Bankrupt Oncology Provider’s $2.3M Settlement Payment & Other HIPAA Breach Consequences Shows Why To Prioritize HIPAA Compliance In 2018

December 29, 2017

The just-announced agreement $2.3 million (Resolution Amount) settlement by now bankrupt radiation oncology and cancer care provider 21st Century Oncology, Inc. (21CO)  is paying to settle Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules violation charges and other continuing post-breach fallout that helped push 21CO to file for Chapter 11 bankruptcy protection demonstrates again why HIPAA-covered health care providers, health plans, health care clearinghouses and their business associates (covered entities) must make HIPAA compliance and risk management a high priority in 2018.

Distinctive as the first HIPAA resolution agreement requiring bankruptcy court approval  and for the bankruptcy court’s order including a direction to the covered entity’s cyber liability insurer to pay the Resolution Payment and other investigation defense expenses, the 21CO resolution agreement resolves potential civil monetary penalty exposures the Fort Myers, Florida based provider of cancer care services and radiation oncology could have faced from the Department of Health & Human Services Office of Civil Rights (OCR) charges it violated HIPAA’s Privacy and Security Rules arising from the hacking and misappropriation of records containing sensitive electronic protected health information (ePHI) of up to 2,213597 individuals.

When their own 2018 HIPAA or other compliance investigation activities or planning HIPAA compliance and risk management activities, covered entities and their business associates and their leaders should use 21CO’s painful post-breach lessons experience to minimize their own HIPAA breach exposures, as well as consider how amendments to Internal Revenue Code Section 162(f) might impact the tax deductibility of certain compliance expenditures.

 21CO HIPAA Breaches & Fallout

The OCR charges against 21CO arose from an OCR investigation commenced after the Federal Bureau of Investigation (FBI) notified 21CO on November 13, 2015 and a second time on December 13, 2015 than unauthorized third party illegally obtained 21CO sensitive patient information and produced 21CO patient files purchased by a FBI informant.  As part of its internal investigation, 21CO hired a third party forensic auditing firm in November 2015. 21CO determined that the attacker may have accessed 21CO’s network SQL database as early as October 3, 2015, through Remote Desktop Protocol from an Exchange Server within 21CO’s network. 21CO determined that it is possible that 2,213,597 individuals may have been affected by the impermissible access to their names, social security numbers, physicians’ names, diagnoses, treatment and insurance information.

Although it knew of the breaches in November and December, 2015, 21CO delayed notifying patients of the data breach for more than three months after the FBI notified it of the breaches before it sent HIPAA or other breach notifications about the data breach to patients or notified investors in March, 2016. Its March 4, 2016 Securities and Exchange Commission 8-K on Data Security Incident (Breach 8-K) states 21CO delayed notification at the request of the FBI to avoid interfering in the criminal investigation of the breach.

When announcing the breach, 21CO provided all individuals affected by the breach with a free one-year subscription to the Experian ProtectMyID fraud protection service. At that time, 21CO said it had no evidence that any patient information actually had been misused.  However victims of the breach subsequently are claiming being victimized by a variety of scams since the breach in news reports and lawsuits about the breach.

At the time of the breach and its March 4, 2016 announcement of the breach, 21CO already was working to resolve other compliance issues.  On December 16, 2015, 21CO announced that a 21CO  subsidiary had agreed to pay $19.75 million to the United States and $528,000 in attorneys’ fees and costs and comply with a corporate integrity agreement related to a qui tam action in which it was accused of making false claims to Medicare and other federal health programs. See 21CO 8-K Re: Entry into a Material Definitive Agreement (December 22, 2015).  Among other things, the corporate integrity agreement required by that settlement required 21CO to appoint a compliance officer and take other steps to maintain compliance with federal health care laws.  In addition, five days after releasing the March 4, 2017 Breach 8-K, 21CO notified investors that its subsidiary, 21st Century Oncology, Inc. (“21C”), had agreed to pay $37.4 million to settle health care fraud law charges relating to billing and other protocols of certain staff in the utilization of state-of-the-art radiation dose calculation system used by radiation oncologists called GAMMA.  See 21CO 8-K Re: GAMMA Settlement March 9, 2016 ;  See also United States Settles False Claims Act Allegations Against 21st Century Oncology for $34.7 Million.

As the breaches impacted more than 500 individuals, 21CO’s HIPAA breaches were considered large breaches for purposes of the Breach Notification Rules.  It is the policy of OCR to investigate all large breach notifications filed under the HIPAA Breach Notification Rules.

Based on OCR’s subsequent investigation into these breaches, OCR found:

  • 21CO impermissibly disclosed certain PHI of 2,213,597 of its patients in violation of 45 C.F.R. § 164.502(a);
  • 21CO failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the electronic protected health information (ePHI) held by 21CO in violation of 45 C.F.R. § 164.308(a)(1)(ii)(A);
  • 21CO failed to implement certain security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with 45 C.F.R. § 164.306(A) in violation of 45 C.F.R. § 164.308(a)(1)(ii)(B);
  •  21CO failed to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports as required by 45 C.F.R. §164.308(a)(1)(ii)(D);
  • 21CO disclosed protected health information to a third party vendors, acting as its business associates, without obtaining satisfactory assurances in the form of a written business associate agreement in violation of HIPAA’s business associate rule requirements under 45 C.F.R. §§ 164.502(e) and 164.308(b)(3).

The Resolution Agreement settles potential charges and exposures to potentially much higher civil monetary penalties that 21CO could have faced had OCR successfully prosecuted charges against 21CO for the breaches.   In return for OCR’s agreement not to further pursue charges or penalties relating to the breach investigation, the Resolution Agreement requires that 21CO pay OCR a $2.3 million Resolution Amount and implement to OCR’s satisfaction a corrective action plan that among other things requires that 21CO complete  the following corrective actions to the satisfaction of OCR:

  • To complete a risk analysis and risk management plan;
  • To revise its HIPAA policies and procedures regarding information system activity review to require the regular review of audit logs, access reports, and security incident tracking reports pursuant to 45 C.F.R. § 164.308(a)(1)(ii)(D);
  • To revise its policies and procedures regarding access establishment and modification and termination pursuant to 45 C.F.R. § 164.308(a)(4)(ii)(C) and 45 C.F.R. § 164.308(a)(3)(ii)(C) to include protocols for access to 21CO’s e-PHI by affiliated physicians, their practices, and their employees.
  • To distribute its policies to and educate its workforce on the updated and other HIPAA policies and procedures;
  • To provide OCR with an accounting of 21CO’s business associates that includes names of business associates, a description of services provided, a description of the business associate’s handling of 21CO’s PHI, the date services began and copies of the actual business associate agreement with each business associate; and
  • Submit an internal monitoring plan to OCR.

In addition to  the OCR investigation that lead to the new HIPAA resolution agreement announced by OCR on December 28, 2017, 21CO experienced other fallout following its March 4, 2016 public disclosure of the breach.  Not surprisingly, the breach notification led to a multitude of class-action civil lawsuits by breach victims and shareholders.  See, e.g., 16 Data Breach Class Action Lawsuits Filed Against 21st Century Oncology Consolidated; 21st Century Oncology data breach prompts multiple lawsuits.  Reports of spoofing and other misleading contacts made to 21CO patients following the breach prompted the Federal Trade Commission (FTC) to issue a specific notice alerting victims about potential false breach notifications and other misleading contacts.  See April 4, 2016 FTC Announcement Re: 21st Century Oncology breach exposes patients’ info.

These and other developments also had significant consequences on 21CO’s financial status and leadership.  By March 31, 2015, 21CO notified the SEC and investors that it needed added time to complete its financial statements.  Subsequent SEC filings document its restatement of financial statements, the departure of board members and other leaders,  default on credit terms, and ultimately its filing for Chapter 11 bankruptcy protection in the United States Bankruptcy Court for the Southern District of New York on May 25, 2017.

Insurer Funding $2.3 Million Settlement Payment For Bankrupt 21CO

The 21CO resolution agreement required bankruptcy court approval,  Funds for payment of the required $2.3 million resolution payment and other charges associated with the investigation apparently are being provided in part from breach liability insurance coverage provided under a policy issued by Beazley Insurance, as the Bankruptcy Court order directs Beazley Breach Response Policy No. W140E2150301 to make immediate payment to the OCR of the resolution amount and the payment of fees incurred by 21CO in connection with regulatory defense issues.

