Stamer “Cybersecurity Jedi Skills Training” Added To 2025 Security Summit Agenda

July 24, 2025

The Information Systems Security Association (“ISSA”) – Los Angeles Chapter (“ISSA-LA”) recently confirmed that Solutions Law Press publisher and author Cynthia Marcotte Stamer will conduct “Cybersecurity Jedi Skills Training” at the 2025 Annual Security Summit 2025 ISSA-LA is hosting on September 17-18, 2025, at the Annenberg Beach House in Santa Monica, California.

Under constant threat from potentially draconian operational, financial and legal mayhem from cybercriminals’ ransomware and other cyberattacks, organizations, investors, breach victims, health care and other business partners, and federal and state regulators increasingly expect cybersecurity and other IT leaders to defend their organization’s proprietary knowledge, workforce, finance, and other mission critical data and systems cyberthreats from dark web with the skill of Jedi knights. While even the most skilled cyberwarriors can’t render their data and operating systems impenetrable against these attacks, cybersecurity professionals and their organizations should engage in constant training and preparation to protect themselves and their organizations from the fallout that commonly follows from a data or systems breach or failure.

The September 17, 2025, “Cybersecurity Jedi Skills Training” workshop that Ms. Stamer will conduct is designed to help CISOs, Directors of Information Security and other leaders strengthen their cybersecurity prevention and response strategies for enhanced defensibility. Drawing from her decades of experience advising and defending data-reliant organizations and their leaders, her workshop will:

  • Arm cybersecurity leaders with knowledge about how data, systems, and technology can either promote or undermine legal defensibility, and share basic principles and strategies for designing and using technology and data to advance legal goals and defensibility.
  • Empower cybersecurity defenders with insights into key cybersecurity, privacy, electronic data, and technology-related traps that impact defense and response strategies.
  • Highlight how cyber events and violations of computer, securities, antitrust, and other laws can expose organizations and their leaders to criminal, civil, and administrative liability.
  • Reveal key evidentiary practices and processes to use during compliance, contracting, audits, investigations, governance, incident management, and response, as well as when dealing with government or other investigations, to promote and strengthen defensibility and mitigate risks.

Ms. Stamer has developed the training from her decades of experience helping highly regulated and other performance and data-sensitive organizations and their leaders use the law, process, technology and other legal, risk management and operational tools to promote defensibility, mitigate risk, enhance operational effectiveness, and manage change and uncertainty. The founding and Managing Member of the Cynthia Marcotte Stamer, P.C. law firm, Ms. Stamer has used her extensive legal and operational knowledge to provide practical, client-centric advice, tools and solutions to help a diverse array of U.S. and multinational business, government, and community organizations, to design, manage and defend their people; compensation and benefits; technology, data privacy and security; regulatory compliance; and other operations-critical risks and performances for more than 35 years.  She is best known for her work with employer and other workforce, health, employee benefits, insurance, data and technology, financial and government organizations, and their technology and other developers and vendors, all of which bear significant data privacy and security obligations.

Longtime Scribe leading the American Bar Association (“ABA”) JCEB Annual Agency Meeting with the HHS Office of Civil Rights; incoming Intellectual Property Section Information Technology Committee  Vice Chair, and a widely published author, speaker and thought leader on cybersecurity and other data and technology use, privacy and protection, Ms. Stamer’s process-oriented work throughout her career continuously has included helping clients use and defend their data and technology practices, investigating and responding to data and technology breaches, events, threats and regulations; and dealing with insurers, federal and state legislators, regulators and investigators on cybersecurity and other data and technology concerns.  Her cutting-edge work, scholarship and thought leadership, advocacy and community service have earned her recognition as a “Top Woman Lawyer;” “Top Rated Lawyer,” and “LEGAL LEADER™” in Health Care Law and Labor and Employment Law; “Best Lawyer” in “Labor and employment,” “Tax: ERISA & Employee Benefits,” “Health Care,” and “Business and Commercial Law.” For additional information about Ms. Stamer or her services, see here or contact Ms. Stamer directly.

Ms. Stamer’s “Cybersecurity Jedi Skills Training” is part of two days of professional training and networking that ISSA-LA is presenting at its Annual Security Summit 2025.  Founded in 1982 by Sandra Lambert and Nancy King, ISSA-LA is the premier catalyst and community resource in Southern California for improving the practice of information security. A 501(c)(3) organization and the founding Chapter of the ISSA®, ISSA-LA provides various training classes and lectures for information Security and IT professionals throughout the year and at the annual Summit. ISSA-LA meets monthly for dinner and regularly collaborates with other IT and Cybersecurity organizations, having joint meetings and social events with the Women’s Society of Cyberjutsu, the Cloud Security Alliance, and the Association of IT Professionals, to name a few.  To register, review the schedule, information about sponsorship, or other details about the Annual Security Summit 2025 or ISSA-LA, see here.

For More Information

We hope this update is helpful. For more information about these or other health or other employee benefits, human resources, or health care developments, please contact the author, Cynthia Marcotte Stamer, via e-mail or telephone at (214) 452-8297.

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating in and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About Solutions Law Press™

Solutions Law Press™ provides health care, insurance, human resources and employee benefit, data and technology, regulatory and operational performance, and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education. These include extensive resources on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press™ resources or training.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or admission. Solutions Law Press and its authors reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. Solutions Law Press and its authors disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2025 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press.™ For information about licensing for republication, please contact the author directly. All other rights reserved.

Leave a Comment » | Corporate Compliance, Cyber crime, data breach, data security, Education, Electronic Medical Records, Emergency Care, FERPA, Genetic Information, Government contractor, Health Apps, Health Care, Health Insurance, Health Plan, HIPAA, Medical Malpractice, NIST | Tagged: , , , , | Permalink
Posted by Cynthia Marcotte Stamer

Health Care Network’s $600,000 Settlement Highlights Health Industry HIPAA Hacking Liability Exposures & Risk Analysis Responsibilities

April 23, 2025

Conduct an appropriate risk analysis and take the required steps to protect your electronic health records from phishing and other hacking threats by conducting a thorough risk analysis and otherwise cleaning up your Health Insurance Portability and Accountability Act of 1996 compliance!  That’s the clear message to the Department of Health and Human Services Office of Civil Rights (“OCR”) urges health care providers, health plans, health care clearinghouses (“Covered Entities”) and their business associates (collectively “Regulated Entities”) to learn from the $600,000 HIPAA Privacy, Security, and Breach Notification Rules (“HIPAA Rules”) settlement the Department of Health & Human Services Office of Civil Rights (“OCR”) announced with Southern California health care network PIH Health, Inc. (“PIH”) on April 23, 2025.

Hacking incidents present a significant cybersecurity threat to Regulated Entities’ electronic health and other data.  Phishing and other hacking attacks are among the most common types of large breaches reported to OCR every year. Over the past five years, there has been a 256% increase in large breaches reported to OCR involving hacking and a 264% increase in ransomware. In 2023, hacking accounted for 79% of the large breaches reported to OCR.  Between January 1 and April 23, 2025 alone, OCR received 161 hacking-related breach reports from Regulated Entities. OCR’s Breach Portal indicates that on April 23, 2025, OCR had a total of 554 open hacking-related breach investigations, 506 involving health care providers, 47 involving health plans, and one involving a health care clearinghouse.

The HIPAA Privacy, Security, and Breach Notification Rules require Regulated Entities to conduct and maintain documented risk analysis to assess their hacking and other threats to the security of their individually identifiable electronic protected health information (“ePHI”) and meet other specific standards to protect the privacy and security of protected health information against hacking and other improper access, destruction, or disclosure. As reflected in the following table of current HIPAA sanctions, violation of these HIPAA requirements exposes a Regulated Entity to significant civil monetary penalties or criminal sanctions.

HIPAA Sanctions

TierCivil Penalties[1]Criminal Penalties
1Lack of Knowledge: $141 – $71,162 per violationReasonable Cause or No Knowledge of Violation: Up to 1 year imprisonment
2Reasonable Cause: $1,424 – $71,162 per violationPHI Obtained Under False Pretenses: Up to 5 years imprisonment
3Willful Neglect (corrected within 30 days): $14,232 – $71,162 per violationPHI Obtained for Personal Gain or with Malicious Intent: Up to 10 years imprisonment
4Willful Neglect (not corrected within 30 days): $71,162 – $2,134,831 per violation 

Most Regulated Entities that OCR accused of violating the HIPAA requirements avoid paying the full amount of authorized civil monetary penalties by accepting OCR settlement offers. As the $600,000 PHI demonstrates, settlement with OCR allows Regulated Entities to avoid much greater potential civil monetary penalties by paying a much smaller, but still generally significant settlement amount.

PHI Breach and Settlement

The PHI settlement resolves an investigation that OCR conducted after receiving a breach report from PIH in January 2020 about a June 2019 phishing attack.  The report stated the attack compromised forty-five of its employees’ email accounts, resulting in the breach of 189,763 individuals’ unsecured ePHI. PIH reported that the ePHI disclosed in the phishing attack included affected individuals’ names, addresses, dates of birth, driver’s license numbers, Social Security numbers, diagnoses, lab results, medications, treatment and claims information, and financial information.

OCR’s investigation found multiple potential violations of the HIPAA Rules, including:

  • Failure to use or disclose protected health information only as permitted or required by the HIPAA Privacy Rule.
  • Failure to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by PIH.
  • Failure to notify affected individuals, the HHS Secretary, and the media of a breach of unsecured protected health information within 60 days of its discovery.

Under the terms of the resolution agreement, PIH has agreed to implement a corrective action plan that OCR will monitor for two years and pay a $600,000 settlement to OCR. Under the corrective action plan, PIH is obligated to take definitive steps toward resolving potential violations of the HIPAA Rules, including:

  • Conducting an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI.
  • Developing and implementing a risk management plan to address and mitigate security risks and vulnerabilities identified in its risk analysis.
  • Developing, maintaining, and revising, as necessary, its written policies and procedures to comply with the HIPAA Rules.
  • Training its workforce members who have access to PHI on its HIPAA policies and procedures.

The findings of deficiencies in PIH’s risk analysis and requirements that PIH conduct an accurate and thorough risk analysis and implement a risk management plan to address and mitigate identified security risks and vulnerabilities are a recurrent theme in OCR breach investigations.   OCR’s recent addition of a Risk Analysis Initiative to its compliance and enforcement priorities heightens the significance of OCR’s inclusion of these findings and requirements in the PIH settlement.

The HIPAA Security Rule requires a Regulated Entity to conduct an “accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI” and “[i]mplement policies and procedures to prevent, detect, contain, and correct security violations.” Meanwhile, the HIPAA Breach Notification Rule requires in 45 CFR § 164.402 that a Regulated Entity that experiences an impermissible acquisition, access, use, or disclosure (“breach”) of unsecured ePHI to conduct a documented risk assessment to determine whether the Regulated Entity must notify affected individuals, OCR and in the case of breaches involving the ePHI of 500 or more individuals, the media. OCR interprets these Rules together also to require Regulated Entities experiencing a breach of ePHI or having evidence putting the Regulated Entity on notice of a potential susceptibility creating a risk of a breach as triggering a duty by the Regulated Entity to conduct a Risk Assessment to assess the susceptibility of its ePHI to the risk and the actions reasonably necessary to mitigate it under the Security Rule.

OCR views Risk Analysis as foundational to the protection of ePHI. Consequently, OCR constantly has urged Regulated Entities to fulfill their Risk Analysis obligations since the earliest days of HIPAA in its guidance and educational outreach, as well as by regularly discussing the requirement and role of Risk Analysis deficiencies in creating the circumstances leading to enforcement actions against Regulated Entitles in its civil monetary penalty assessments and HIPAA settlement announcements.

Despite OCR’s constant and ever-rising efforts to promote compliance with the Risk Analysis requirements, however, OCR consistently has found deficiencies in Regulated Entities’ Risk Analysis in its breach investigations and audit findings since these rules became effective. As the number and magnitude of reported breaches of ePHI skyrocketing and massive breaches like those experienced in 2024 by UnitedHealthcare subsidiary Change Health, Ascension and others demonstrating the serious consequences ransomware and other cyberattacks can inflict on health care delivery, payment, and patient privacy, OCR is placing new emphasis on tightening both the requirements for Risk Analysis and its enforcement of compliance with the Risk Analysis requirements.

On December 27, 2024, for instance, OCR published a notice of proposed rulemaking that proposes to clarify and tighten significantly the Risk Analysis requirements and other elements of the HIPAA Security Rule. Along with proposing these heightened Risk Analysis requirements, OCR announced and now is zealously enforcing the current Risk Analysis requirements through its Risk Analysis Initiative to hold Regulated Entities accountable for failing to fulfill their Risk Analysis responsibilities as part of its heightened efforts to improve Regulated Entities’ fulfillment of their Risk Analysis obligations. Prior to its announcement of the PIH settlement, OCR in recent months previously announced seven Risk Analysis Initiative settlements including two in April.  Although OCR’s PHI settlement announcement does not label the settlement as a Risk Analysis Initiative, OCR’s discussion makes clear OCR considered PIH’s failure to fulfill the Risk Analysis requirements a core failure contributing to the breach.

OCR Acting Director Anthony Archeval made a point of warning other Regulated Entities to ensure the adequacy of their own organizations’ Risk Analysis and other Security Rule compliance in OCR’s announcement of the PIH settlement by stating:

Ransomware and hacking are the primary cyber-threats to electronic protected health information within the health care industry. Failure to conduct a HIPAA risk analysis puts this information at risk and vulnerable to future ransomware attacks and other cyber-threats[.]