Settlements Highlight Growing Risks Of Noncompliance, Lack Data Security

One of a growing multitude of multimillion dollar HIPAA resolution agreements to avoid HIPAA civil monetary sanctions that OCR already has announced, the 21CO resolution agreement announcement also comes when a steady stream of reports of massive data breaches at Alteryx, eBay, Paypal owner TIO Networks, Uber, Equifax and a long list of other previously trusted prominent businesses are stoking government and public awareness and concern over health care and other data privacy and cybersecurity.  Beyond their potenital HIPAA enforcement exposures, health care or other covered entities experiencing breaches often also face FTC or other government investigations and enforcement under the Fair and Accurate Credit Transactions Act (FACTA) and other federal or state identity theft, data privacy and security, electronic crimes and other rules as well as business losses and disruptiuons; civil litigation from breach victims, shareholders and investors, and business partners as well as OCR, FTC, and state data security regulation enforcement.  Amid this growing concern, OCR has indicated that it intends to continue to diligently both seek to support and encourage voluntary compliance by covered entities and their business associates and  investigate and enforce HIPAA against HIPAA covered entities and their business associates that fail to adequately safeguard PHI and ePHI in accordance with HIPAA. In the face of these growing risks and liabilities, covered entities and their business leaders face a strong imperative to clean up and maintain their HIPAA compliance and other data security to minimize their exposure to similar consequences.

In light of these rises, leaders, investors, insurers, lenders and others involved with covered entities and their business associates should take steps to verify that the covered entities and their business associates not only maintain compliance with HIPAA, but also maintain appropriate practices, insurance and other safeguards to prevent, respond to and mitigate exposures in the event of a breach of protected heatlh information or other sensitive data.

As a part of this planning, covered entities and their business associates also generally will want to add consideration of changes to federal tax rules on the deductibility of compliance penalty and other related compliance expenditures.  While the Internal Revenue Code traditionally has prohibited businesses and individuals from deducting penalties, fines and other expenditures arising from violations of federal or state laws under Section 162(f) of the Internal Revenue Code, Section Section 13306 of the Tax Cuts and Jobs Creation Act creates a new exception for amounts  (other than amounts paid or incurred any amount paid or incurred as reimbursement to the government or entity for the costs of any investigation or litigation) that a taxpayer establishes meet the following requirements:

  • Constitute restitution (including remediation of property) for damage or harm which was or may be caused by the violation of any law or the potential violation of any law, or
  • Are paid to come into compliance with any law which was violated or otherwise involved in the investigation or inquiry into a violation or potential violation of any law;
  • Are identified as restitution or as an amount paid to come into compliance with such law, as the case may be, in the court order or settlement agreement, and
  • In the case of any amount of restitution for failure to pay any tax imposed under this title in the same manner as if such amount were such tax, would have been allowed as a deduction under this chapter if it had been timely paid.

Because the true effect of these modifications will be impacted by implementing regulations and a number of other special conditions and rules may impact the deductibility of these payments and the reporting obligations attached to their payment, covered entities will want to consult with legal counsel about these rules and monitor their implementation to understand their potential implications on compliance expenditures and penalties.

About The Author

Repeatedly recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, a Fellow in the American College of Employee Benefit Council, the American Bar Foundation and the Texas Bar Foundation and board certified in labor and employment law by the Texas Board of Legal Specialization, Cynthia Marcotte Stamer is a practicing attorney, management consultant, author, public policy advocate and lecturer widely known for health and managed care, employee benefits, insurance and financial services, data and technology and other management work, public policy leadership and advocacy, coaching, teachings, and publications. Nationally recognized for her work, experience, leadership and publications on HIPAA and other medical privacy and data use and security, FACTA, GLB, trade secrets and other privacy and data security concerns, Ms. Stamer has worked extensively with clients and the government on cybersecurity, technology and processes and other issues involved in the use and management of medical, insurance and other financial, workforce, trade secrets and other sensitive data and information throughout her career.  Scribe or co-scribe of the ABA Joint Committee on Employee Benefits Agency meeting with OCR since 2011 and author of a multitude of highly regarded publications on HIPAA and other health care, insurance, financial and other privacy and data security, Ms. Stamer is widely known for her extensive and leading edge experience, advising, representing, training and coaching health care providers, health plans, healthcare clearinghouses, business associates, their information technology and other solutions providers and vendors, and others on HIPAA and other privacy, data security and cybersecurity design, documentation, administration, audit and oversight, business associate and other data and technology contracting, breach investigation and response, and other related concerns including extensive involvement representing clients in dealings with OCR and other Health & Human Services, Federal Trade Commission, Department of Labor, Department of Treasury, state health, insurance and attorneys’ general, Congress and state legislators and other federal officials.

Ms. Stamer also has an extensive contributes her leadership and insights with other professionals, industry leaders and lawmakers.    Her insights on HIPAA risk management and compliance often appear in medical privacy related publications of a broad range of health care, health plan and other industry publications Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, SHRM, HIMMS, the American Bar Association, the Health Care Compliance Association, a multitude of health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others.  You can get more information about her HIPAA and other experience here. For additional information about Ms. Stamer, see here, e-mail her here or telephone Ms. Stamer at (214) 452-8297.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources here including:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The presenter and the program sponsor disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2017 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.


Health Care Org’s ERISA Health Plan Reimbursement Opportunities & Compliance Obligations Free 9/15 Study Group Topic

September 9, 2015

Solutions Law Press, Inc. is happy to share information about this upcoming free health industry study group meeting on 9/15/2015 in Irving, Texas.

NORTH TEXAS HEALTHCARE COMPLIANCE PROFESSIONALS ASSOCIATION

Invites Members and Guests to Our Next Group Luncheon

Employee Benefit Security Administration Insights On Healthcare Organization’s Health & Other Employee Benefit Plan Rights & Responsibilities Under Employee Retirement Income Security Act

Featuring

Kristi Gotcher

U.S. Department of Labor Employee Benefit Security Administration Investigator

Tuesday, September 15, 2015

11:30 a.m. to 1:30 p.m.

DFW Hospital Council Offices

250 Decker Drive

Irving, Texas

RSVP here  by Noon on September 14, 2015

Space Limited!  Register Early To Reserve Your Spot To Participate!

 

Please share this invitation with others who might be interested in this topic or other NTHCPA events!

The North Texas Healthcare Compliance Professionals Association (NTHCPA) invites members and other interested health care compliance professionals to join us on Tuesday, September 15, 2015 from 11:30 a.m. to 1:30 p.m. for our Study Group Luncheon featuring a program on “Employee Benefit Security Administration Insights On Healthcare Organization’s Health & Other Employee Benefit Plan Rights & Responsibilities Under Employee Retirement Income Security Act” from U.S. Department of Labor Employee Benefit Security Administration (EBSA) Investigator Kristi Gotcher.

The health and other employee benefit plan rules of the Employee Retirement Income Security Act (ERISA) generally offer important protections and create significant compliance challenges for health care organizations and providers.  On one hand, health care providers generally rely heavily on their or their patient’s ability to obtain health benefits promised under employer or union-sponsored health plans covering their patients to help reimbursement provider charges.  Meanwhile, health care providers and their leaders also can incur significant liability for failing to comply with ERISA’s rules when establishing and maintaining health or other employee benefit programs for their own employees.  Drawing on her involvement as investigator with the Department of Labor agency primarily responsible for both interpreting and enforcing ERISA’s rules, EBSA Ms. Gotcher will share key updates and insights on both how ERISA and the EBSA can help patients and providers enforce benefit rights under ERISA-covered health plans and key health and highlight employee benefit compliance responsibilities that health care organizations and their leaders need to ensure that their own health and other employee benefit programs meet to avoid violating ERISA.

About the Speaker

Kristi A. Gotcher is an Investigator with the United States Department of Labor, Employee Benefits Security Administration (EBSA) in the Dallas Regional Office.   Kristi began working for EBSA in the Dallas Regional Office in November 2007 as a Benefits Advisor.  She earned her Bachelor of Arts in Social Political Relations from St. Edwards University and a J.D. from Texas Wesleyan University School of Law (now Texas A&M University School of Law).  Ms. Gotcher is licensed to practice law in the State of Texas.

Registration & Meeting Details

The meeting scheduled from 11:30 a.m. to 1:30 p.m. on Tuesday, September 15, 2015 at the DFW Hospital Council Offices located at 250 Decker Drive, Irving Texas.  Participants who timely R.S.V.P. will enjoy a complimentary luncheon. Networking and lunch service will begin at 11:30. Our program will begin at Noon.

NTHCPA encourages members and other interested health care compliance professionals to register early to reserve their spot to participate and to share this invitation with others in the industry who might benefit from participation.

There is no charge to participate in the meeting.  However space is limited and available only on a first come, first serve basis.  To ensure your spot and help us to arrange for adequate space and refreshments for this meeting, R.S.V.P. here as soon as possible and no later than Noon on September 14, 2015.  Walk in guests will be accommodated on a space-available basis only.

Thanks To Meeting Underwriter Stamer ׀ Chadwick ׀ Soefje, PLLC

NTHCPA and its members extend our thanks to Cynthia Marcotte Stamer, P.C. and the other members of Stamer ׀ Chadwick ׀ Soefje PLLC for underwriting this month’s study group luncheon and other support of NTHCPA.

A boutique firm of exceptionally experienced and skilled “big-firm” lawyers committed to changing the way law firms serve their clients, Stamer │Chadwick │Soefje, PLLC delivers sophisticated legal advice and innovative solutions to the most challenging and complex problems. Simply put, Stamer │Chadwick │Soefje, PLLC attorneys are “Solutions Lawyers™.”

Stamer │Chadwick │Soefje, PLLC attorneys deliver sophisticated legal advice and innovative solutions to the most challenging and complex problems. Stamer │Chadwick │Soefje, PLLC attorneys possess the breadth of experience to respond to the unique legal and operational challenges health industry and other clients face and help guide them toward pragmatic resolutions that make sense for them. “Solutions Lawyers™ possess the breadth of experience to respond to the unique challenges our corporate and individual clients face and help guide them toward pragmatic resolutions that make sense for them.

Founded by nationally-known, healthcare and labor & employment attorney Cynthia Marcotte Stamer; labor & employment attorney Robert G. Chadwick; and professional liability and civil litigation attorney Timothy B. Soefje, Stamer │Chadwick │Soefje, PLLC focuses on advising and representing businesses and professionals nationally in the areas of healthcare, cyber liability, ERISA, employee benefits, labor & employment, corporate and commercial litigation, professional liability, construction litigation, and insurance defense.  All three attorneys are rated AV® Preeminent™ by Martindale-Hubbell® Peer Review Ratings™ Ms. Stamer and Mr. Chadwick are both Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization, are Fellows in the American Bar Foundation, and recognized as “Top Lawyers” in Labor and Employment Law.  Ms. Stamer also has received recognition as a “Top” attorney in health care and employee benefits law and is a Fellow in the American College of Employee Benefit Council.

Ms. Stamer more than 28 years’ experience advising and representing health industry and employee benefit clients on a wide range of legal, public policy, management and operational concerns as well as extensive leadership and management experience serving in on the board of health industry nonprofit organizations. Nationally recognized for her legal work, advocacy, publications, writings and presentations on health industry concerns, Ms. Stamer provides legal and management advice, training and coaching, defense, public policy and regulatory advocacy to health industry and other clients on health and other regulatory and operational compliance, federal and state public policy and enforcement, managed care and other contracting, reimbursement, fraud, quality, employment, staffing and other workforce, benefits, licensing, credentialing and peer review, safety, disaster preparedness and response, HIPAA and other privacy and data security, corporate governance, investigations and internal controls, and a host of other health industry compliance and risk management and other legal and operational concerns. In addition to her legal experience, Ms. Stamer also contributes her experience and talents to serving in a number of health industry and other civil and professional groups.  Among other things, Ms. Stamer serves as Vice President of the NTHCPA, the RPTE representative to the American Bar Association (ABA) Joint Committee on Employee Benefits Council and scrivener for its annual agency meeting with the Office of Civil Rights, the ABA International Section Life Sciences and Health Law Committee Vice President of Policy, RPTE Liaison to the ABA Health Care Coordinating Counsel, TIPS Employee Benefit Committee Vice Chair, Founder and Executive Director of the Project COPE:  The Coalition on Patient Empowerment, and National Physicians Council for Healthcare Policy.  She also previously served as President and Founding Board Member of the Alliance for Health Care Excellence and its Health Care Heroes and Patient Empowerment Programs, as RPTE Employee Benefits & Other Compensation Group Chair and Welfare Benefit Committee Vice Chair, Exempt Organizations Coordinator of the Gulf States Area TEGE Council, Board President and Audit Committee Chair of the Richardson Development Center for Children ECI Agency, National Kidney Foundation of North Texas Board Audit Committee Chair, the United Way of North Texas Long Range Planning Committee.  She also has and continues to serve in the leadership of many other civic and professional boards, seminar faculties, editorial advisory boards and publishes and speaks extensively on health industry and employee benefit related concerns.

Mr. Chadwick has extensive experience advising and defending health industry and other clients on OSHA and other occupational health and safety, employee benefits, compensation and other labor and employment  concerns as well as defending boards and other management leaders against management liability claims.

Mr. Soefje has extensive experience advising and representing health industry clients and professionals on medical malpractice, officers and directors liability and other professional liability, errors and omissions, construction defect and other litigation and disputes.

For additional information, contact Ms. Stamer cstamer@solutionslawyer.net

About the NTHCPA

NTHCPA exists to champion ethical practice and compliance standards and to provide the necessary resources for ethics and compliance Professionals and others in North Texas who share these principles.  The vision of NTHCPA is to be a pre-eminent compliance and ethics group promoting lasting success and integrity of organizations within North Texas.

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns.

Other Helpful Resources & Other Information

We hope that this information is useful to you.   If you found these updates of interest, you also be interested in one or more of the following other recent articles published on the Coalition for Responsible Health Care Reform electronic publication available here, our electronic Solutions Law Press Health Care Update publication available here, or our HR & Benefits Update electronic publication available hereYou also can get access to information about how you can arrange for training on “Building Your Family’s Health Care Toolkit,”  using the “PlayForLife” resources to organize low-cost wellness programs in your workplace, school, church or other communities, and other process improvement, compliance and other training and other resources for health care providers, employers, health plans, community leaders and others here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail by creating or updating your profile here. You can reach other recent updates and other informative publications and resources.

Examples of some of these recent health care related publications include:


Check Defensibility Of Policies & Practices Given New HHS/DOJ Joint Disability Law Technical Assistance

August 10, 2015

Child welfare agencies, health care providers and their contactors and other service providers should evaluate the adequacy and defensibility of their existing practices for accommodating and providing other services to individuals with disabilities and their families in light of the new joint technical assistance to state and local child welfare agencies and courts on the requirements of Title II of the Americans with Disabilities Act (ADA) and Section 504 of the Rehabilitation Act jointly announced by the Departments of Health & Human Services (HHS) and the Justice (DOJ) under a new HHS/DOJ partnership intended to help child welfare agencies protect the welfare of children and ensure compliance with nondiscrimination laws announced here August 10, 2015.

Federal child welfare and discrimination laws generally prohibit discrimination on the basis of disability, and require providers of government programs, services, and activities to make reasonable modifications to their policies and practices when necessary to avoid discrimination on the basis of disability, unless such modifications would fundamentally alter the nature of the program or the services.  The new joint technical assistance addresses disability discrimination complaints that HHS and DOJ say the agencies have received from parents who have had their children taken away or otherwise have not been given equal opportunities to become foster or adoptive parents.

The technical assistance provides an overview of Title II of the ADA and Section 504 and examples about how to apply them in the child welfare system, including child welfare investigations, assessments, guardianship, removal of children from their homes, case planning, adoption, foster care, and family court hearings, such as termination of parental rights proceedings.  It also underscores that Title II and Section 504 prohibit child welfare agencies from acting based on unfounded assumptions, generalizations, or stereotypes regarding persons with disabilities.

HHS and DOJ hope “[p]roviding this technical assistance to state and local agencies and courts will help ensure that families who have a member with a disability get equal access to vital child welfare services,” said Mark Greenberg, HHS’ Administration for Children and Families’ Acting Assistant Secretary.