Required & Recommended Actions To Promote Defensibility Of Risk Analysis Compliance  

With cyberattacks targeting health care and other Regulated Entities soaring and OCR stepping up its scrutiny of Regulated Entities’ Risk Analysis compliance in audits and enforcement actions, each health care provider and other Regulated Entity should review and tighten its Risk Analysis practices and documentation to reduce its susceptibility to potential breaches and to promote its ability to defend its compliance with the Risk Analysis requirements in the event of a breach investigation or audit.

Fulfill Current Risk Analysis Standards

To fulfill the “Risk Analysis” implantation specification, the Security Management Process Standard requires Regulated Entities enforce appropriate administrative, physical, and technical safeguards for the confidentiality, integrity, and security of electronic protected health information (“ePHI”) based on an up-to-date conduct of an up-to-date accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by that organization (“Risk Analysis”).

The Security Rule requires Regulated Entities to document each Risk Analysis in writing, to keep Risk Analysis documentation for six years, and to provide Risk Analysis documentation to OCR upon request.

Among other things, the Risk Analysis implementation standard requires regulated entities adequately to:

  • Identify where ePHI is located in the organization, including how ePHI enters, flows through, and leaves the organization’s information systems.
  • Integrate Risk Analysis and risk management into the organization’s business processes.
  • Ensure that audit controls are in place to record and examine information system activity.
  • Implement regular reviews of information system activity.
  • Utilize mechanisms to authenticate information to ensure only authorized users are accessing ePHI.
  • Encrypt ePHI in transit and at rest to guard against unauthorized access to ePHI when appropriate.
  • Incorporate lessons learned from incidents into the organization’s overall security management process.
  • Provide workforce members with regular HIPAA training that is specific to the organization and to the workforce members’ respective job duties.
Follow Proposed Rules & Enforcement Actions To Mitigate Risks

The proposed rule published by OCR on December 27, 2024, seeks to clarify and expand the original requirements of the Risk Assessment implementation standard based on OCR’s past HIPAA Security and Breach Rule investigation and enforcement experience.  Under the proposed rule, a Regulated Entity’s Risk Analysis also would be required to include:

  • Require the development and revision of a technology asset inventory and a network map that illustrates the movement of ePHI throughout the regulated entity’s electronic information system(s) on an ongoing basis, at least once every 12 months and in response to a change in the regulated entity’s environment or operations that may affect ePHI.
  • Require greater specificity for conducting a risk analysis, including a written assessment that contains, among other things:
    • A review of the technology asset inventory and network map;
    • Identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI;
    • Identification of potential vulnerabilities and predisposing conditions to the regulated entity’s relevant electronic information systems;
    • An assessment of the risk level for each identified threat and vulnerability, based on the likelihood that each identified threat will exploit the identified vulnerabilities; and
    • A review of the technology asset inventory and network map.

Other changes included in the proposed rule would further heighten the Risk Analysis and other Security Standard requirements for Regulated Entities. For instance, the proposed rule would require Regulated Entities:

  • To establish written procedures to restore the loss of certain relevant electronic information systems and data within 72 hours;
  • To perform an analysis of the relative criticality of their relevant electronic information systems and technology assets to determine the priority for restoration;
  • To establish written security incident response plans and procedures documenting how workforce members are to report suspected or known security incidents and how the regulated entity will respond to suspected or known security incidents;
  • To implement written procedures for testing and revising written security incident response plans;
  • To conduct a compliance audit at least once every 12 months to ensure their compliance with the Security Rule requirements;
  • To require business associates to verify at least once every 12 months for covered entities (and that business associate contractors verify at least once every 12 months for business associates) that they have deployed technical safeguards required by the Security Rule to protect ePHI through a written analysis of the business associate’s relevant electronic information systems by a subject matter expert and a written certification that the analysis has been performed and is accurate;
  • To encrypt ePHI at rest and in transit, with limited exceptions;
  • To establish and deploy technical controls for configuring relevant electronic information systems, including workstations, in a consistent manner including deployment of anti-malware protection, removal of extraneous software, and disabling network ports in accordance with the regulated entity’s risk analysis;
  • Use of multi-factor authentication, with limited exceptions;
  • Vulnerability scanning at least every six months and penetration testing at least once every 12 months;
  • Network segmentation;
  • Separate technical controls for backup and recovery of ePHI and relevant electronic information systems;
  • To review and test the effectiveness of certain security measures at least once every 12 months, in place of the current general requirement to maintain security measures;
  • Business associates to notify covered entities (and subcontractors to notify business associates) upon activation of their contingency plans without unreasonable delay, but no later than 24 hours after activation;
  • Group health plans to include in their plan documents requirements for their group health plan sponsors to: comply with the administrative, physical, and technical safeguards of the Security Rule; ensure that any agent to whom they provide ePHI agrees to implement the administrative, physical, and technical safeguards of the Security Rule; and notify their group health plans upon activation of their contingency plans without unreasonable delay, but no later than 24 hours after activation.

To help Regulated Entities understand and fulfill these responsibilities, OCR alone and in conjunction with the Office of the National Coordinator for Health Information Technology (“ONC”) also has published guidance like the HIPAA Security Risk Assessment (SRA) Tool.  OCR guidance reflects that fulfillment of the Tool can help Regulated Entities may help defend but does not guarantee fulfillment of the Risk Assessment requirements, as the adequacy of the Risk Assessment always depends upon the unique facts and circumstances of the Regulated Entity at a particular time.  This guidance confirms the importance of conducting timely and appropriate Risk Analysis in a manner that shows the Regulated Entity appropriately evaluated the risks to its e-PHI and acted reasonably in designing, administering, and updating that Risk Analysis to reasonably defend its e-PHI against breaches or other susceptibilities.

Since OCR’s guidance makes clear that the adequacy of a Regulated Entity’s Risk Analysis and other HIPAA Security compliance based on its evaluation and response to known and suspected susceptibility threats as conducted and documented pursuant to the Risk Analysis rule, health care providers and other Regulated Entities should view Risk Analysis as an ongoing process. While the Security Rule does not currently dictate how frequently a regulated entity must perform Risk Analysis, a proposed rule published by OCR on December 27, 2024 seeks to amend the existing Security Rule to expand the requirement to require regulated entities to develop and revise a technology asset inventory and a network map that illustrates the movement of ePHI throughout the regulated entity’s electronic information system(s) on an ongoing basis, at least once every 12 months and in response to a change in the regulated entity’s environment or operations that may affect ePHI.  Although OCR has not officially adopted this and other changes contained in the proposed rule, substantial evidence exists that it already regularly administers the Risk Analysis requirement with the expectation that regulated entities will perform Risk Analysis at least this frequently. For instance, current OCR resolution agreements require impacted organizations to conduct Risk Analysis to identify and address vulnerabilities at least annually, and more frequently as needed in response to signs of potential breach or susceptibility. Likewise, since OCR developed the proposed rule from its past enforcement experience, wise Regulated Entities also will recognize the value of drawing upon the changes set forth in the proposed rule for helpful insights to strengthen the security of their ePHI generally and promoting the defensibility of the adequacy of their Risk Assessments.

Appropriate Processes Can Enhance Defensibility

With the continued explosion in ransomware and other cyberthreats heightening the risk of experiencing a breach or other incident likely to draw the attention of OCR, each health plan or other Regulated Entity should take assess and confirm the adequacy of their current Risk Analysis, both to protect its ePHI and to promote its ability to defend its compliance with the HIPAA Security Rule’s Risk Analysis and other requirements in light of OCR’s heightened emphasis on Risk Analysis compliance and enforcement. For purposes of conducting this analysis, Regulated Entities generally will want to use a process like the following to structure their evaluation of their existing Risk Analysis to take advantage of the opportunity to use attorney-client privilege and other evidentiary rules to help protect discoverability of sensitive discussions about possible deficiencies in their existing Risk Analysis and discussions about potential tradeoffs considered in current or future Risk Analysis response:

  • Engage legal counsel experienced with HIPAA and other cybersecurity-related risks and liabilities to advise and assist your organization in designing and administering your Risk Analysis processes and response within the scope of attorney-client privilege;
  • Appoint and designate leadership and technical leadership for team responsible for design and administration of your organization’s initial and ongoing cybersecurity Risk Analysis and response (“Cyber-Risk Team”) and process for board and senior management reporting of the Cyber-Risk Team;
  • Select and engage outside consulting service providers, cyber-liability insurers and other risk service providers expected to participate in the process; work with qualified legal counsel to contract with these business associates to include the business associate agreement and other reassurances required by the HIPAA Privacy, Security and Breach Notification Rule and other performances, cooperation to provide and back services in accordance with agreed-upon protocols in the contract;
  • Train Cyber-Risk Team in the appropriate processes for working with internal teams, outside service providers, leadership, and designated legal counsel to conduct Risk Analysis, investigation and response using attorney-client privilege and other evidentiary tools and processes to maximize defensibility;
  • Require the Cyber-Risk Team conduct an updated, document assessment of cyber-risk within scope of attorney-client privilege and work with legal counsel to develop a documented cyber-risk policy that captures analysis and determinations for your justification for the size, scope and timing of your periodic Risk Analysis and rules and processes for interim risk identification, reassessments and response in reaction to potential cyber-risk signs between periodic Risk Analysis for presentation and approval by the Board taking into account the insights from published final and proposed guidance, enforcement actions and industry standards;
  • Require, oversee and enforce Cyber-Risk Team’s documented administration of the initial and subsequently required Risk Analysis and response pursuant to the adopted cyber-risk policy to identify vulnerabilities and work with legal counsel within the scope of privilege to document your analysis and justifications for addressing identified vulnerabilities and other required actions in response to identified susceptibilities or event;
  • Review adequacy of incident detection and response arrangements, including reporting and response mechanisms, insurance and indemnification protection, and other critical elements for mitigation and recovery; and
  • Other actions as warranted based on advice of counsel taking into account emerging threats, guidance, and risk susceptibility.

Although civil monetary penalties or settlements are the most common sanction imposed for HIPAA Security and Breach Notification rule violations, willful and certain other violations of HIPAA can trigger criminal liability subject to the Federal Sentencing Guidelines. Consequently, beyond fulfilling the specific requirements of HIPAA, an adequate Risk Assessment also can be an invaluable tool for helping mitigate Federal Sentencing Guideline exposures of a Regulated Entity and its leaders under the Federal Sentencing Guidelines Organizational Liability rules.

Beyond these specific HIPAA-associated exposures, Regulated Entities and their leaders should keep in mind that HIPAA is likely only one of many laws that define their responsibilities to secure, report, and respond to breaches of ePHI or other sensitive data. Depending on the location, nature and other circumstances, Regulated Entities and their leaders also may have additional responsibilities and liability exposures under a variety of other federal and state laws, ethical or other professional standards, and contractual obligations. For instance, inadequate data safeguards for ePHI also can trigger liability under the Fair and Accurate Credit Transactions Act, the Federal Trade Commission Act, and various electronic crimes statutes. The Securities and Exchange Commission rules can trigger disclosure and other obligations for publicly traded hospital or other health care providers, insurers, or their business associates. Health care providers, payers and others are likely to face specific additional health care or insurance-specific licensing and ethics rules, as well as other confidential information privacy, cybersecurity and breach reporting obligations and liability under various state statutes and regulations. Regulated Entities and their leaders generally will want to fully evaluate and manage these risks in conjunction with their compliance with the Risk Analysis and other requirements of the HIPAA Security and Breach Notification Rules.

The author of this update, Cynthia Marcotte Stamer is nationally known and celebrated for her experience providing advice and representation to health care providers, health insurers, employers and other health plan sponsors, health plans, health plan fiduciaries and administrators, third party administrators, human resources and health plan technology, and other businesses about HIPAA and other compliance, risk management and operational matters. If you have questions or need advice or help evaluating or addressing these or other compliance, risk management, or other concerns, contact her.

For More Information Or Help

We hope this update is helpful. For more information about these or other health or other employee benefits, human resources, or health care developments, please contact the author, Cynthia Marcotte Stamer, via e-mail or telephone at (214) 452-8297.

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating in and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Cynthia Marcotte Stamer is a Martindale-Hubble AV-Preeminent (highest/top 1%) practicing attorney recognized as a “Top Woman Lawyer,” “Top Rated Lawyer,” and “LEGAL LEADER™” in Health Care Law and Labor and Employment Law; among the “Best Lawyers In Dallas” in “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law recognized for her experience, scholarship, thought leadership and advocacy on HIPAA and other data and technology use, security and compliance in connection with her work with health care and life sciences, employee benefits, insurance, education, technology and other highly regulated and performance-dependent clients.

Board certified in labor and employment law by the Texas Board of Legal Specialization and a Fellow in the American College of Employee Benefits Counsel, Ms. Stamer works with these and other highly regulated or data and performance reliant businesses to design, risk manage, and defend their employment and other workforce, data and technology and other operations to promote legal and operational compliance, reduce regulatory and other liability and promote other operational goals.

Along with her decades of legal and strategic consulting experience, Ms. Stamer also contributes her leadership and experience to many professional, civic and community organizations. She currently serves as Co-Chair of the ABA Real Property Trusts and Estates (“RPTE”) Section Welfare Plan Committee, Co-Chair of the ABA International Section International Employment Law Committee and its Annual Meeting Program Planning Committee, Chair Emeritus and Vice Chair of the ABA Tort Trial and Insurance (“TIPS”) Section Medicine and Law Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee.