The new child welfare technical assistance is part of a broader ongoing emphasis on investigation and enforcement of disability and other discrimination laws by HHS, DOJ and other agencies under the Obama Administration. Under the Obama Administration, HHS, DOJ and other agencies already have heavily sanctioned many child welfare, health care and other agencies and providers for alleged violation of these and other federal disability discrimination laws.  See, e.g., Health Care Employer’s Discrimination Triggers Medicare, EEOC Prosecutions; Hospital Will Pay $75K For Refusing To Hire Disabled Worker;  OCR Settlements Show Health Care & Disabled Housing Providers Face Growing Disability Discrimination RisksGenesis Healthcare Disability HHS OCR Discrimination Settlement Reminder To Use Interpreters, Other Needed Accommodations For Disabled.   In the face of this emphasis, child welfare, health care and other agencies and their legal counsel and other service providers should expect greater deference and enforcement to the needs of children and parents with disabilities in child custody, adoption, divorce and other proceedings, as well as continued investigation and enforcement of disability and other discrimination laws against child welfare, health care, and other social service agencies, their legal counsel and other advocates and others providing services.  These and other organizations and service providers should  evaluate the defensibility of the existing policies, practices and recordkeeping practices of their own organization, as well as those of their contractors and subcontractors in light of these and other disability discrimination laws, regulations and enforcement practices.

For More Advice, Assistance Or More Information

If you need assistance reviewing or responding to these or other health care related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, may be able to help. Ms. Stamer is a highly regarded practicing attorney with extensive health industry legal and policy experience, also recognized as a knowledgeable and highly popular health industry thought and policy leader, who writes and publishes extensively  on health industry concerns. Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, recognized as a “Top” lawyer in Health Care, Labor and Employment and Employee Benefits Law, Board Certified in Labor & Employment Law, and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 27 years experience advising health industry clients about these and other matters. Her experience includes advising and defending hospitals, nursing home, home health, physicians and other health care professionals, rehabilitation and other health care providers and health industry clients to establish and administer compliance and risk management policies and programs in response under CMS, OCR, HHS, FDA, IRS, DOJ, DEA, NIH, licensing, and other regulations; prevent, conduct and investigate, and respond to Board of Medicine, OIG, DOJ, DEA, DOD, DOL, Department of Health, Department of Aging & Disability, IRS, Department of Insurance, and other federal and state regulators; ERISA and private insurance, prompt pay and other reimbursement and contracting; peer review and other quality concerns; and other health care industry investigation, and enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. This experience includes extensive work advising and defending physicians, practices, hospitals and other health care organizations and others about Medicare and other health care billing and reimbursement practices,  as well as advising and defending providers against Medicare, Medicaid, Tricare and other audits, prepayment suspensions, provider exclusions and provider number revocation, and counseling and defending providers, medical staff and peer review committees, hospitals, medical practices and other health care organizations and others in relation to the conduct of audits and investigations, peer review investigations and discipline, employment, licensing board and other associated events.

The scribe for the American Bar Association (ABA) Joint Committee on Employee Benefits annual agency meeting with the Department of Health & Human Services Office of Civil Rights,  past Board President of the Richardson Development for Children and former Board Audit Committee Chair of the National Kidney Foundation of North Texas, Ms. Stamer has lead, advised, represented and conducted training and investigations of disability and other legal and operations risk management and compliance for early childhood intervention (ECI) and other childcare, health care, public and private schools, social service and other public and private organizations.  Ms. Stamer also  has worked extensively with health care providers, health plans, health care clearinghouses, their business associates, employers, banks and other financial institutions, and others on risk management and compliance with HIPAA and other information privacy and data security rules, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and enforcement, and a host of other related concerns.  Her clients include public and private health care providers, health insurers, health plans, technology and other vendors, and others.  In addition to representing and advising these organizations, she also has conducted training on Privacy & The Pandemic for the Association of State & Territorial Health Plans,  as well as  HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for  Los Angeles County Health Department, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others. Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her insights on these and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications.  You can get more information about her health industry experience here. If you need assistance responding to concerns about the matters discussed in this publication or other health care concerns, wish to obtain information about arranging for training or presentations by Ms. Stamer, wish to suggest a topic for a future program or update, or wish to request other information or materials, please contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you or someone else you know would like to receive future updates about developments on these and other concerns from Ms. Stamer such as the following, see here:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. For important information about this communication click here.THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS.  ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN. ©2015 Cynthia Marcotte Stamer.  Non-exclusive right to republish granted to Solutions Law Press, Inc.  All other rights reserved.


7 Arrested, Charged In Detroit-Area Home Health Care Fraud Takedown

January 18, 2013

January 17, 2013; U.S. Department of Justice

Seven Arrested, Charged with $22 Million Detroit-area Home Health Care Fraud Scheme

Six Detroit-area residents and one Chicago-area resident were arrested on January 17, 2012 by federal agents on charges arising from the ongoing investigation into an alleged $22 million home health care fraud scheme that the indictment charges operated out of four Oakland County, Michigan home health agencies claiming to provide in-home health service, Royal Home Health Care Inc., Prestige Home Health Services Inc., Platinum Home Health Services Inc. and Empirical Home Health Care Inc. (the “Agencies”).  The defendants arrested are Detroit-area residents Muhammad Aamir, Usman Butt, Hemal Bhagat, Syed Shah, Tariq Tahir, and Raquel Ellington, and Chicago-area resident Tayyab Aziz (the “Defendants”).

According to the Justice Department, the arrests and Medicare payment suspensions stem from charges brought in an 18-count indictment returned January 15, 2013, which alleges that the Defendants participated in a Medicare fraud scheme operating out of the Agencies. The indictment alleges Medicare paid the agencies approximately $22 million for fraudulently reported services since August 2008. See Aamir, Muhammed et al. (Prestige) Indictment.  In addition to the arrests, law enforcement agents suspended Medicare payments to the Agencies associated with the alleged scheme.

According to the indictment, Aamir and Butt owned and operated Prestige; Butt, Bhagat and Shah owned and operated Royal; and Aamir owned and operated Platinum and Empirical.  The indictment alleges that of the Agencies allegedly claimed to provide home health therapy services to Medicare beneficiaries that were unnecessary and/or were never performed.  The indictment also alleges that Tahir and Ellington recruited Medicare beneficiaries, paying them kickbacks for their Medicare information and signatures on documents that detailed physical therapy and/or skilled nursing services that were either never rendered or not medically necessary.  The indictment also charges Aamir, Butt, Bhagat, Shah, Tahir and Ellington with conspiring to pay kickbacks to Tahir and Ellington for their recruiting work and Butt, Bhagat, Shah and Aziz with allegedly conspiring to launder the proceeds of the scheme.

Based on the alleged conduct, the indictment charges each of the Defendants with conspiracy to commit health care fraud.  All but Aziz are also charged with health care fraud and with conspiracy to violate the Anti-Kickback Statute.  Butt, Bhagat, Shah and Aziz are additionally charged with conspiracy to commit money laundering.

A conviction on the charges is likely to carry heavy penalities.  The charges of health care fraud conspiracy and health care fraud each carry a maximum potential penalty of 10 years in prison and a $250,000 fine.  The charge of conspiracy to violate the Anti-Kickback Statute carries a maximum potential penalty of five years in prison and a $25,000 fine.  The charge of conspiracy to commit money laundering carries a maximum potential penalty of 20 years in prison and a $500,000 fine.
 
The arrests and indictments reflect the continuing and growing government commitment to, coordination and sophistication in the investigation and prosecution of health care crimes by health care providers in the federal war on what officials view as health care fraud.  The Obama Administration has made investigation and prosecution of health care fraud laws a key element of its strategy to manage U.S. health care program costs. Recently enacted changes in the False Claims Act and other laws are making it easier for federal prosecutors to successfully prosecute these and other health care fraud cases.

Since their inception in March 2007, the the HEAT health care fraud task force operations in nine locations have lead to charges against more than 1,480 defendants who Federal officals claim collectively have falsely billed the Medicare program for more than $4.8 billion.  In addition, the HHS Centers for Medicare and Medicaid Services, working in conjunction with the HHS-OIG, are taking steps to exclude and impose other remedies against health care providers that it perceives engage in fraud or other aggressive billing or other practices.These and other stepped up oversight and enforcement activities make it critical that all health industry organizations strengthen their internal controls, compliance and audit activities as well as be prepared to defend their actions against the rising tide of federal and state oversight and enforcement.

For Help With Compliance, Risk Management, Investigations, Policy Updates Or Other Needs

If you need help with HIPAA or other health industry, regulatory policy or enforcement developments, or to review or respond to these or other health care or health IT related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer may be able to help.

Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 24 years experience advising health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers, health plans, their business associates and other health industry clients to establish and administer medical privacy and other compliance and risk management policies, to health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. She regularly designs and presents HIPAA and other risk management, compliance and other training for health plans, employers, health care providers, professional associations and others.

Scheduled to serve as the scribe for the ABA Joint Committee on Employee Benefits agency meeting with OCR, Ms. Stamer also regularly works with OCR and other agencies, publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns.  Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications.   For instance, Ms. Stamer for the second year will serve as the appointed scribe for the ABA Joint Committee on Employee Benefits Agency meeting with OCR.  Her insights on HIPAA risk management and compliance often appear in medical privacy related publications of a broad range of health care, health plan and other industry publications Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others.  You can get more information about her HIPAA and other experience here.

If you need help with these or other compliance concerns, wish to ask about arranging for compliance audit or training, or need legal representation on other matters please contact Ms. Stamer at (469) 767-8872 or via e-mail here.

You can review other recent publications and resources and additional information about the other experience of Ms. Stamer hereExamples of some recent publications that may be of interest include:

If you need help investigating or responding to a known or suspected compliance, litigation or enforcement or other risk management concern, assistance with reviewing, updating, administering or defending a current or proposed employment, employee benefit, compensation or other management practice, wish to inquire about federal or state regulatory compliance audits, risk management or training, or need legal representation on other matters please contact Ms Stamer here or at (469) 767-8872.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides business and management information, tools and solutions, training and education, services and support to help organizations and their leaders promote effective management of legal and operational performance, regulatory compliance and risk management, data and information protection and risk management and other key management objectives.  Solutions Law Press, Inc.™ also conducts and assist businesses and associations to design, present and conduct customized programs and training targeted to their specific audiences and needs.  For additional information about upcoming programs, to explore becoming a presenting sponsor for an upcoming event, e-mail your request to info@Solutionslawpress.com   These programs, publications and other resources are provided only for general informational and educational purposes. Neither the distribution or presentation of these programs and materials to any party nor any statement or information provided in or in connection with this communication, the program or associated materials are intended to or shall be construed as establishing an attorney-client relationship, to constitute legal advice or provide any assurance or expectation from Solutions Law Press, Inc., the presenter or any related parties. If you or someone else you know would like to receive future Alerts or other information about developments, publications or programs or other updates, send your request to info@solutionslawpress.com.  CIRCULAR 230 NOTICE: The following disclaimer is included to comply with and in response to U.S. Treasury Department Circular 230 Regulations.  ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN. If you are an individual with a disability who requires accommodation to participate, please let us know at the time of your registration so that we may consider your request.

 ©2013 Cynthia Marcotte Stamer, P.C. All rights reserved.


TSHHRAE Provides Health Industry Managers Employment Law Update & Other Timely Management Training At April Barnstorm 2010: Creating Effective Leaders Programs

March 23, 2010

Get Details & Registration Information here!

A Legal Update on Employment Law presentation by Attorney Cynthia Marcotte Stamer is among 5 hours of “Barnstorm 2010: Creating an Effective Leaders-Tools of the Trade” management training that the Texas Society for Healthcare Human Resources Administration and Education (TSHHRAE) will be hosting for health industry human resources and other managers in five Texas cities between April 26 and April 30, 2010. 

Interested health industry human resources and other managers can elect to participate in TSHHRAE’s Barnstorm 2010 management training at the following dates and locations:  

  • April 26 – Weslaco, Knapp Medical Center
  • April 28 – Sweetwater, Rolling Plains Memorial Hospital
  • April 28 – Brenham, Trinity Medical Center
  • April 29 – Lubbock, University Medical Center
  • April 30 – Odessa, Medical Center Hospital

Update on Employment Law Program Highlights

Ms. Stamer’s Legal Update on Employment Law Program will address:

  • Recent changes in FMLA, Military Leave, wage and hour, ADA & other disability, COBRA, GINA, HIPAA and other selected federal & Texas employment laws and regulations;
  • Rising government enforcement of EEOC, HIPAA, wage & hour, worker classification, and other laws and regulations;
  • Recent developments and increases in retaliation claims;
  • Recent cases related to supervision; and
  • Other selected developments impacting health industry human resources management.

Other Barnstorm 2010 Program Highlights and Details

In addition to the Legal Update on Employment Law that Ms. Stamer is scheduled to present, the Barnstorm Program also will feature presentations on:

  • Leadership in 2010
  • Dealing with Poor Performers; and
  • Cultivating a Superstar

For registration and other information about the Barnstorm Program, see here.

About Ms. Stamer

Nationally and internationally recognized for more than 22 years of work with health industry and other organizations, publications, workshops and presentations and leadership on health industry and other labor and employment, staffing and credentialing, employee benefits, performance management and discipline, regulatory compliance and internal controls, risk management, and public policy matters, Ms. Stamer is Chair of the Curran Tomko Tarski Labor & Employment & Health Care Practice Groups, Vice President of the North Texas Health Care Compliance Professionals Association, Government Affairs Committee Legislative Chair for the Dallas Human Resources Management Association, Chair of the American Bar Association (ABA) RPTE Employee Benefits & Other Compensation Committee, a Council Representative on the ABA Joint Committee on Employee Benefits and past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, Ms. Stamer is.  The publisher of Solutions Law Press HR & Benefits Update, the Solutions Law Press Health Care Update, and Solutions Law Press Health Care Privacy & Technology Update and a former legal columnist for MD News, Ms. Stamer also is a popular speaker and author of these topics.  She regularly speaks and conducts training for the ABA, American Health Lawyers Association (AHLA), Health Care Compliance Association, Institute of Internal Auditors, Harris County Medical Society, the Medical Group Management Association, SHRM, Southwest Benefits Association and many other organizations.  Publishers of her many highly regarded writings on health industry and human resources matters include the Bureau of National Affairs, Aspen Publishers, ABA, AHLA, Spencer Publications, World At Work, SHRM, Business Insurance, James Publishing and many others.  You can review other highlights of Ms. Stamer’s health care experience here, and employment experience hereHer insights on these and other matters appear in Managed Care Executive, Modern Health Care, the Wall Street Journal, the Dallas Business Journal, the Houston Business Journal, MDNews, Kentucky Physician, and many other national and local publications.

If you need assistance with health industry human resources or other management, concerns, wish to inquire about compliance, risk management or training, or need legal representation on other matters please contact Cynthia Marcotte Stamer at cstamer@cttlegal.com or 214.270.2402. 

Other Resources

If you found this information of interest, you also may be interested in reviewing other updates and publications by Ms. Stamer including:

For More Information

We hope that this information is useful to you.  If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile at here or e-mailing this information here. To unsubscribe, e-mail here.

©2010 Cynthia Marcotte Stamer.  All rights reserved.


HIPAA Heats Up: HITECH Act Changes Take Effect & OCR Begins Posting Names, Other Details Of Unsecured PHI Breach Reports On Website

February 25, 2010

By Cynthia Marcotte Stamer

The Department of Health and Human Services Office of Civil Rights (OCR) has begun posting on its website the names and certain information about health care providers, health insurers,  employer and other health plans, health care clearinghouses and their business associates (Covered Entities) reporting to OCR “breaches” of “unsecured protected health information” (UPHI) under new breach notice rules added by the Health Information Technology for Economic and Clinical Health Act (HITECH Act).

Covered Entities should anticipate the posting of the breach information and other HITECH Act breach notices coupled with amendments to the medical privacy and security requirements of the Health Insurance Portability & Accountability Act (HIPAA) effective since February 17, 2010, will heighten enforcement risks and public sensitivities about medical information privacy safeguards.  As failing to comply with the amended rules effective February 17, 2010 can trigger obligations under the Breach Regulations and other significant liability exposures, Covered Entities should act quickly to manage these emerging risks.

Covered Entity Breach Notification Requirements

The initial list of Covered Entities reporting  breaches of UPHI affecting 500 or more individuals posted by OCR on February 22, 2010 discloses the Covered Entity’s name and State, the approximate number of individuals affected, the date and type of breach and the location of the breached information. OCR’s posting of this information is required under the HITECH Act breach notification requirements as part of its implementation and enforcement of new breach notification requirements added to HIPAA by Section 13402(e)(3) of the HITECH Act.