Additionally, more her ABA involvements include than a decade of service as a Scribe for the Joint Committee on Employee Benefits (“JCEB”) annual agency meetings with the Department of Health and Human Services and JCEB Council Representative, International Section Life Sciences Committee Chair, RPTE Section Employee Benefits Group Chair and a Substantive Groups Committee Member, Health Law Section Managed Care & Insurance Interest Group Chair, as TIPS Section Medicine and Law Committee Chair and Employee Benefits Committee and Workers Compensation Committee Vice Chair, Tax Section Fringe Benefit Committee Chair, and in various other ABA leadership capacities. Ms. Stamer also is a former Southwest Benefits Association Board Member and Continuing Education Chair, SHRM National Consultant Board Chair and Region IV Chair, Dallas Bar Association Employee Benefits Committee Chair, former Texas Association of Business State, Regional and Dallas Chapter Chair, a founding board member and Past President of the Alliance for Healthcare Excellence, as well as in the leadership of many other professional, civic and community organizations. She also is recognized for her contributions to strengthening health care policy and charitable and community service resolving health care challenges performed under PROJECT COPE Coalition For Patient Empowerment initiative and many other pro bono service involvements locally, nationally and internationally.

Ms. Stamer is the author of many highly regarded works published by leading professional and business publishers, the ABA, the American Health Lawyers Association, and others. Ms. Stamer also frequently speaks and serves on the faculty and steering committee for many ABA and other professional and industry conferences and conducts leadership and industry training for a wide range of organizations.

For more information about Ms. Stamer or her health industry and other experience and involvements, see http://www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press™

Solutions Law Press™ provides health care, insurance, human resources and employee benefit, data and technology, regulatory and operational performance, and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education. These include extensive resources on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press™ resources or training.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or admission. Solutions Law Press and its authors reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. Solutions Law Press and its authors disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2025 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press.™ For information about licensing for republication, please contact the author directly. All other rights reserved.

[1] The civil monetary penalty amounts are adjusted annually for inflation.  OCR has not yet published the 2025 inflation adjusted amounts. 

Leave a Comment » | Health Care | Tagged: , , , , | Permalink
Posted by Cynthia Marcotte Stamer

Risk Analysis Critical For Health Care Providers & Other HIPAA-Covered Entities To Manage OCR & Other Data Breach Exposures

April 22, 2025

With the financial impact to businesses suffering data breaches in 2024 now averaging nearly $5 million and the announcement by the Department of Health and Human Services Office of Civil Rights (“OCR”) two additional Health Insurance Portability & Accountability Act (“HIPAA”) “Risk Analysis Initiative” settlements in seven days, health care providers, health plans, healthcare clearinghouses (“Covered Entities”) and their business associates (collectively “Regulated Entities”) face a growing imperative to act now to promote the defensibility of their practices under the Risk Analysis and other HIPAA Privacy, Security, and Breach Notification Rule requirements. Coupled with OCR’s steady announcement of enforcement actions like those announced this month against NERAD and others under its Risk Analysis Initiative, OCR clearly is warning health care providers and other Regulated Entities to clean up and strengthen their Risk Analysis and other HIPAA Security Rule compliance.

HIPAA Risk Analysis Requirement & OCR Risk Analysis Initiative

The need for Regulated Entities to ensure their fulfillment of HIPAA’s Risk Analysis requirements to prevent and mitigate their legal, financial and operational exposures from breaches of electronic protected health information (“ePHI”) and to defend against a potential OCR Risk Analysis enforcement action or audit is demonstrated by OCR’s announcement of HIPAA Security Rule enforcement actions and settlements with Northeast Radiology, P.C. (NERAD) on April 10, 2025, and Guam Memorial Hospital Authority (“GMHA”) on April 17, 2025, the sixth and seventh under OCR’s recently announced HIPAA “Risk Analysis Initiative” .

Risk Analysis Longstanding HIPAA Requirement

The HIPAA Privacy, Security, and Breach Notification Rules require Regulated Entities to meet specific standards to protect the privacy and security of protected health information. Violation of these requirements exposes Regulated Entities to civil monetary penalties or even criminal penalties depending on the nature of the violation.

Since the HIPAA Security Rule first took effect, risk analysis is one of the four required implementation specifications Regulated Entities must meet under the Security Management Process standard in 45 CFR § 164.308.

To fulfill this Risk Analysis requirement, a Regulated Entity must conduct an “accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI” and “[i]mplement policies and procedures to prevent, detect, contain, and correct security violations.” 

Additionally, in 45 CFR § 164.402 the HIPAA Breach Notification Rule requires a Regulated Entity that experiences an impermissible acquisition, access, use, or disclosure (“breach”) of unsecured ePHI to conduct a documented risk assessment to determine whether the Regulated Entity must notify affected individuals, OCR and in the case of breaches involving the ePHI of 500 or more individuals, the media. As consistently interpreted and applied by OCR, experiencing a breach or the existence of evidence putting the Regulated Entity on notice of a potential susceptibility creating a risk of a breach triggers a duty by the Regulated Entity to conduct a Risk Assessment to assess the susceptibility of its ePHI to the risk and the actions reasonably necessary to mitigate it under the Security Rule.

OCR views Risk Analysis as foundational to the protection of ePHI. As OCR Acting Director Anthony Archeval recently stated to explain OCR’s emphasis on Risk Analysis compliance and enforcement, “Ransomware and hacking are the primary cyber-threats to electronic protected health information within the health care industry. Failure to conduct a HIPAA risk analysis puts this information at risk and vulnerable to future ransomware attacks and other cyber-threats[.]” Consequently, OCR constantly has urged Regulated Entities to fulfill their Risk Analysis obligations since the earliest days of HIPAA. To promote compliance, OCR persistently has communicated the necessity and importance of the Risk Analysis in guidance and sought to reinforce the consequences of inadequate Risk Analysis by discussing the role of Risk Analysis deficiencies in creating the circumstances leading to enforcement actions against Regulated Entitles in its civil monetary penalty assessments and HIPAA settlement announcements.

OCR Raising Risk Analysis Expectations & Enforcement

Despite OCR’s constant and ever-rising efforts to promote compliance with the Risk Analysis requirements, however, OCR consistently has found deficiencies in Regulated Entities’ Risk Analysis in its breach investigations and audit findings since these rules became effective. As the number and magnitude of reported breaches of ePHI skyrocketing and massive breaches like those experienced in 2024 by UnitedHealthcare subsidiary Change Health, Ascension and others demonstrating the serious consequences ransomware and other cyberattacks can inflict on health care delivery, payment, and patient privacy, OCR is placing new emphasis on tightening both the requirements for Risk Analysis and its enforcement of compliance with the Risk Analysis requirements.

On December 27, 2024, for instance, OCR published a notice of proposed rulemaking that proposes to clarify and tighten significantly the Risk Analysis requirements and other elements of the HIPAA Security Rule. Along with proposing these heightened Risk Analysis requirements, OCR announced and now is zealously enforcing the current Risk Analysis requirements through its Risk Analysis Initiative to hold Regulated Entities accountable for failing to fulfill their Risk Analysis responsibilities as part of its heightened efforts to improve Regulated Entities’ fulfillment of their Risk Analysis obligations. With OCR’s announcement of the NERAD and GMHA enforcement actions on April 10 and April 17, respectively bringing to seven the number of Risk Analysis Initiative enforcement settlements in recent months, health care providers and other Regulated Entities should heed the schooling these and other similarly sanctioned organizations as a call to action to ensure their own Risk Analysis and other HIPAA Privacy, Security and Breach Rule compliance.

NERAD Enforcement Risk Analysis Initiative Enforcement Action & Settlement

The first of two Risk Analysis Initiative settlements announced in seven days in April and the sixth enforcement action and settlement specifically labeled as taken under the “Risk Analysis Initiative,” the NERAD enforcement action and settlement announced April 10, 2025 resolves liabilities for violation of the Risk Analysis Rule arising from OCR’s investigation of a breach of ePHI stored on NERAD’s Picture Archiving and Communication System (“PACS”) server for storing, retrieving, managing, and accessing radiology images.

OCR initiated its investigation of NERAD after receiving a NERAD breach report that between April 2019 and January 2020, unauthorized individuals accessed radiology images stored on NERAD’s PACS server. NERAD notified the 298,532 patients whose information was potentially accessible on the PACS server of this breach. OCR’s investigation found that NERAD had failed to conduct an accurate and thorough Risk Analysis to determine the potential risks and vulnerabilities to the ePHI in NERAD’s information systems.

To avoid potentially much greater HIPAA civil monetary penalties under the terms of the resolution agreement, NERAD paid OCR $350,000 and agreed to implement a corrective action plan that OCR will monitor for two years. Under the corrective action plan, NERAD will take steps to improve its compliance with the HIPAA Security Rule and protect the security of ePHI, including:

  • Conducting an accurate and thorough Risk Analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI;
  • Developing and implementing a risk management plan to address and mitigate security risks and vulnerabilities identified in its Risk Analysis;
  • Developing and implementing a written process to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports;
  • Developing, maintaining, and revising, as necessary, its written policies and procedures to comply with the HIPAA Rules; and
  • Augmenting its existing HIPAA and security training program to all of its workforce members who have access to PHI.

Guam Memorial Hospital Authority Risk Assessment Initiative & Ransomware Enforcement Action

Seven days after announcing the NERAD Risk Analysis enforcement action and settlement, OCR reaffirmed its commitment to enforcement of the Risk Analysis enforcement when it announced its first HIPAA settlement under the new Trump Administration with GMHA, a public hospital on the U.S. Territory, island of Guam, on April 17, 2025.

The seventh Risk Analysis Initiative enforcement action and eleventh ransomware enforcement action announced by OCR, the GMHA settlement arose from OCR’s investigation of two complaints alleging that GMHA impermissibly allowed the disclosure of ePHI of GMHA patients. OCR originally initiated its investigation in response to a January 2019 complaint alleging that GMHA experienced a ransomware attack affecting the ePHI of approximately 5,000 individuals. During the investigation, OCR received another complaint in March 2023 alleging that hackers accessed patient records. OCR’s investigation determined that GMHA had failed to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to ePHI held by GMHA.

Under the terms of the resolution agreement, GMHA paid OCR $25,000 and agreed to implement a corrective action plan that OCR will monitor for three years. In the corrective action plan, GMHA must take a number of steps to ensure compliance with the HIPAA Security Rule and protect the security of ePHI, including:

  • Conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI;
  • Develop and implement a risk management plan to address and mitigate security risks and vulnerabilities identified in its risk analysis;
  • Develop a written process to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports;
  • Develop, maintain, and revise, as necessary, written policies and procedures to comply with the HIPAA Privacy, Security and Breach Notification Rules;
  • Augment its existing HIPAA and security training program so all workforce members with access to PHI understand the HIPAA requirements and GMHA’s HIPAA policies and procedures;
  • Enhance workforce security and information access management by reviewing all access credentials that have been granted access to ePHI; and
  • Conduct breach risk assessments and provide evidence to OCR that all breach notification obligations have been conducted.

Required & Recommended Actions To Promote Defensibility Of Risk Analysis Compliance  

With cyberattacks targeting health care and other Regulated Entities soaring and OCR stepping up its scrutiny of Regulated Entities’ Risk Analysis compliance in audits and enforcement actions, each health care provider and other Regulated Entity should review and tighten its Risk Analysis practices and documentation to reduce its susceptibility to potential breaches and to promote its ability to defend its compliance with the Risk Analysis requirements in the event of a breach investigation or audit.

Fulfill Current Risk Analysis Standards

To fulfill the “Risk Analysis” implantation specification, the Security Management Process Standard requires Regulated Entities enforce appropriate administrative, physical, and technical safeguards for the confidentiality, integrity, and security of electronic protected health information (“ePHI”) based on an up-to-date conduct of an up-to-date accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by that organization (“Risk Analysis”).

The Security Rule requires Regulated Entities to document each Risk Analysis in writing, to keep Risk Analysis documentation for six years, and to provide Risk Analysis documentation to OCR upon request.

Among other things, the Risk Analysis implementation standard requires regulated entities adequately to:

  • Identify where ePHI is located in the organization, including how ePHI enters, flows through, and leaves the organization’s information systems.
  • Integrate Risk Analysis and risk management into the organization’s business processes.
  • Ensure that audit controls are in place to record and examine information system activity.
  • Implement regular reviews of information system activity.
  • Utilize mechanisms to authenticate information to ensure only authorized users are accessing ePHI.
  • Encrypt ePHI in transit and at rest to guard against unauthorized access to ePHI when appropriate.
  • Incorporate lessons learned from incidents into the organization’s overall security management process.
  • Provide workforce members with regular HIPAA training that is specific to the organization and to the workforce members’ respective job duties.
Follow Proposed Rules & Enforcement Actions To Mitigate Risks

The proposed rule published by OCR on December 27, 2024, seeks to clarify and expand the original requirements of the Risk Assessment implementation standard based on OCR’s past HIPAA Security and Breach Rule investigation and enforcement experience.  Under the proposed rule, a Regulated Entity’s Risk Analysis also would be required to include:

  • Require the development and revision of a technology asset inventory and a network map that illustrates the movement of ePHI throughout the regulated entity’s electronic information system(s) on an ongoing basis, at least once every 12 months and in response to a change in the regulated entity’s environment or operations that may affect ePHI.
  • Require greater specificity for conducting a risk analysis, including a written assessment that contains, among other things:
    • A review of the technology asset inventory and network map;
    • Identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI;
    • Identification of potential vulnerabilities and predisposing conditions to the regulated entity’s relevant electronic information systems;
    • An assessment of the risk level for each identified threat and vulnerability, based on the likelihood that each identified threat will exploit the identified vulnerabilities; and
    • A review of the technology asset inventory and network map.

Other changes included in the proposed rule would further heighten the Risk Analysis and other Security Standard requirements for Regulated Entities. For instance, the proposed rule would require Regulated Entities:

  • To establish written procedures to restore the loss of certain relevant electronic information systems and data within 72 hours;
  • To perform an analysis of the relative criticality of their relevant electronic information systems and technology assets to determine the priority for restoration;
  • To establish written security incident response plans and procedures documenting how workforce members are to report suspected or known security incidents and how the regulated entity will respond to suspected or known security incidents;
  • To implement written procedures for testing and revising written security incident response plans;
  • To conduct a compliance audit at least once every 12 months to ensure their compliance with the Security Rule requirements;
  • To require business associates to verify at least once every 12 months for covered entities (and that business associate contractors verify at least once every 12 months for business associates) that they have deployed technical safeguards required by the Security Rule to protect ePHI through a written analysis of the business associate’s relevant electronic information systems by a subject matter expert and a written certification that the analysis has been performed and is accurate;
  • To encrypt ePHI at rest and in transit, with limited exceptions;
  • To establish and deploy technical controls for configuring relevant electronic information systems, including workstations, in a consistent manner including deployment of anti-malware protection, removal of extraneous software, and disabling network ports in accordance with the regulated entity’s risk analysis;
  • Use of multi-factor authentication, with limited exceptions;
  • Vulnerability scanning at least every six months and penetration testing at least once every 12 months;
  • Network segmentation;
  • Separate technical controls for backup and recovery of ePHI and relevant electronic information systems;
  • To review and test the effectiveness of certain security measures at least once every 12 months, in place of the current general requirement to maintain security measures;
  • Business associates to notify covered entities (and subcontractors to notify business associates) upon activation of their contingency plans without unreasonable delay, but no later than 24 hours after activation;
  • Group health plans to include in their plan documents requirements for their group health plan sponsors to: comply with the administrative, physical, and technical safeguards of the Security Rule; ensure that any agent to whom they provide ePHI agrees to implement the administrative, physical, and technical safeguards of the Security Rule; and notify their group health plans upon activation of their contingency plans without unreasonable delay, but no later than 24 hours after activation.

To help Regulated Entities understand and fulfill these responsibilities, OCR alone and in conjunction with the Office of the National Coordinator for Health Information Technology (“ONC”) also has published guidance like the HIPAA Security Risk Assessment (SRA) Tool.  OCR guidance reflects that fulfillment of the Tool can help Regulated Entities may help defend but does not guarantee fulfillment of the Risk Assessment requirements, as the adequacy of the Risk Assessment always depends upon the unique facts and circumstances of the Regulated Entity at a particular time.  This guidance confirms the importance of conducting timely and appropriate Risk Analysis in a manner that shows the Regulated Entity appropriately evaluated the risks to its e-PHI and acted reasonably in designing, administering, and updating that Risk Analysis to reasonably defend its e-PHI against breaches or other susceptibilities.

Since OCR’s guidance makes clear that the adequacy of a Regulated Entity’s Risk Analysis and other HIPAA Security compliance based on its evaluation and response to known and suspected susceptibility threats as conducted and documented pursuant to the Risk Analysis rule, health care providers and other Regulated Entities should view Risk Analysis as a ongoing process. While the Security Rule does not currently dictate how frequently a regulated entity must perform Risk Analysis, a proposed rule published by OCR on December 27, 2024 seeks to amend the existing Security Rule to expand the requirement to require regulated entities to develop and revise a technology asset inventory and a network map that illustrates the movement of ePHI throughout the regulated entity’s electronic information system(s) on an ongoing basis, at least once every 12 months and in response to a change in the regulated entity’s environment or operations that may affect ePHI.  Although OCR has not yet officially adopted this and other changes contained in the proposed rule, substantial evidence exists that it already regularly administers the Risk Analysis requirement with the expectation that regulated entities will perform Risk Analysis at least this frequently. For instance, current OCR resolution agreements require impacted organizations to conduct Risk Analysis to identify and address vulnerabilities at least annually, and more frequently as needed in response to signs of potential breach or susceptibility. Likewise, since OCR developed the proposed rule from its past enforcement experience, wise Regulated Entities also will recognize the value of drawing upon the changes set forth in the proposed rule for helpful insights to strengthen the security of their ePHI generally and promoting the defensibility of the adequacy of their Risk Assessments.

Use Appropriate Process To Audit, Update & Strengthen Risk Defensibility

With the continued explosion in ransomware and other cyberthreats heightening the risk of experiencing a breach or other incident likely to draw the attention of OCR, each health plan or other Regulated Entity should take assess and confirm the adequacy of their current Risk Analysis, both to protect its ePHI and to promote its ability to defend its compliance with the HIPAA Security Rule’s Risk Analysis and other requirements in light of OCR’s heightened emphasis on Risk Analysis compliance and enforcement. For purposes of conducting this analysis, Regulated Entities generally will want to use a process like the following to structure their evaluation of their existing Risk Analysis to take advantage of the opportunity to use attorney-client privilege and other evidentiary rules to help protect discoverability of sensitive discussions about possible deficiencies in their existing Risk Analysis and discussions about potential tradeoffs considered in current or future Risk Analysis response:

  • Engage legal counsel experienced with HIPAA and other cybersecurity-related risks and liabilities to advise and assist your organization in designing and administering your Risk Analysis processes and response within the scope of attorney-client privilege;
  • Appoint and designate leadership and technical leadership for team responsible for design and administration of your organization’s initial and ongoing cybersecurity Risk Analysis and response (“Cyber-Risk Team”) and process for board and senior management reporting of the Cyber-Risk Team;
  • Select and engage outside consulting service providers, cyber-liability insurers and other risk service providers expected to participate in the process; work with qualified legal counsel to contract with these business associates to include the business associate agreement and other reassurances required by the HIPAA Privacy, Security and Breach Notification Rule and other performances, cooperation to provide and back services in accordance with agreed-upon protocols in the contract;
  • Train Cyber-Risk Team in the appropriate processes for working with internal teams, outside service providers, leadership, and designated legal counsel to conduct Risk Analysis, investigation and response using attorney-client privilege and other evidentiary tools and processes to maximize defensibility;
  • Require the Cyber-Risk Team conduct an updated, document assessment of cyber-risk within scope of attorney-client privilege and work with legal counsel to develop a documented cyber-risk policy that captures analysis and determinations for your justification for the size, scope and timing of your periodic Risk Analysis and rules and processes for interim risk identification, reassessments and response in reaction to potential cyber-risk signs between periodic Risk Analysis for presentation and approval by the Board taking into account the insights from published final and proposed guidance, enforcement actions and industry standards;
  • Require, oversee and enforce Cyber-Risk Team’s documented administration of the initial and subsequently required Risk Analysis and response pursuant to the adopted cyber-risk policy to identify vulnerabilities and work with legal counsel within the scope of privilege to document your analysis and justifications for addressing identified vulnerabilities and other required actions in response to identified susceptibilities or event;
  • Review adequacy of incident detection and response arrangements, including reporting and response mechanisms, insurance and indemnification protection, and other critical elements for mitigation and recovery; and
  • Other actions as warranted based on advice of counsel taking into account emerging threats, guidance, and risk susceptibility.

Although civil monetary penalties or settlements are the most common sanction imposed for HIPAA Security and Breach Notification rule violations, willful and certain other violations of HIPAA can trigger criminal liability subject to the Federal Sentencing Guidelines. Consequently, beyond fulfilling the specific requirements of HIPAA, an adequate Risk Assessment also can be an invaluable tool for helping mitigate Federal Sentencing Guideline exposures of a Regulated Entity and its leaders under the Federal Sentencing Guidelines Organizational Liability rules.

Beyond these specific HIPAA-associated exposures, Regulated Entities and their leaders should keep in mind that HIPAA is likely only one of many laws that define their responsibilities to secure, report, and respond to breaches of ePHI or other sensitive data. Depending on the location, nature and other circumstances, Regulated Entities and their leaders also may have additional responsibilities and liability exposures under a variety of other federal and state laws, ethical or other professional standards, and contractual obligations. For instance, inadequate data safeguards for ePHI also can trigger liability under the Fair and Accurate Credit Transactions Act, the Federal Trade Commission Act, and various electronic crimes statutes. The Securities and Exchange Commission rules can trigger disclosure and other obligations for publicly traded hospital or other health care providers, insurers, or their business associates. Health care providers, payers and others are likely to face specific additional health care or insurance-specific licensing and ethics rules, as well as other confidential information privacy, cybersecurity and breach reporting obligations and liability under various state statutes and regulations. Regulated Entities and their leaders generally will want to fully evaluate and manage these risks in conjunction with their compliance with the Risk Analysis and other requirements of the HIPAA Security and Breach Notification Rules.

The author of this update, Cynthia Marcotte Stamer is nationally known and celebrated for her experience providing advice and representation to health care providers, health insurers, employers and other health plan sponsors, health plans, health plan fiduciaries and administrators, third party administrators, human resources and health plan technology, and other businesses about HIPAA and other compliance, risk management and operational matters. If you have questions or need advice or help evaluating or addressing these or other compliance, risk management, or other concerns, contact her.

For More Information

We hope this update is helpful. For more information about these or other health or other employee benefits, human resources, or health care developments, please contact the author, Cynthia Marcotte Stamer, via e-mail or telephone at (214) 452-8297.

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Cynthia Marcotte Stamer is a Martindale-Hubble AV-Preeminent (highest/top 1%) practicing attorney recognized as a “Top Woman Lawyer,” “Top Rated Lawyer,” and “LEGAL LEADER™” in Health Care Law and Labor and Employment Law; among the “Best Lawyers In Dallas” in “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law recognized for her experience, scholarship, thought leadership and advocacy on HIPAA and other data and technology use, security and compliance in connection with her work with health care and life sciences, employee benefits, insurance, education, technology and other highly regulated and performance-dependent clients.

Board certified in labor and employment law by the Texas Board of Legal Specialization and a Fellow in the American College of Employee Benefits Counsel, Ms. Stamer works with these and other highly regulated or data and performance reliant businesses to design, risk manage, and defend their employment and other workforce, data and technology and other operations to promote legal and operational compliance, reduce regulatory and other liability and promote other operational goals.

Along with her decades of legal and strategic consulting experience, Ms. Stamer also contributes her leadership and experience to many professional, civic and community organizations. She currently serves as Co-Chair of the ABA Real Property Trusts and Estates (“RPTE”) Section Welfare Plan Committee, Co-Chair of the ABA International Section International Employment Law Committee and its Annual Meeting Program Planning Committee, Chair Emeritus and Vice Chair of the ABA Tort Trial and Insurance (“TIPS”) Section Medicine and Law Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee.

Additionally,more her ABA involvements include than a decade of service as a Scribe for the Joint Committee on Employee Benefits (“JCEB”) annual agency meetings with the Department of Health and Human Services and JCEB Council Representative, International Section Life Sciences Committee Chair, RPTE Section Employee Benefits Group Chair and a Substantive Groups Committee Member, Health Law Section Managed Care & Insurance Interest Group Chair, as TIPS Section Medicine and Law Committee Chair and Employee Benefits Committee and Workers Compensation Committee Vice Chair, Tax Section Fringe Benefit Committee Chair, and in various other ABA leadership capacities. Ms. Stamer also is a former Southwest Benefits Association Board Member and Continuing Education Chair, SHRM National Consultant Board Chair and Region IV Chair, Dallas Bar Association Employee Benefits Committee Chair, former Texas Association of Business State, Regional and Dallas Chapter Chair, a founding board member and Past President of the Alliance for Healthcare Excellence, as well as in the leadership of many other professional, civic and community organizations. She also is recognized for her contributions to strengthening health care policy and charitable and community service resolving health care challenges performed under PROJECT COPE Coalition For Patient Empowerment initiative and many other pro bono service involvements locally, nationally and internationally.

Ms. Stamer is the author of many highly regarded works published by leading professional and business publishers, the ABA, the American Health Lawyers Association, and others. Ms. Stamer also frequently speaks and serves on the faculty and steering committee for many ABA and other professional and industry conferences and conducts leadership and industry training for a wide range of organizations.

For more information about Ms. Stamer or her health industry and other experience and involvements, see http://www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press™

Solutions Law Press™ provides health care, insurance, human resources and employee benefit, data and technology, regulatory and operational performance, and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education. These include extensive resources on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press™ resources or training.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or an admission. Solutions Law Press and its authors reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often rapidly evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. Solutions Law Press and its authors disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2025 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press.™ For information about licensing for republication, please contact the author directly. All other rights reserved.

Leave a Comment » | Conditions of Participation, Health Care, Health Care Provider, Health Care Quality, Health Insurance Exchange, Health IT, home health, Mental Heatlh, OCR | Tagged: , , , , , , , , , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

$11 Million False Claims Act Cybersecurity Settlement Reminds Health Plas HIPAA Isn’t Only Cyberbreach Exposure

March 17, 2025

The more than $11 million Health Net Federal Services Inc. (“HNFS”) and its corporate parent Centene Corporation, have agreed to pay under a settlement resolving claims that HNFS falsely certified compliance with cybersecurity requirements in a contract with the U.S. Department of Defense (“DoD”) reminds health industry organizations that Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) is only one of many federal statutes under which their organizations and their leaders can incur liability for cybersecurity breaches or other deficiencies. As the HNFS settlement makes clear, for instance, HIPAA Entities and other businesses that violate conditions of participation or contractual requirements for federal program participation also risk potential significant liability for deficiency in their compliance with data security, privacy or other cybersecurity requirements of those programs.