The HITECH Act amended HIPAA to require Covered Entities to require Covered Entities provide notification to individuals, OCR and others when certain breaches of UPHI happen.  The implementing interim “Breach Notification For Unsecured Protected Health Information” regulations (Breach Regulation) published by OCR here require Covered Entities subject to HIPAA to notify affected individuals, OCR and in some cases the media within specified periods following a “breach” of UPHI occurring on or after September 23, 2009 unless the Covered Entity can demonstrate that the breach qualified as exempt from the breach notification obligation under the Breach Regulations.

Covered Entities generally should consider the need to provide breach notification under the Breach Regulation whenever electronic or non-electronic protected health  information which is not adequately encrypted or destroyed to qualify as “secured” under the breach rules is used, accessed or disclosed in violation of HIPAA.  

Since the potential need to provide breach notification is triggered by an impermissible use, access or disclosure of UPHI, up-to-date maintenance, monitoring and enforcement is at the heart of compliance with the Breach Regulation as well as HIPAA generally.

You can review the currently posted list of Covered Entities that have reported breaches on the OCR website here.  Learn more about the Breach Regulation requirements here

Broader & Stricter Medical Privacy Mandates Effective 2/17/210

The new breach notification requirements are part of a series of changes made to HIPAA under the HITECH Act that are increasing the responsibilities and liability exposures of Covered Entities. On February 17, 2010, Covered Entities and their business associates also became subject to tighter federal requirements for the use, access, protection and disclosure of protected health information under amendments to HIPAA’s Privacy & Security Standards enacted in the HITECH Act. When the HITECH Act was signed into law on February 17, 2009, Covered Entities also became subject to expanded sanctions and remedies for HIPAA violations.

To comply with the HITECH Act changes to HIPAA effective on February 17, 2010, most Covered Entities and their business associates generally will need to update their written policies, operational procedures, technical safeguards, privacy notices, vendor and other agreements, training, and other management procedures in several respects. For more details, see here.

While the HITECH Act gave Covered Entities and business associates a year to complete the necessary arrangements to comply with these HITECH Act changes, many Covered Entities and business associates have not adequately implemented the necessary arrangements. To mitigate these exposures, Covered Entities and their business associates should act quickly to review and update their policies, procedures, training, business associate and other services agreements, and other practices and procedures, as well as to implement the training, oversight, and other management necessary to comply with the HITECH Act changes and to mitigate other HIPAA risks.

Exposures Significant & Growing

HIPAA-associated exposures for Covered Entities are significant and growing. Timely action to comply with the amended HIPAA requirements and Breach Regulations is important to avoid triggering the breach notification requirements; to prevent loss of public trust and reputation;  and to minimize exposures to legal actions, administrative complaints and sanctions and the  investigation, defense and correction costs likely to result when a Covered Entity violates or is accused of violating HIPAA or otherwise mishandling medical or other personal information. 

Even before the HITECH Act changes became effective, federal regulators were stepping up HIPAA enforcement. The HITECH Act amendments further increase the risk that Covered Entities violating HIPAA face investigation and sanction. The HITECH Act amendments increase the likelihood that Covered Entities violating HIPAA will get caught and will face some form of damage or penalty assessment.  Heightened awareness of UPHI breaches resulting from HITECH Act mandated breach notifications are likely to fuel new HIPAA-related complaints, charges and demands.  Covered Entities, workforce members who wrongfully access protected health information now face potential civil penalties,  criminal prosecution, civil lawsuits and other actions. Allowing state attorneys general to bring suit adds more manpower to the enforcement team.   Furthermore, the wrongful use, access or disclosure of protected health information or other confidential information also increasingly is the basis of civil or criminal actions brought under a variety of other federal and state laws.

New Risks Created By HITECH Act Amendments

Heightened HIPAA exposures stem in part from the HITECH Act’s amendments to HIPAA’s remedy provisions.  Among other things, the HITECH Act amended HIPAA to:

  • Allow a State Attorney General to sue Covered Entities that commit HIPAA violations after February 16, 2009 for damages caused to state citizens;
  • Expand the mandate by OCR to investigate violations and audit compliance with HIPAA;
  • Require OCR to impose civil sanctions against Covered Entities and business associates involved in violations of HIPAA in accordance with tightened standards added to HIPAA by the HITECH Act;
  • Revise the criminal sanctions that the Department of Justice can seek against Covered Entities and others for violations of HIPAA; and
  • Amend HIPAA to make clear that workforce members and others improperly using, accessing or disclosing protected health information in violation of HIPAA can face criminal prosecution.

State Attorney General Lawsuit Exposures

Covered Entities must be concerned about the potential that a state Attorney General may bring civil suit to remedy damages caused to state citizens by a breach of HIPAA.  In certain situations, the HITECH Act empowers a state attorney general to sue Covered Entities for damages if their HIPAA violations harm state citizens. Statutory damages equal to the sum of the number of violations multiplied by 100 up to a maximum of $25,000 per calendar year plus attorneys fees and costs are authorized.

A HIPAA civil lawsuit demonstrates the willingness of at least some states to exercise the new authority to sue Covered Entities. On January 13, 2010 Connecticut Attorney General Richard Blumenthal sued Health Net of Connecticut, Inc. (Health Net) for failing to secure private patient medical records and financial information involving 446,000 Connecticut enrollees and promptly notify consumers endangered by the security breach.   The first attorney general enforcement action brought based on amendments made to HIPAA under the HITECH Act, Connecticut charges that Health Net violated HIPAA by failing to safeguard protected medical records and financial information on almost a half million Health Net enrollees in Connecticut then allowing this information to remain exposed for at least six months before notifying authorities and consumers. The suit also names UnitedHealth Group Inc. and Oxford Health Plans LLC, who have acquired Health Net. 

Stepped Up Federal Enforcement

Even before the HITECH Act amendments, OCR and Department of Justice increased HIPAA investigation and enforcement.  The Department of Justice has obtained a variety of criminal convictions against violators of HIPAA.  See, e.g., 2 New HIPAA Criminal Actions Highlight Risks From Wrongful Use/Access of Health InformationMeanwhile, OCR also is emphasizing HIPAA enforcement.  In February, 2009, OCR announced that CVS Pharmacies, Inc. would pay $2.25 million to resolve HIPAA charges.  This announcement followed OCR’s announcement in July, 2008 that Providence Health Care would pay $100,000 to resolve HIPAA violation charges.  OCR also has taken HIPAA enforcement actions against a broad range of other Covered Entities. See more details hereWhile not resulting in the significant payments involved in CVS or Providence, all Covered Entities involved in these and other enforcement actions or investigations have incurred significant legal and other defense costs, loss of community trust, or both.

In addition to these HIPAA-specific exposures, wrongful use, access or disclosure of medical information also can expose Covered Entities, members of their workforce and others improperly using, accessing or disclosing protected health information to liability under other federal or state laws.  Federal and state prosecutors may and increasingly do bring criminal or civil actions against organizations or individuals for improperly accessing or using medical or other personal information under a variety of other federal or state laws .  See e.g., Cybercrime & Identity Theft: Health Information Security Beyond HIPAA; NY AG Cuomo Announcement of 1st Settlement For Violation of NY Security Breach Notification Law; Woman Who Revealed AIDs Info Gets A Year

State Civil Lawsuits

Covered Entities also need to prepare to defend HIPAA-related conduct in state civil actions.  Individual plaintiffs increasingly used alleged HIPAA violations in state privacy, negligence, retaliation, wrongful discharge or other lawsuits.  State courts have allowed private plaintiffs to use the obligations imposed by HIPAA as the basis of a Covered Entity’s duty for purposes of certain state law lawsuits.  In  Sorensen v. Barbuto, 143 P.3d 295 (Utah Ct. App. 2006), for example, a Utah appeals court ruled a private plaintiff could use HIPAA standards to establish that a physician owed a duty of confidentiality to his patients for purposes of maintaining a state law damages claim.  Similarly, the Court in Acosta v. Byrum, 638 S.E. 2d 246 (N.C. Ct. App. 2006) ruled that a plaintiff could use HIPAA to establish the “standard of care” in a negligence lawsuit. Meanwhile, disgruntled employees or other business partners performing services for  Covered Entities also increasingly are pointing to HIPAA as the basis for their retaliation or wrongful discharge claims. See, e.g.,  Retaliation For Filing HIPAA Complaint Recognized As Basis For State Retaliatory Discharge Claim. Read more here

Coupled with the HITECH Act changes, these and other enforcement actions signal growing potential hazards for Covered Entities that  fail to properly manage their HIPAA compliance obligations and risks. To help guard against these exposures, Covered Entities should act quickly to strengthen their HIPAA defenses by updating policies, contracts, practices, security, training, oversight, documentation and management.

Covered Entities & Business Associates Urged To Act Promptly To Manage Mitigating Expanded HIPAA Risks & Obligations

Faced with these expanding obligations and exposures, Covered Entities should prepare for the need to defend the adequacy of their HIPAA compliance efforts on paper and in operation. As part of these efforts, Covered Entities should consider:

  • Reviewing the adequacy of the practices, policies and procedures of the Covered Entities, business associates, and others that may come into contact with protected health information within the scope of attorney-client privilege taking into consideration the Corrective Action Plan, published OCR noncompliance and enforcement statistics, their own and reports of other security and privacy breaches and near misses, and other developments to determine if additional steps are necessary or advisable;
  • Updating policies, privacy and other notices, practices, procedures, training and other practices as needed to promote compliance and defensibility;
  • Renegotiating and enhancing service provider agreements to detail the specific compliance obligations of each party; to clarify the respective rights, procedures and responsibilities of each party in regards to compliance audits, investigation, breach reporting, and mitigation; to clarify rights of indemnification; and other related relevant matters;
  • Improving technological and other tracking, documentation and safeguards and controls to the use, access and disclosure of protected health information;
  • Conducting well-documented training as necessary to ensure that members of the Covered Entity’s workforce understand and are prepared to comply with the expanded requirements of HIPAA, can detect potential breaches or other compliance concerns, and understand and are prepared to follow appropriate procedures for reporting and responding to suspected violations;
  • Tracking actual and near miss violations and making adjustments to policies, practices, training, safeguards and other compliance components as necessary to deter future concern
  • Establishing and providing well-documented monitoring of compliance;
  • Establishing and providing well-documented timely investigation and redress of reported violations or other compliance concerns;
  • Establishing contingency plans for responding in the event of a breach;
  • Establishing a well-documented process for monitoring and updating policies, practices and other efforts in response to changes in risks, practices and  requirements;
  • Preparing and maintaining a well-documented record of compliance activities; and
  • Pursuing other appropriate strategies to enhance the Covered Entity’s ability to demonstrate its compliance commitment both on paper and in operation.

For Assistance With Compliance Or Other Concerns

The author of this article,  Ms. Stamer has extensive experience advising and assisting health care practitioners and other businesses and business leaders to establish, administer, investigate and defend health care fraud and other compliance and internal control policies and practices to reduce risk under federal and state health care and other laws. If you need assistance with these or other compliance concerns, wish to inquire about arranging for compliance audit or training, or need legal representation on other matters please contact the author of this article, Cynthia Marcotte Stamer, CTT Health Care Practice Group Chair, at cstamer@cttlegal.com, 214.270.2402 or another Curran Tomko Tarski LLP attorney of your choice.  You can get more information about the CTT Health Care Practice  and more specifics about Ms. Stamer’s health industry experience here.

Ms. Stamer is nationally known for her work, training and presentations, and publications on privacy and security of health and other sensitive information in health and managed care, employment, employee benefits, financial services, education and other contexts. 

Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 22 years experience advising clients, conducting workshops and other training, and providing policy advice about health care, privacy, data security, and other matters. She advises health care providers, health insurers and administrators, employer and other health plan sponsors, employee benefit plan fiduciaries, schools, financial services providers, governments and others about privacy and data security, health care, insurance, human resources, ERISA, technology, and other legal and operational concerns. Ms. Stamer also publishes and speaks extensively on health and managed care industry privacy, data security and other technology, regulatory and operational risk management matters. A widely published author on privacy, data security, health care and other related matters, Ms. Stamer is the author of “Protecting & Using Patient Data In Disease Management: Opportunities, Liabilities And Prescriptions,” “Privacy Invasions of Medical Care-An Emerging Perspective,” “Cybercrime and Identity Theft: Health Information Security Beyond HIPAA,” and a host of other highly regarded publications. Her insights on health care, health insurance, human resources and related matters appear in the Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Managed Healthcare, Health Leaders, and a many other national and local publications.  For additional information about Ms. Stamer, her experience, involvements, programs or publications, see here.  

Other Helpful Resources & Other Information

If you found these updates of interest, you also be interested in one or more of the following other recent articles:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail- by creating or updating your profile at here. You can access other recent updates and other informative publications and resources provided by Curran Tomko Tarski LLP attorneys and get information about its attorneys’ experience, briefings, speeches and other credentials here.

For important information concerning this communication click here.  If you do not wish to receive these updates in the future, send an e-mail with the word “Remove” in the Subject to here.

©2010 Cynthia Marcotte Stamer.  All rights reserved. 


Federal HEAT & Other Federal Health Care Fraud Efforts Score More Than 15 Successes As OIG Claims $20.97 Billion Saved From Enforcement Activities In December

December 30, 2009

As the interagency Medicare Fraud Strike Force targeting Medicare Fraud scored another series of more than 15 successful criminal enforcement actions across the national during December, 2009, the Department of Health & Human Services (HHS) Office of Inspector General (OIG) credited the Medicare Fraud Strike Force and other stepped up oversight and enforcement activities as helping it achieve $20.97 Billion in Medicare and other federal health care program savings during Fiscal Year 2009 in its Semiannual Report to Congress

The Detroit convictions were among three of more than 15 other criminal enforcement successes reported by the Department of Justice during December.  These and other reports document the rising prosecution and enforcement risks that health care providers face for failing to tailor their billing and other practices to comply with federal health care fraud laws.  In light of the growing enforcement and emphasis of federal prosecutors and regulations on the detection and prosecution of organizations and individuals participating in billing or other activities that violate federal health care fraud laws, health care organizations, their officers, directors, employees, consultants and other business partners should tighten practices and step up oversight to minimize the likelihood that they or their organizations will engage in activities that federal regulators view as federal health care fraud.

December 13 Detroit Criminal Convictions

The U.S. Department of Justice Criminal Division (Justice Department), Federal Bureau of Investigation (FBI) and Inspector General for the U.S. Department of Health and Human Services (HHS) jointly announced Friday (December 11, 2009) that Baskaran Thangarasan, Sandeep Aggarwal and Wayne Smith had plead guilty for their roles in connection with several Detroit-area health care fraud scheme.

On December 9, 2009, Thangarasan plead guilty to one count of conspiracy to commit health care fraud and Aggarwal plead guilty to one count of conspiracy to launder money. On December 11, 2009, Smith plead guilty to one count of conspiracy to commit health care fraud.

  • Thangarasan Guilty Plea To Conspiracy To Commit Health Care Fraud

On December 9, 2009, Thangarasan plead guilty to one count of conspiracy to commit health care fraud. And Aggarwal plead guilty to one count of conspiracy to launder money. He faces a maximum sentence of 10 years in prison and a $250,000 fine at sentencing.

According to information contained in plea documents, Thangarasan, a licensed physical therapist, admitted that he began working in approximately September 2003 as a contract therapist for a co-conspirator. This co-conspirator owned and controlled several companies operating in the Detroit area that purported to provide physical and occupational therapy services to Medicare beneficiaries. Thangarasan admitted that he, the co-conspirator and others created fictitious therapy files appearing to document physical therapy services provided to Medicare beneficiaries, when in fact no such services had been provided. According to court documents, the fictitious services reflected in the files were billed to Medicare through sham Medicare providers controlled by Thangarasan’s co-conspirators.

Thangarasan admitted that his role in creating the fictitious therapy files was to sign documents and progress notes indicating he had provided physical therapy services to particular Medicare beneficiaries, when in fact he had not. Thangarasan was paid approximately $50 by co-conspirators per file that he falsified in this manner. Thangarasan also admitted that in the course of the scheme charged in the indictment, he signed approximately 1,011 fictitious physical therapy files, falsely indicating he had provided physical therapy services to Medicare beneficiaries. Thangarasan admitted he knew that the files he helped falsify were used to justify fraudulent billings to Medicare.