HIPAA Important But Not Only Cyber Liability Risk For Health Industry Organizations

Most health care providers, health insurers and other health plans, healthcare clearinghouses (“Covered Entities”) and their business associates (collectively, “HIPAA Entities”) recognize the importance of complying with the national standards for the protection of individuals’ electronic protected health information (“ePHI”) set forth in HIPAA Privacy, Security, and Breach Notification Rules (the “HIPAA” Rules”) to minimize or avoid painful civil monetary penalties or even criminal liability HIPAA authorizes for violations of HIPAA.

While the lengthy and growing list of HIPAA civil monetary penalties and resolution agreements obtained by the Department of Health and Human Services (“HHS”) Office of Civil Rights found to have violated the Security or other requirements of the HIPAA Rule shows the continued importance for HIPAA Entities to maintain HIPAA compliance, enforcement actions like the HNFS drive home that HIPAA Entities should not ignore other important cybersecurity obligations arising from the cybersecurity requirements created under terms of participation applicable to federal programs, or other applicable laws or statutes.

HNFS False Claims Act Cyber Liability Settlement

The HNFS enforcement action and settlement reveals False Claims Act liability as another significant cyber liability risk for health care providers, health care exchange insurers, Medicare Advantage, Medicaid Advantage, SCHIP, TRICARE and other military health, health technology, and other health industry organizations and their business associates and other subcontractors, who are government contractors or grant recipients.

The Justice Department previously has warned federal contractors that failing to fulfill or falsely certifying their compliance with required cybersecurity standards applicable to their contracts or programs could expose them to civil liability for violation of the False Claims Act[1] (“FCA”).  On October 6, 2021, then Deputy Attorney General Lisa O. Monaco announced a Civil Cyber-Fraud Initiative would use the FAC to hold accountable government contractors and grant recipients that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches applicable to their federal contracts or programs.

To violate the FCA, the government contractor or other accused person must have submitted, or caused the submission of, the false claim or made a false statement or record with knowledge of the falsity.  Under Section 3729(b)(1), knowledge of false information is defined as being (1) actual knowledge, (2) deliberate ignorance of the truth or falsity of the information, or (3) reckless disregard of the truth or falsity of the information.

The Department of Justice obtained more than $2.9 billion in settlements and judgments from civil cases involving fraud and false claims against the government in the fiscal year ending Sept. 30, 2024.   Under the FCA, government contractors or other persons violating the FCA generally are liable to pay the United States three times the government’s damages plus a penalty that is linked to inflation for knowingly submitting or causing another to submit a false claim to the government; making a false record or statement to get a false claim paid by the government; acting improperly to avoid having to pay money to the government; or conspiring to violate the FCA.  In addition to allowing the United States to pursue FCA violations on its own, the FCA allows private citizens to file “qui tam” suits on behalf of the government against violators of the FCA.  Private citizens who successfully bring qui tam actions may receive a portion of the government’s recovery. Many Justice Department FCA and other fraud  investigations and lawsuits arise from such qui tam actions.

While the Justice Department’s announcement of the HNFS settlement did not expressly reference the Civil Cyber-Fraud Initiative, the action and statements made by Justice Department officials in connection with its announcement reflect that the Justice Department remains committed to using the False Claims Act to hold federal government health care and other contractors, subcontractors, and grant recipients accountable for failing to comply with applicable federal cybersecurity requirements.

Beginning in 2010, HNFS contracted with the DOD to provide managed healthcare support services for the TRICARE program in approximately 22 states. The support services included administrative support services, provider network development, referral management, enrollment support, and claims processing services. In 2016, Centene succeeded to these contractual obligations when it acquired all of the shares of Health Net Inc., HNFS’s corporate parent, and assumed the liabilities of HNFS. Consistent with applicable conditions for participation in the program, HNFS’s contract with the DOD required HNFS to comply with DOD data security and privacy requirements and to periodically certify that compliance.

The TRICARE contract required HNFS to “provide information management and information technology support as needed to accomplish the stated functional and operational requirements of the TRICARE program” and to adhere to certain privacy standards and cybersecurity requirements, including but not limited to 48 C.F.R. § 252.204-7012 and 51 security controls listed in the National Institute of
Standards and Technology Special Publication 800-53 (NIST 800-53), Security and Privacy Controls for Information Systems, Revision 4. The annual certification requirement included in the contract also required HNFS annually to certify both compliance with the standards and “that the security controls required by the contract are implemented correctly, operating as intended, and support the security policies of the Defense Health Agency.”

The settlement resolves DOD and Justice Department allegations that, between 2015 and 2018, HNFS failed to provide the cybersecurity controls required under its contract. Specifically, Justice Department charged that:

  • HNFS failed to timely scan for known vulnerabilities and remedy security flaws on its networks and systems, in accordance with its System Security Plan and response times established by HNFS;
  • HNFS ignored reports from third-party security auditors and its internal audit department of cybersecurity risks on HNFS’ networks and systems related to asset management; access controls; configuration settings; firewalls; end-of-life hardware and software in use; patch management (i.e., installing critical security updates released by vendors to counter known threats); vulnerability scanning; and password policies; and
  • HNFS falsely attested to DHA that it was in compliance with at least seven of the NIST 800-53 security controls listed in the NIST Compliance Certifications when it submitted those certifications to DHA

The Justice Department and DOD also charged HNFS with falsely certifying compliance with these controls in annual reports to DHA that were required under its contract to administer the TRICARE program.

As a result of these deficiencies, the Justice Department and Department of Defense claimed that HNFS’ claims for reimbursement under the Tricare contract were false, regardless of whether there was any exfiltration or loss of servicemember data or protected health information.

To resolve the alleged False Claims Act liability asserted by the government, HNFS and Centene Corporation agreed to pay $11,253,400 to the Department of Justice. The settlement agreement also expressly reserves the United States’ right to pursue any criminal charges arising from the conduct and limits HNFS and Centene from raising the settlement as a bar to any such criminal charges.

Statements made by Justice Department officials in its announcement of the HNFS settlement signal that the Justice Department remains committed to using the False Claims Act to hold government contractors and other recipients of federal funds accountable for failing to comply with cybersecurity requirements of their contracts.

The press release announcing the settlement quotes Acting Assistant Attorney General Brett A. Shumate, head of the Justice Department’s Civil Division as warning, “We will continue to pursue knowing violations of cybersecurity requirements by federal contractors and grantees to protect Americans’ privacy and economic and national security.”

Meanwhile, Cyber Field Office Special Agent in Charge Kenneth DeChellis of the Defense Criminal Investigative Service (DCIS), the law enforcement arm of the DoD Office of Inspector General also is quoted as stating, “DCIS will not be deterred from investigating contractors that fail to comply with federal cybersecurity requirements and risk exposing protected information vulnerable to criminal hackers. The U.S. taxpayers who fund these government contracts expect no less.”

Taken together with the HNFS enforcement action and resulting settlement, these statements provide a strong warning for health industry and other government contractors that their failure to comply with cybersecurity requirements in their federal contracts or grants could lead to prosecution under the False Claims Act in addition to otherwise applicable liabilities arising under HIPAA or other federal or state laws. Accordingly, health care organizations; Medicare, Medicaid, SCHIP, TRICARE and Federal Health Insurance Exchange program contractors; and other federal government contractors, subcontractors and grant recipients also should ensure their ability to defend their ongoing compliance with any data security, privacy or other federal cybersecurity requirements to guard against potential False Claims Act liability for noncompliance with these contractual responsibilities.

The author of this update, Cynthia Marcotte Stamer is an American College of Employee Benefits Counsel Fellow and attorney board certified in Labor and Employment Law by the Texas Board of Legal Specialization, who has decades of experience advising health care providers, Medicare and Medicaid Advantage and other public and private health plans and plan sponsors, government contractors and grant recipients, and their technology, data, third party administrators, and other managed care and other health care, defense, technology, life sciences and other clients about HIPAA and other protected health information, trade secret, personal information and other cybersecurity and other data and systems use, protection, andthese and other federal and state program design, contracting, quality, technology, reimbursement, licensing and accreditation, compliance, enforcement, governmental affairs, dispute resolution, and other compliance, risk management and operational matters. If you have questions or need advice or help evaluating or addressing these or other compliance, risk management, or other concerns, contact her. 

For More Information

We hope this update is helpful. For more information about the  or other health or other employee benefits, human resources, or health care developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452-8297.

Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for her more than 35 years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications including leading edge work on workforce and other risk management and compliance.

Ms. Stamer’s work throughout her career has focused heavily on working with health care, health insurance and managed care, insurance and financial services, defense contractors, and other workforce and data sensitive businesses domestically and internationally on employment, benefits, data and other knowledge use and protection, Federal Sentencing Guidelines and other workforce and heath care management, internal and operational controls, regulatory and public policy and other legal and operational concerns.  As a part of this work, she has had extensive involvement in the design, enforcement, investigation, mitigation and defense of trade secret and other information privacy and confidentiality, HRIS, claims, electronic medical records, payment, and other systems and technologies; HIPAA and other health industry, DOD,  FACTA, GLB, EU, and other data privacy and security, trade secret and other confidential information; and other information privacy and security laws, policies, practices, contracts and requirements. 

In addition, Ms. Stamer serves as a Scribe for the American Bar Association (“ABA”) Joint Committee on Employee Benefits annual agency meetings with OCR and shares her thought leadership as International Section Life Sciences Committee Vice Chair, and a former Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. 

Author of many highly regarded compliance, training and other resources on cybercrime and other data privacy and security, health and other employee benefits, health care, insurance, workforce and other risk management and compliance, Ms. Stamer is widely recognized for her thought leadership and advocacy in these matters.  

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides health care, human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on health care, leadership, governance, human resources, employee benefits, data security and privacy, insurance, and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources. 

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. The author and Solutions Law Press, Inc. disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

[1]31 U.S.C. §§ 3729 – 3733.

Leave a Comment » | CHIP, Cyber crime, data breach, data security, Department of Defense, DOD, false claims act, Government contractor, Grant recipients, Health Care, Heath Care Exchange, HHS, HIPAA Cyber Crime, Medicaid Advantage, Medicare Advantage, TRICARE | Tagged: , , , , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

New HIPAA Settlement Warns Providers & Health Plans Against Improper Disclosure Of Reproductive Health Information & To Update Notices, Practices & Policies For New Rules

December 3, 2024

A just-announced settlement warns health care providers, health plans, healthcare clearinghouses and their business associates (“Covered Entities”) to fulfill their responsibility to ensure the privacy of patient reproductive health and other personally identifiable health care information (“PHI”) under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) HIPAA Privacy, Security, and Breach Notification Rules (the “Privacy Rules”). Covered Entities should ensure they have updated their policies, privacy notices, training and practices to comply with changes with the Privacy Rules made by the HIPAA Privacy Rule to Support Reproductive Health Care Privacy Final Rule (the “Reproductive Privacy Rule”) adopted in April.

Covered Entities Required To Update Policies To Comply With New Reproductive Privacy

The HIPAA Privacy Rule enforced by Department of Health and Human Rights Office for Civil Rights (“OCR”) establishes national standards to protect individuals’ medical records, requires appropriate safeguards to protect the privacy of protected health information and sets limits and conditions on the uses and disclosures that may be made of such information without an individual’s authorization, (such as disclosures for health oversight activities or for law enforcement purposes), and gives individuals rights such as the ability to access their own medical records. 

On April 22, 2024, OCR adopted the Reproductive Privacy Rule to expand protections for reproductive health care privacy and other reproductive rights following the Supreme Court’s landmark abortion decision in Dobbs v. Jackson. The Reproductive Privacy Rule:

  • Requires Covered Entities to modify their Notice of Privacy Practices to support reproductive health care privacy;
  • Prohibits the use or disclosure of PHI when it is sought to investigate or impose liability on individuals, health care providers, or others who seek, obtain, provide, or facilitate reproductive health care that is lawful under the circumstances in which such health care is provided, or to identify persons for such activities;
  • Requires a regulated health care provider, health plan, clearinghouse, or their business associates, to obtain a signed attestation that certain requests for PHI potentially related to reproductive health care are not for these prohibited purposes.

Covered Entities that have not already done so should review and update their policies, privacy notices, procedures and practices to ensure their compliance with these updated requirements.

New Holy Redeemer Reproductive Privacy Settlement

The new settlement with Pennsylvania hospital Holy Redeemer Family Medicine (“Holy Redeemer”) announced December 2, 2024, resolves charges that Holy Redeemer violated HIPAA by impermissibly disclosing reproductive health care and other PHI about a female patient. The settlement arose from a September 2023 complaint received by OCR that Holy Redeemer impermissibly disclosed surgical history, gynecological history, obstetric history, and other sensitive health information concerning reproductive health care of a female patient to the patient’s prospective employer when the patient only authorized Holy Redeemer to send one specific test result unrelated to her reproductive health to that prospective employer. OCR’s investigation found that Holy Redeemer disclosed the patient’s full medical record, including information concerning her reproductive health care without the patient’s authorization for the broad disclosure of her PHI. OCR also found that the disclosure was not otherwise permitted under the Privacy Rule.   

Under the terms of the resolution agreement, Holy Redeemer paid $35,581 and agreed to implement a corrective action plan that identifies specific steps it will take to comply with the HIPAA Rules and protect patient privacy to prevent this from happening again. OCR will monitor the implementation of this corrective action plan for two years.

The Holy Redeemer Settlement demonstrates the advisability for each Covered Entity to ensure that its policies, privacy notices, training, practices and other controls for protecting the wrongful use, access or disclosure of reproductive and other sensitive health care information are up to date and defensible. The author of this update, Cynthia Marcotte Stamer has worked extensively with covered entities and business associates on these and other HIPAA and other compliance and risk management.

Along with their exposure to civil monetary penalties under HIPAA, improper sharing of reproductive health or other personal health care information also could expose health care providers to ethical or licensing discipline, malpractice invasion of privacy or other civil suits and other liabilities. While the preemption provisions of the Employee Retirement Income Security Act (“ERISA”) generally insulate employment-based insured and self-insured health plans and their fiduciaries against state law invasion of privacy and other state tort claims, employment-based health plans, their fiduciaries, insurers and administrators breaching the Privacy Rule risk liability under HIPAA as well as ERISA breach of fiduciary duty. Where ERISA preemption does not apply, insurers, brokers or other insurance industry businesses violating these rules likewise also can face licensing or other regulatory discipline as well as potential damage liability for invasion of privacy and other tort claims.

If you have questions or need advice or help evaluating or addressing your HIPAA compliance or other concerns, contact her.

For More Information

We hope this update is helpful. For more information about the  or other health or other employee benefits, human resources, or health care developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452-8297.

Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for her more than 35 years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications including leading edge work on PBM, pharmacy and pharmaceutical and other health care, managed care, insurance, and insured and self-insured contracting, design, administration and regulation.. 

Author of numerous highly regarded works on PBM and other health plan contracting and design,  Immediate Past Chair of the ABA International Section Life Sciences Committee and the Tort Trial and Insurance Practice Section Medicine and Law Committee, past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and past Group Chair and current Welfare Benefit Committee Co-Chair of the ABA RPTE Employee Benefits & Other Compensation Group, Ms. Stamer is most widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on health and other privacy and data security and other health industry legal, public policy and operational concerns. 

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with HIPAA and other legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. 

As a part of this work, she has continuously and extensively worked with domestic and international health plans, their sponsors, fiduciaries, administrators, and insurers; managed care and insurance organizations; third party administrators and other health benefit service providers; hospitals, health care systems and other health care providers, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; EMR, claims, payroll and other technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, self-insured health and other employee benefit plans, their sponsors, fiduciaries, administrators and service providers, insurers and other payers, health industry advocacy and other service providers and groups and other health and managed care industry clients as well as federal and state legislative, regulatory, investigatory and enforcement bodies and agencies.

Author of many highly regarded compliance, training and other resources on HIPAA and other risk management and compliance, Ms. Stamer is widely recognized for her thought leadership on HIPAA and many other health care, health plan and other health industry matters. 

In addition, Ms. Stamer serves as a Scribe for the American Bar Association (“ABA”) Joint Committee on Employee Benefits annual agency meetings with OCR and shares her thought leadership as International Section Life Sciences Committee Vice Chair, and a former Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources. 

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstance at the particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often rapidly evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. The author and Solutions Law Press, Inc. disclaim and have no responsibility to provide any update or otherwise notify anyone of any  fact or law specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2024 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.



Leave a Comment » | Academic medicine, business associate, Doctor, Electronic Health Records, Employee Benefits, Employment, Health Care, Health Care Provider, Health Insurance, Health Insurance Exchange, Health IT, Health Plan, Health Plans, healthcare, HHS, HIPAA, HIPAA Cyber Crime, Home Health, home health, Hospice, Hospital, Hospital, Inpatient Rehabilitation, Licensing, Medical Licensure, Medical Privacy, Medical Records, Medicare, Medicare Advantage, Mental Health, Mental Heatlh, OCR, Patient Empowerment, Patients, Physician, Physician Licensing, Privacy, Reproductive Rights, Rural Health Care | Tagged: , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

High Dollar Civil Monetary Penalties Warn HIPAA-Covered Heath Providers, Health Plans & Healthcare Clearinghouses To Ensure Timely Medical Record Access

August 5, 2024

The more than $560,000 in civil monetary penalties (“CMPs”) collected since March by the Department of Health and Human Services (“HHS”) Office of Civil Rights (“OCR”) from three HIPAA-covered entities for failing to respond to medical record requests within 30 days as required by the Health Insurance Portability & Accountability Act (“HIPAA”) right of access rule (“Access Rule”) shows patients, their personal representatives and health care providers, health plans, health care clearinghouses (“Covered Entities”) the seriousness of OCR’s commitment to enforcement of the Access Rule.

On August 2, 2024, OCR announced emergency medical provider American Medical Response (“AMR”) paid a $115,200 civil monetary penalty (“AMR CMP”) for waiting 370 days before delivering medical records requested by a patient’s personal representative.  OCR’s AMR CMP announcement follows its April 1, 2024 announcement Hackensack Meridian Health, West Caldwell Care Center (“Hackensack Meridian Health”) paid a $100,000 CMP (“HMH CMP”) for waiting 161 days to provide medical records requested by a patient’s personal representative and March 29, 2024 announcement of its agreement to accept payment of $35,000 in satisfaction the previously assessed $250,000 CMP against Phoenix Healthcare LLC d/b/a Green County Care Center (“Phoenix”) for Access Rule violations.  With these three actions, OCR collected $565,000 in CMPs for Access Rule violations since March 29, 2024, and has announced a total of 49 high-dollar Access Rule CMP or settlement collections since announcing its Access Rule enforcement initiative in 2019.

OCR’s pursuit of CMPs in excess of $100,000 against each of these three entities for failing to respond to a single request for patient records makes clear OCR’s readiness to investigate and pursue big dollar penalties against Covered Entities for even a single failure to deliver documents to a requesting patient or personal representative.  In light of OCR’s clear commitment holding all Covered Entities accountable for Access Rule compliance, all Covered Entities should recognize the importance of timely responding to each access request in accordance with the Access Rule to avoid similar CMP exposure for their organizations.

HIPAA Right Of Access Rule

HIPAA’s Privacy Rule right of access (“Access Rule”) is part of the national standards that HIPAA Privacy, Security, and Breach Notification Rules (“Privacy Rule”) require that Covered Entities and their business associates meet for protecting to protect individuals’ protected health information (“PHI”), limit uses and disclosures of PHI, and give individuals the right to timely access and to obtain a copy of their PHI records and certain other rights.  Like other Privacy Rule violations, Access Rule violations can subject a Covered Entity or business associate to expensive HIPAA civil monetary penalties (“CMPs”).

The Access Rule codified in 45 C.F.R. 164.524 generally requires that a Covered Entity to respond to a request from an individual or its personal representative to access or for a copy of protected health information (“PHI”) in any records set of a Covered Entity or its business associate within 30 days of receipt of the individual’s request.  OCR Access Rule guidance makes clear OCR views this deadline as the maximum allowed period

The Covered Entity can respond to a right of access request by granting or denying the request in whole or in part, or if it is unable to provide the records within 30 days for a legitimate reason, the Access Rule allows the Covered Entity a one-time 30-day extension of the response timeframe by sending the requestor a written statement of the reasons for the delay and the date within the extended response deadline by which the Covered Entity will complete its action on the request. 45 C.F.R. § 164.524(b)(2).

The Access Rule also contains specific guidance governing the calculation of the allowable fee, if any, the Covered Entity can charge for providing the PHI to a reasonable cost-based fee calculated following the Access Rule.  It also sets forth other requirements about the manner and format in which the Covered Entity must deliver the PHI.

OCR is responsible for implementing the Privacy Rules and enforcing non-criminal violations of its requirements.  When OCR finds violations of the Access Rule or other HIPAA violations, HIPAA as amended by the HITECH Act,1 generally authorizes OCR to impose and collect a CMP determined based on the following penalty schedule, with adjustments for inflation:

  • A minimum of $100 for each violation where the Covered Entity or business associate did not know and, by exercising reasonable diligence, would not have known that it violated the HIPAA provision, provided the total amount of CMPs imposed on the Covered Entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $25,000.
  • A minimum of $1,000 for each violation due to reasonable cause and not to willful neglect, except that the total amount imposed on the Covered Entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $100,000.
  • A minimum of $10,000 for each violation due to willful neglect and corrected within 30 days, except that the total amount imposed on the covered entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $250,000.
  • A minimum of $50,000 for each violation due to willful neglect and uncorrected within 30 days, except that the total amount imposed on the covered entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $1,500,000.

As required by law, OCR has adjusted the CMP ranges for each penalty tier for inflation.3 The adjusted amounts apply only to CMPs whose violations occurred after November 2, 2015.

$115,200 AMR CMP

According to the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) August 1, 2024 announcement of the AMR CMP, AMR paid OCR the $115,200 AMR CMP after OCR assessed the CMP in a Notice of Final Determination that AMR violated the Access Rule.

The Notice of Final Determination arose from an OCR investigation of a complaint made by an attorney (“the Patient’s Attorney”) on behalf of a patient transported by AMR alleging that AMR failed to provide a patient with timely access to its medical records after many failed attempts by the patient to obtain the records.

According to the Proposed Notice of Determination, the Patient’s Attorney sent AMR a fax on the patient’s behalf on October 31. 2018 asking for copies of a patient’s medical records including, “all billing records pertaining to treatment rendered for 9/15/2015 injury date; Patient Balance Verification; all medical records pertaining to treatment rendered for 9/15/2015 injury date” in electronic format to the patient’s attorney (“access request”). The access request was in writing, signed by the Patient’s Attorney, that clearly identified the Patient’s Attorney and where to send the copy of the Patient’s Attorney’s PHI. The Patient’s Attorney received a fax transmission report reflecting that AMR received her request on October 31, 2018. Although AMR uses an electronic health record (EHR) for its medical records and maintains the Patient’s Attorney’s requested PHI in its HER, it did not respond to this request by November 30, 2018, the date 30 days from receipt.

On November 8, 2018, the Patient’s Attorney also mailed a copy of her October 31, 2018, access request to AMR’s Seattle, Washington office via certified mail and received confirmation of delivery on November 13, 2018 from the United States Postal Service. The Patient’s Attorney also subsequently sent two follow-up requests for the PHI records on January 24, 2019.

Although AMR’s electronic medical record confirmed AMR received these requests, AMR did not respond to the Patient’s Attorney’s request until March 1, 2019, 121 days after the initial request, when AMR sent the Patient’s Attorney an invoice requiring payment of an access fee before AMR would provide the requested records to Complainant.

On March 18, 2019, the Patient’s Attorney then sent AMR another follow-up letter that reiterated the Patient’s Attorney’s multiple access requests and advised AMR that if AMR did not send the PHI to the Patient’s Attorney electronically within seven days the Patient’s Attorney would file a complaint with OCR.  Since AMR failed to deliver the requested records in electronic format within the specified period, the Patient’s Attorney filed a complaint with OCR on July 29, 2019, alleging that AMR violated the Access Rule by failing to provide a copy of the patient’s PHI in response to the Patient’s Attorney’s multiple access requests.

OCR’s October, 2019 investigation found AMR repeatedly failed to timely respond to the patient’s access request even though AMR had procedures in place for processing individuals’ written access requests.

In response to OCR’s investigation, AMR sent the requested records to the Patient’s Attorney on November 5, 2019, 370 days after the Patient’s Attorney’s initial request.

In response to OCR’s investigation, AMR also amended its internal procedures to streamline and better track access requests. OCR notified AMR of the results of OCR’s investigation on August 3, 2021, and offered AMR an opportunity to resolve the matter informally.  Rather than accepting this offer, however, AMR responded to OCR through counsel on August 9, 2021, asking OCR to “reconsider its position” without providing a counteroffer or otherwise engaging in negotiations with OCR. While OCR did not disclose the terms of its proposed offer of resolution, acceptance of this offer presumably would have allowed AMR to resolve the charges for an amount less than the $115,200 CMP ultimately imposed.

OCR then sent an April 15, 2022 Letter of Opportunity (LOO) to AMR, which informed AMR that OCR’s investigation indicated that AMR violated HIPAA’s Access Rule and providing AMR with an opportunity to submit written evidence of mitigating factors and affirmative defenses to this violation as well as evidence to support a waiver of a CMP for violating the Access Rule.  OCR determined AMR’s May 16, 2022 response to the LOO did not support any affirmative defense to the charges or grounds for waiver of the CMP but weighed AMR’s LOO response alleging mitigating factors in determining the amount of the CMP.

Based on these factual findings, OCR sent AMER a Notice of Proposed Determination that announced OCR’s intent to impose the $155,200 AMR CMP for its violation of the Access Rule by failing to provide timely access to the Patient’s Attorney after receiving her lawful requests.

Finding the Reasonable Cause penalty tier applicable for purposes of determining the CMP for  AMR’s Access Rule violation from December 1, 2018, to February 28, 2019, OCR calculated the AMR CMP as follows: $39,680 CMP Calendar Year 2018 (31 days from 12/1/18-12/31/18 at $1,280 per day); plus           $75.520 CMP Calendar Year 2019 (59 days from 1/1/19 to 2//19, at $1,280 per day) = $115,200 Total CMP

While AMR argued that OCR should exercise its discretion and choose not to apply any CMPs because of “multiple mitigating factors, OCR determined AMR’s arguments factually inaccurate and not meriting change of the CMP assessment from the reasonable cause level. Accordingly, OCR refused to reduce the original $115,200 based on alleged mitigating factors. 

After AMR did not challenge the determinations of OCR in the Notice of Proposed Determination within the allowed period, OCR issued the Final Notice of Determination imposing the $115,200 AMR CMP and AMR paid that amount.

Since as early as 2016, OCR has made Access Rule enforcement a priority.  Along with its assessment of the AMR CMP, OCR’s commitment to continued Access Rule enforcement is demonstrated by the 48 other previously announced Access Rule enforcement actions through July 31, 2024. 

$100,000 Hackensack Meridian Health CMP

Before it collected the AMR CMP, on April 1, 2024, OCR already had announced its collection of a $100,000 CMP from a New Jersey skilled nursing facility for violating the Access Rule in April.

Essex Residential Care, LLC, doing business as Hackensack Meridian Health, West Caldwell Care Center (“HMH”) is a skilled nursing facility that provides long-term care and rehabilitation services.

In May 2020, OCR received a complaint alleging that HMH failed to provide a personal representative with access to his mother’s medical records even after HMH received sufficient documentation that the patient’s son who requested the records as his mother’s personal representative.

OCR found that HMH failed to respond timely to a HIPAA right of access request. In September 2023, OCR issued a Notice of Proposed Determination (“HMHPD”) seeking to impose the $100,000 civil money penalty. When HMH waived its right to a hearing and did not contest OCR’s findings, OCR finalized the Notice of Final  Determination imposing the $100,000 CMP.

The OCR investigation found that when Peter Lindsay originally requested copies of the medical records of his mother, Lois Lindsey (“mother”) from WCCC in an April 19, 2020 email, WCCC responded with an April 22, 2020 e-mail denial that requested Mr. Lindsay provide WCCC a copy of a power of attorney, medical proxy or similar document executed by the mother establishing that he was his mother’s personal representative. However, when WCCC still failed to deliver the requested medical records after Mr. Lindsey sent a copy of his mother’s power of attorney via May 23, 2020 e-mail, Mr. Lindsey complained to OCR.

After OCR notified WCCC on October 15, 2020, its investigation of the complaint, WCCC acknowledged that it failed to respond to the complainant’s request for his mother’s medical records within 30 days of receiving the complainant’s written request for the records but still did not deliver the records until December 1, 2020, 161 days after the complainant’s request.

By letter dated March 25, 2022, OCR informed WCCC its investigation found that WCCC failed to provide timely access to protected health information and offered WCCC an opportunity to settle this matter informally.  Although OCR’s letter encouraged WCCC to contact OCR no later than ten days after receipt of the letter, OCR received no response until WCCC responded via e-mail through its attorney on April 29, 2022, that WCCC disagreed with OCR’s proposed resolution, OCR received an email correspondence from the WCCC’s attorney stating WCCC’s disagreement with OCR’s proposed resolution.  OCR then responded by issuing a May 16, 2022 Letter of Opportunity (LOO) informing WCCC that OCR found preliminary indications of non-compliance and providing WCCC with an opportunity to submit written evidence of mitigating factors, affirmative defenses, or waiver factors for OCR’s consideration in determining the CMP amount.

In the June 15, 2022 response to the LOO sent by WCCC’s attorney, WCCC acknowledged receipt of both the April 19, 2020, medical record request and the power of attorney emailed on April 23, 2020.  WCCC also admitted that instead of providing Mr. Lindsay with the requested medical record, WCCC instead sent a copy of the mother’s medical records to another facility to which Ms. Lindsay was transferred. WCCC’s attorney admitted WCCC should have handled the request differently but indicated at the time of the original request, both Mr. Lindsey and his mother were parties to ongoing litigation with WCCC over non-payment for care, that WCCC also was struggling with the COVID-19 pandemic, that Mr. Lindsey filed his complaint with OCR exactly 30 days after his e-mailed request before WCCC’s response to the initial request was due and asserted several affirmative defenses it claimed excused WCCC’s failure to provide the medical documents. 

Based on the above findings of fact, OCR calculated the WCCC CMP at the reasonable cause not corrected tier for WCCC’s failure to provide the requested medical records from June 23, 2020, to December 1, 2020.

WCCC also asserted various affirmative defenses and a right of waiver to avoid or mitigate the amount of the WCCC CMP, all of which OCR found unpersuasive.

  • Regarding WCCC’s assertion that HIPAA barred imposition of a CMP in this case, as a matter of law, under the HIPAA affirmative defense for a violation not due to willful neglect and timely corrected, OCR determined that the affirmative defense did not apply as WCCC did not timely correct the violation.  
  • OCR also rejected WCCC’s assertion that imposition of a CMP under these circumstances would be arbitrary and capricious and violate the Administrative Procedure Act (the Patient’s AttorneyA). 
  • OCR likewise found rejected WCCC’s claim that OCR should waive any possible CMP because assessment of the CMP would be excessive as WCCC only failed to timely respond to a single request for records access, submitted amidine the midst of litigation with the requesting party during the COVID-19 pandemic and WCCC’s personnel mistakenly believed that an appropriate, timely response to the complainant’s medical record request had been made through the transfer of the patient to another facility.

After WCCC waived its right to challenge these OCR determinations in an administrative hearing, OCR issued the Notice of Final Determination on January 12, 2024, which OCR publicly announced  on April 1, 2024.

Phoenix CMP Settlement

OCR’s WCCC CMP announcement came only three days after OCR announced a settlement with Phoenix under which OCR accepted and collected $35,000.00 (“Settlement Amount”) from Phoenix in full satisfaction of a $250,000 CMP under a March 30, 2021 Notice of Final Determination issued against Phoenix for willful violation of the Access Rule. 

The Phoenix CMP and resulting settlement arose from OCR’s investigation of a right of access complaint filed against the Oklahoma multi-facility nursing care organization by a patient’s daughter in April 2019 that Phoenix would not provide the daughter, who serves as a personal representative, with a copy of her mother’s medical records. After Phoenix eventually sent the requested records 323 days after the request on January 30, 2020 and only after OCR attempts to get the records through technical assistance and other efforts, OCR notified Phoenix of its intention to impose a $250,000 civil money penalty (“Phoenix CMP”) against Phoenix for willful violation of the Access Rule along with violations of HIPAA’s business associate requirements. 

Rather than accede to OCR’s proposed imposition of the $250,000 Phoenix CMP, however, Phoenix chose to challenge the proposed Phoenix CMP to an administrative law judge (“ALJ”) in the Civil Remedies Division of the Departmental Appeals Board (“DAB”) of HHS. In Decision No. CR6232, the ALJ on February 16, 2023, upheld the Access Rule violations cited by OCR and OCR’s determinations that Phoenix acted with willful neglect in committing the violations, but reduced the Phoenix CMP amount from the $250,000 proposed by OCR to $75,000.

Despite the ALJ’s reduction of the Phoenix CMP, Phoenix then unsuccessfully challenged the ALJ’s determinations. On August 4, 2023, the HHS Departmental Appeals Board upheld the ALJ’s decision to uphold OCR’s determinations that Phoenix acted with willful neglect in violating the Access Rule and imposition of the reduced $75,000 CMP.

When Phoenix threatened to appeal this determination in federal court and presented evidence of “financial hardship, however, OCR agreed “as a compromise based on the unique facts and circumstances of this matter,” to accept in full satisfaction of the $75,000 CMP assessed due and owing by Phoenix under ALJ Decision affirmed by DAB Decision No. 3105 and DAB Decisions  No. CR6232 in return for Phoenix’s payment of the $35,000 Settlement Amount and Phoenix’s agreement not to further challenge OCR’s assessment and to revise its HIPAA Policies and Procedures to address the Access Rule and business associate agreement requirements, training, and other compliance.

Right Of Access Enforcement Takeaways

OCR’s pursuit of CMPs for Access Rule violations against AMR, WCCC and Phoenix, along with the 46 Access Rule settlements announced by OCR before the Phoenix Settlement makes clear OCR takes seriously and stands prepared to assess substantial CMPs against Covered Entities that violate the Access Rule.  

Like the 46 Access Rule settlements OCR previously announced, the circumstances surrounding the assessment of the AMR CMP and other Access Right Enforcement actions contain several important lessons for Covered Entities and business associates including:

  • Ensuring Covered Entities appropriately track and timely respond to access requests is critical;
  • Failing to provide timely response to even a single access request can trigger a significant CMP;
  • The existence or expectation of a lawsuit or other dispute with the patient or patient’s personal representative does not justify delay or refusal timely to provide requested medical records within 30 days;
  • While Covered Entities and business associates have a duty to verify a family member, attorney or other party requesting medical records on behalf of a patient is the personal representative, a Covered Entity is responsible for verifying this and delivering the requested medical records promptly following receipt of a request;
  • If a Covered Entity or business associate intends to charge to provide requested medical records in response to an access request, ensure that the proposed charge is calculated following the Access Rule, notification is delivered within 30 days of the original request and deliver the medical records promptly after the payment is received;
  • Providing requested medical records to another health care provider or other party does not excuse or substitute for providing the medical records to the requesting patient or personal representative;
  • A Covered Entity that fails to meet the 30-day deadline for responding to an access request should fix the problem promptly by delivering the documents as soon as possible and taking documented corrective action to prevent future noncompliance;
  • A Covered Entity or business associate that already has not responded within 30 days of receipt of an access request should not withhold delivery of the requested PHI pending the requestor’s payment of the minimal allowed charge that it could have imposed had it timely responded to the access request within 30 days; and
  • Consider carefully before declining an offer from OCR to settle through informal resolution.

Covered Entities and business associates also should keep in mind other potentially applicable legal or ethical requirements to provide medical records.  For instance, state medical licensure and ethics rules typically require physicians and other health care providers to provide copies of medical records or other materials that also qualify as protected health information under HIPAA.  Likewise, the Employee Retirement Income Security Act, state insurance rules and other federal or state laws also may require health plans and their insurers, administrators and others with timely access to medical or other records that also are protected heath information under HIPAA.  Covered Entities and business associates should ensure that all applicable deadlines are met and that any charges imposed satisfy all applicable requirements.

Covered Entities and business associates also should keep in mind that the Access Rule is only one of several areas of HIPAA enforcement prioritized by OCR that can trigger costly CMPs. Since HIPAA took effect in April 2003 through April 2024, OCR has:

  • Received and resolved 99 percent of the more than 358,975 HIPAA complaints and the more than 1,188 OCR-initiated compliance reviews;
  • Required changes in privacy practices and corrective actions in more than 30,839 cases investigated;
  • Settled or imposed a civil money penalty in 145 cases resulting in a total dollar amount of $142,663,772.00; and
  • OCR referred 2,197 to the Department of Justice (DOJ) for criminal investigation of cases involving the knowing disclosure or obtaining of protected health information in violation of HIPAA.

The compliance issues most often alleged in complaints cumulatively, in order of frequency through April, 2024 have remained consistent across the 20 years since HIPAA became effective.  They include cumulative in order of frequency:

  • Impermissible uses and disclosures of protected health information;
  • Lack of safeguards of protected health information;
  • Lack of patient access to their protected health information;
  • Lack of administrative safeguards of electronic protected health information; and
  • Use or disclosure of more than the minimum necessary protected health information.

While health care providers are the type of Covered Entity most often subjected to enforcement, OCR data confirms OCR investigations and enforcement has impacted all types of Covered Entities and business associates.  According to this data, the categories of Covered Entities OCR investigations have found to have committed violations are, in order of frequency:

  • General Hospitals;
  • Private Practices and Physicians;
  • Pharmacies;
  • Outpatient Facilities; and
  • Group Health Plans.

Additionally, while Group Health Plans as a group have the fewest compliance violations to date, OCR enforcement data confirms OCR’s investigation and enforcement of Access Rule violations against Group Health Plans, as well as that Group Health Plans and their business associates historically account for violations of the HIPAA security rules for the protection of electronic health information affecting millions of Americans. With OCR’s even further heightening its prioritization of HIPAA’s security rule oversight and enforcement in response to massive breaches of electronic protected health information systems and data that triggered widespread disruptions of care and payment systems reported by UnitedHealthcare Group’s Change Health, Ascension Health, and others, and recent OCR guidance requiring to update their Notices of Privacy Practices, all Covered Entities and their business associates should ensure seize the opportunity to re-verify the defensibility of their organization’s Access Rule, Security Rule and other HIPAA compliance.

For More Information

We hope this update is helpful. For more information about these or other health or other legal, management, or public policy developments, please get in touch with the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

About the Author 

Scribe leading the American Bar Association Joint Committee on Employee Benefits Annual Meeting with the HHS Office of Civil Rights on HIPAA, Cynthia Marcotte Stamer has extensive experience advising and defending health care and life sciences, health plans and insurers, their business associates about HIPAA and other privacy and data security protection, breach response and other compliance and risk management.

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 35 plus years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

A Fellow in the American College of Employee Benefit Counsel, Immediate Past Co-Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee and Vice-Chair Elect of its International Employment Law Committee, Immediate Past Chair of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, Past Group Chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee; and Chair of the ABA Intellectual Property Section Law Practice Management Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading-edge work, scholarship and thought leadership advising healthcare and life sciences, managed care and other insurance and employer-sponsored health benefit, technology, and other highly regulated and data dependent clients about health care and other regulatory, workforce and staffing, health and other employee benefits, safety, contracting, quality assurance, compliance and risk management, and other legal, public policy and operational concerns. She speaks and publishes extensively on these and other related compliance issues.

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, life sciences, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. Author of a multitude of highly regarded publications on HIPAA and other medical record and data privacy and scribe for the ABA JCEB Annual Meeting with the HHS Office of Civil Rights, her experience includes extensive involvement throughout her career in advising health care and life sciences and other clients about preventing, investigating and defending HIPAA, FACTA, GDPR, GLB, and other privacy, data security and information protection and breach; EEOC, DOJ, OFCCP and other Civil Rights Act, Section 1557 and other HHS, HUD, banking, and other federal and state compliance, investigations, audits, lawsuits and other enforcement actions as well as advocacy before Congress and regulators regarding federal and state privacy, data breach and security, employment, employee benefits and insurance, equal opportunity, equity and other laws. 

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here

About Solutions Laws Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here, such as:

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and educational purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstances at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules make it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access to this publication. 

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2024 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™

Leave a Comment » | data breach, Health Care, HIPAA, PHI, ransomware | Tagged: , , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

OCR Continues Prioritizing Protecting Health Info & Systems Against Ransomware & Other Hacking Threats; Plans $50M Investment To Develop Cybersecurity Tools

May 20, 2024

Responding to concerns heightened by a series of health industry cybersecurity incidents disrupting patient health care and privacy resulting from unpatched systems and devices like those recently experienced by UnitedHealthcare Group subsidiary Change Health, Ascension Healthcare and other health industry organizations, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) is making safeguarding PHI a top priority. Along with the growing series of guidance packages, enforcement, audit and other efforts, OCR and the Advanced Research Projects Agency for Health (“ARPA-H”) are investing more than $50 million to help develop tools to help hospital and clinic IT teams better protect their health information record systems and patients from ransomware and other cyberattacks.

OCR Responds To Care Disruptions From Health Industry Ransomware Attack

In September, 2021, OCR clearly warned health care providers, health plans, healthcare clearinghouses and their business associates (“covered entities”) to protect their health information systems and electronic protected health information against ransomware, hacking and similar outside threats by publishing its Fact Sheet: Ransomware and HIPAA as well as through a growing list of hacking and ransomware related resolution agreements. See e.g. HHS’ OCR Settles HIPAA Investigation with Phoenix Healthcare; HHS’ Office for Civil Rights Settles Malicious Insider Cybersecurity Investigation for $4.75 Million; HHS’ Office for Civil Rights Settles Ransomware Cyber-Attack Investigation with Doctors’ Management Services; HHS Office for Civil Rights Settles with L.A. Care Health Plan Over Potential HIPAA Security Rule Violations; HHS Office for Civil Rights Settles HIPAA Investigation with iHealth Solutions Regarding Disclosure of Protected Health Information on an Unsecured Server for $75,000; HHS Office for Civil Rights Settles HIPAA Investigation with Arkansas Business Associate MedEvolve Following Unlawful Disclosure of Protected Health Information on an Unsecured Server for $350,000; HHS Office for Civil Rights Settles HIPAA Investigation with Arizona Hospital System Following Cybersecurity Hacking; Oklahoma State University – Center for Health Services Pays $875,000 to Settle Hacking Breach.

While OCR historically waited to publicly respond to these and other massive breaches until its announcement of resolution agreements reached after years’ long investigations of these massive breaches, the massive disruptions in patient care resulting from the February, 2024, UHG Breach prompted OCR to act quickly. Just weeks after UHG first announced the February 23, 2024, ransomware attack and before receiving a breach report from UHG or Change Health, OCR announced its opening of an investigation and issued its March 13, 2024 Dear Colleague letter. See e.g., HHS Office for Civil Rights Issues Letter and Opens Investigation of Change Healthcare Cyberattack. In the March 13, 2024, Dear Colleague letter:

  • Confirmed OCR’s opening and prioritization of an investigation of Change Healthcare and UnitedHealth Group focused on whether a breach of protected health information (PHI) occurred and on the entities’ compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Rules because of the cyberattack’s unprecedented impact on patient care and privacy.
  • Confirmed that OCR anticipates that it eventually also will conduct secondary investigations of the HIPAA compliance of covered entities that have business associate relationships with Change Healthcare and UHG, and those organizations that are business associates to Change Healthcare and UHG.; and
  • Reminded all of these partner entities of their HIPAA obligations to have business associate agreements in place and to ensure that timely breach notification to the Department of Health and Human Services (HHS) and affected individuals occurs.

Subsequently, OCR has shared additional guidance on its expectations for covered entity response to the UHG Breach in its Change Healthcare Cybersecurity Incident Frequently Asked Questions page (“FAQ”}. Among other things, the FAQ reminds covered entities that its OCR’s ransomware guidance provides specific information on the steps covered entities and business associates should take to determine if a ransomware incident is a HIPAA breach and confirming that OCR will presume a breach of electronic protected information occurred and that a covered entity is required to provide notification unless a covered entity impacted by the breach can demonstrate its investigation proves a “…low probability that the PHI has been compromised,” based on the factors in the Breach Notification Rule.

Since UHG has indicated it may be months before its can restore its systems sufficiently to determine the identities of the individuals whose protected health information was breached and other relevant data,he FAQ also provides guidance to covered entities about options for making breach reports given the existing uncertainty of the information available from UHG currently.

These and other actions by OCR in response to the UHG breach send a strong message to all covered entities OCR’s readiness to act zealously against covered entities that fail to take appropriate steps to safeguard their health information systems and data against ransomware and other hacking.

UPGRADE Program To Fund Development of Hospital & Clinic Cybersecurity Tools

OCR and ARPA-H’s May 20, 2024 announcement of plans to invest $50 million investment in heath industry cybersecurity under the ARPA-Hs’s new Universal Patching and Remediation for Autonomous Defense (“UPGRADE”) program reflects HHS is moving to help covered entities to fulfill their HIPAA responsibilities along with vigorously investigating large ransomware and hacking related breaches at covered entities. According to the May 20, 2024 announcement, ARPA-H will solicit proposals for the development of tools to effectuate the UPGRADE program in four technical areas: creating a vulnerability mitigation software platform, developing high-fidelity digital twins of hospital equipment, auto-detecting vulnerabilities, and auto-developing custom defenses.  

HHS ARPA-H established the UPGRADE program in recognition that cyberattacks that disrupt hospital or clinic operation can impact patient care or even lead to facility closure. The establishment of the UPGRADE program recognizes that complexities of the software systems used in a given health care facility, the number and variety of internet-connected devices unique to each facility, disruptions caused by taking critical pieces of hospital infrastructure offline for updates, and other unique challenges impacting hospitals often delay development and deployment of software fixes.  These and other complexities and challenges often leave actively supported devices in hospitals and clinics vulnerable for over a year and unsupported legacy devices vulnerable far longer. 

The ARPA-H’s UPGRADE program is tasked with developing tools to reduce the effort it takes to secure hospital equipment and ensure devices are safe and functional so that health care providers can focus on patient care.  HHS anticipates that the UPGRADE platform will enable proactive evaluation of potential vulnerabilities by probing models of digital hospital environments for weaknesses in software. Once a threat is detected, a remediation (e.g., patch) can be automatically procured or developed, tested in the model environment, and deployed with minimum interruption to the devices in use in a hospital. HHS hopes the UPGRADE program will ‘speed the time from detecting a device vulnerability to safe, automated patch deployment down to a matter of days, providing confidence to hospital staff and peace of mind to the people in their care.

The UPGRADE program adds a new element to ARPA-H’s ongoing digital health care security efforts.  It Digital Health Security Initiative, DIGIHEALS, launched last summer focuses on securing individual applications and devices. ARPA-s also recently partnered with the Defense Advanced Research Projects Agency for the Artificial Intelligence Cyber Challenge, or AIxCC, a prize competition to secure open-source software used in critical infrastructure.

The UPGRADE program aims to secure whole systems and networks of medical devices to ensure solutions can be employed at scale.  Multiple awards under this solicitation are anticipated. To learn more about UPGRADE, including information about the draft solicitation, virtual Proposers’ Day registration, and how to state interest in forming an applicant team, visit the UPGRADE program page.  For more information on HHS’ Cybersecurity Performance Goals and HHS’ cybersecurity work, visit HHS Cybersecurity Gateway.

Other OCR Cybersecurity Guidance & Tools

Safeguarding protected health information is a top OCR priority.  Before announcing the UPGRADE program, OCR already has provided a growing list of resources to help entities protect their record systems and patients from cyberattacks, including:

  • OCR HIPAA Security Rule Guidance Material – This webpage provides educational materials to learn more about the HIPAA Security Rule and other sources of standards for safeguarding electronic protected health information. Materials include a Recognized Security Practices Video, Security Rule Education Paper Series, HIPAA Security Rule Guidance, OCR Cybersecurity Newsletters, and more.
  • OCR Video on How the HIPAA Security Rule Protects Against Cyber-Attacks  – This video educates the health care industry on real world cyber-attack trends from OCR breach reports and investigations and explores how implementation of HIPAA Security Rule safeguards can help detect and mitigate common cyber-attacks. Topics include OCR breach and investigation trend analysis, common attack vectors, OCR investigations of weaknesses that led to or contributed to breaches, and how Security Rule compliance can help regulated entities defend against cyber-attacks.
  • OCR HIPAA Risk Analysis Webinar – This webinar discusses the HIPAA Security Rule Risk Analysis discusses the HIPAA Security Rule requirements for conducting an accurate and thorough assessment of potential risks and vulnerabilities to electronic protect health information and reviews common risk analysis deficiencies OCR has identified in its investigations.
  • HHS Security Risk Assessment Tool – This tool is designed to assist small- to medium-sized entities in conducting an internal security risk assessment to aid in meeting the security risk analysis requirements of the HIPAA Security Rule.
  • Factsheet: Ransomware and HIPAA – This resource provides information on what is ransomware, what covered entities and business associates should do if their information systems are infected, and HIPAA breach reporting requirements.
  • Healthcare and Public Health (HPH) Cybersecurity Performance Goals – These voluntary, healthcare-specific cybersecurity performance goals can help healthcare organizations strengthen cyber preparedness, improve cyber resiliency, and protect patient health information and safety.
  • Ransomware Guidance – OCR’s ransomware guidance provides specific information on the steps covered entities and business associates should take to determine if a ransomware incident is a HIPAA breach. The HIPAA Rules define a breach as “…the acquisition, access, use, or disclosure of [PHI] in a manner not permitted under the HIPAA Privacy Rule,  which compromises the security or privacy of the PHI.” See 45 CFR 164.402. Whether the presence of ransomware would be a breach under the HIPAA Rules is a fact-specific determination. 

In the face of these developments, hospitals and clinics, as well as other covered entities should timely complete documented risk assessments of their exposures and diligent, well-documented and reasoned efforts to ensure their systems are timely and appropriately implemented and updated timely to incorporate all necessary software patches and other processes needed to defend against ransomware and other hacking.

For More Information

We hope this update is helpful. For more information about these or other health or other legal, management, or public policy developments, please get in touch with the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

About the Author 

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 35 plus years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

A Fellow in the American College of Employee Benefit Counsel, Co-Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee and Vice-Chair Elect of its International Employment Law Committee, Chair-Elect of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading-edge work, scholarship and thought leadership on heath benefit and other healthcare and life science, managed care and insurance and other workforce and staffing, employee benefits, safety, contracting, quality assurance, compliance and risk management, and other legal, public policy and operational concerns in the healthcare and life sciences, employee benefits, managed care and insurance, technology and other related industries. She speaks and publishes extensively on these and other related compliance issues.

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, life sciences, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. Author of a multitude of highly regarded publications on HIPAA and other medical record and data privacy and scribe for the ABA JCEB Annual Meeting with the HHS Office of Civil Rights, her experience includes extensive involvement throughout her career in advising health care and life sciences and other clients about preventing, investigating and defending EEOC, DOJ, OFCCP and other Civil Rights Act, Section 1557 and other HHS, HUD, banking, and other federal and state discrimination investigations, audits, lawsuits and other enforcement actions as well as advocacy before Congress and regulators regarding federal and state equal opportunity, equity and other laws. 

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here

About Solutions Laws Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here, such as:

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and educational purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstances at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules make it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access to this publication. 

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2024 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™

Leave a Comment » | data breach, Health Care, HIPAA, PHI, ransomware | Tagged: , , , , | Permalink
Posted by Cynthia Marcotte Stamer

Review & Update Medical Record Confidentiality Policies In Response To Newly Revised Federal Substance Abuse Disorder Confidentiality Rules

February 29, 2024

Physicians, substance abuse and mental health facilities, and other health care providers providing or handling substance abuse treatment records should review and update their medical privacy and confidentiality policies to comply with revisions (Final Rule) to the Confidentiality of Substance Use Disorder (SUD) Patient Records regulations at 42 CFR part 2 (“Part 2”) adopted by the U.S. Department of Health and Human Services Office for Civil Rights (OCR) and the Substance Abuse and Mental Health Services Administration (SAMHSA) on February 8, 2024. Providers subject to Part 2 should move quickly to review and update their policies and practices to comply with Part 2 and other applicable federal and state confidentiality, privacy and data security requirements avoid the potentially serious and expensive consequences that can result from violations.

Part 2 Generally

The Part 2 statute (42 U.S.C. 290dd-2) protects “[r]ecords of the identity, diagnosis, prognosis, or treatment of any patient which are maintained in connection with the performance of any program or activity relating to substance use disorder education, prevention, training, treatment, rehabilitation, or research, which is conducted, regulated, or directly or indirectly assisted by any department or agency of the United States.” Confidentiality protections help address concerns that discrimination and fear of prosecution deter people from entering treatment for SUD.

Like violation of HIPAA and other federal and state medical privacy and confidentiality rules, violation of Part 2 carries serious consequences, including:

  • Civil Penalties: Organizations or individuals found in violation may face fines or monetary penalties. These can vary depending on the severity of the breach and the specific circumstances.
  • Criminal Charges