In addition, Thangarasan admitted that between approximately September 2003 and May 2006, his co-conspirators submitted claims to the Medicare program totaling approximately $5,055,000 for files that were falsified by Thangarasan. Medicare actually paid approximately $2,325,000 on those claims. Thangarasan admitted that throughout the conspiracy, he was fully aware that Medicare was being billed for occupational therapy services he had falsely indicated he had performed.

  • Aggarwal Guilty Plea to Money Laundering

Aggarwal faces a maximum sentence of 20 years in prison and a $500,000 fine after admitting in the same case to assisting co-conspirator Suresh Chand in laundering the proceeds of Chand’s Medicare fraud scheme. Chand, who pleaded guilty in September 2009 to conspiracy to commit health care fraud and conspiracy to launder money, admitted to conspiring to submit approximately $18 million in fraudulent physical and occupational therapy claims to the Medicare program. Aggarwal, who admitted working at Chand’s office, acknowledged that his role in the scheme was to set up sham entities at Chand’s direction, with the purpose of using those entities to distribute the proceeds of the fraud to the various co-conspirators. According to plea documents, one such entity was called Global Health Care Management Services. Aggarwal admitted that Global Health Care Management Services, which he helped create, provided no health or management services of any type, but existed solely as a mechanism to conceal the location of fraudulently obtained Medicare proceeds. Aggarwal admitted in his plea that he and Chand laundered approximately $393,000 through this sham entity.

  • Smith Guilty Plea To Conspiracy To Commit Health Care Fraud

At sentencing, Smith face a maximum sentence of 10 years in prison and a $250,000 fine for his participation in a scheme to falsely bill Medicare.  His indictment charged that he transported and paid Medicare beneficiaries to attend Sacred Hope Center, a Southfield, Mich.-infusion clinic. According to the indictment, the Medicare beneficiaries he paid and transported were paid to sign paperwork indicating that they had received infusions and injections of specialty medications that they did not in fact receive.

According to the indictment, Sacred Hope Center routinely billed the Medicare program for services that were medically unnecessary and/or never provided. The primary owners and operators of Sacred Hope Center have pleaded guilty and admitted purchasing only a small fraction of the medications that the clinic billed the Medicare program for providing. These co-conspirators have also stated that patients were prescribed medications at the clinic based not on medical need, but instead based on which medications were likely to generate Medicare reimbursements.

Other Criminal Enforcement Actions During December

The Detroit convictions are three of nearly 20 successful criminal enforcement activities that DOJ announced during December, 2009.  During the same month, DOJ also announced:

  • On December 20, 2009, sentencing of an Audiologist to six months in prison for Medicare Fraud in California  here
  • On December 17, 2009 , the guilty plea and sentencing of a Houston physician for operating an illegal pill mill here
  • On December 16, 2009, the sentencing in Michigan of the owner of health care agency to 18 months prison in Medicare kickback scheme here
  • On December 15, 2009, the sentencing of a Lexington. South Carolina doctor to perform community service in a health care fraud case  here
  • On December 15, 2009, the guilty plea of a Plymouth, Minnesota man to defrauding Medicaid out of $74,000  here
  • On December 14, 2009, the sentencing of a Miami, Georgia man to more than a decade in Federal prison for million dollar Medicaid fraud here
  • On December 11, 2009, the charging of a durable medical equipment company and six other defendants in Pennsylvania in a Medicare Fraud And Kickback Scheme here
  • On December 11, 2009, the guilty plea of an Aulander, North Carolina woman to $650,000 Health Care Fraud  here
  • On December 7, 2009, the guilty plea of a corporation various health care fraud schemes here
  • On December 6, 2009, the guilty plea of a Dallas, Texas durable medical equipment business owner to aggravated id theft in a Medicare Fraud scheme  here
  • On December 3, 2009, the arrest of the owner of a Florida home health care provider and his alleged accomplice for a scheme to bribe a government contractor  here
  • On December 3, 2009, the conviction of two defendants for Health Care Fraud in Idaho here
  • On December 2, 2009, the entry of an order requiring a Sioux City, Iowa hospital to pay $400,000 to resolve false claims allegations  here
  • On December 1, 2009, the admission by a Maryland man to health care fraud on a hospital in the District of Columbia  here
  • On December 1, 2009, the arrest of a Miami, Florida man for obstructing a Health Care Fraud Investigation here
  • On December 1, 2009, the $125,000  fine of a Michigan chiropractor for Falsifying Records here

HEAT Operations Continued & Expanded

The Detroit and many of these other criminal successes resulted from joint investigations by the FBI and the OIG as part of the Medicare Fraud Strike Force as part of various interagency Medicare Fraud “Strike Forces” operating in several regions of the U.S. as part of the continuing Health Care Fraud Prevention and Enforcement Action Team (HEAT) operations of the FBI, HHS and the Justice Department which DOJ credits with producing more than 250 criminal convictions since their inception,  Based on initial successes of Strike Force operations in Miami (Phase One) and  Los Angeles (Phase Two), the Justice Department and HHS on May 20, 2009 expanded the scope of these operations to include Detroit and Houston Strike Force teams. Recently, DOJ and HHS announced the expansion of its HEAT operations to include Strike Force teams also targeting health care fraud in Brooklyn, New York; Tampa, Florida and Baton Rouge, Louisiana.

The heightened emphasis on enforcement of federal health care fraud laws reflected in the HEAT program the enactment of recent amendments to the False Claims Act, 31 U.S.C. § 3729 (FCA)  under the “Fraud Enforcement and Recovery Act of 2009”(FERA).  The FERA amendments increase the likelihood both that whistleblowers will turn in health care providers and other individuals and organizations that file false claims in violation of the FCA and the liability that violators may incur for that misconduct.

The FERA amendments and the HEAT Team and Strike Force activities are part of a broader emphasis in the enforcement of federal health care fraud laws by both the Administration and Congress.  President Obama’s proposed Fiscal Year 2010 budget seeks to further increase funding for fraud prevention and enforcement by investing $311 million — a 50 percent increase from 2009 funding — to strengthen program integrity activities within the Medicare and Medicaid programs.  The Obama Administration anticipates that all combined, the anti-fraud efforts in the President’s budget could save $2.7 billion over five years by improving oversight and stopping fraud in the Medicare and Medicaid programs, including the Medicare Advantage and Medicare prescription drug programs.  Many state agencies also are stepping up their health care fraud investigations and enforcement.

Health Care Providers Must Step Up Compliance & Risk Management

In light of this new emphasis upon health care fraud detection and enforcement, health care providers now more than ever need to prepare to demonstrate the appropriateness and defensibility of their health care billing and other compliance efforts.

Solutions Law Press author and Curran Tomko and Tarski LLP Health Care Practice Chair Cynthia Marcotte Stamer has extensive experience advising and assisting health care practitioners and other businesses and business leaders to establish, administer, investigate and defend health care fraud and other compliance and internal control policies and practices to reduce risk under federal and state health care and other laws. You can get more information about the CTT Health Care Practice  and more specifics about Ms. Stamer’s health industry experience here on the CTT Website.

If you need assistance with these or other compliance concerns, wish to inquire about arranging for compliance audit or training, or need legal representation on other matters please contact Cynthia Marcotte Stamer, CTT Health Care Practice Group Chair, at cstamer@cttlegal.com, 214.270.2402, CTT White Collar Defense Litigation Practice Chair Edwin J. Tomko at etomko@cttlegal.com, or  214.270.1405 or another Curran Tomko Tarski LLP attorney of your choice.. 

Other Helpful Resources & Other Information

We hope that this information is useful to you.   If you found these updates of interest, you also be interested in other updates on HEAT activities such as the following:

Other recent updates that also may be of interested published on our electronic Solutions Law Press Health Care Update publication include:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please register to receive this Solutions Law Press Health Care Update here and be sure that we have your current contact information – including your preferred e-mail- by creating or updating your profile at here. You can access other recent updates and other informative publications and resources provided by Curran Tomko Tarski LLP attorneys and get information about its attorneys’ experience, briefings, speeches and other credentials here.

For important information concerning this communication click here.  If you do not wish to receive these updates in the future, send an e-mail with the word “Remove” in the Subject here.

©2009 Cynthia Marcotte Stamer.  All rights reserved. 


%d bloggers like this: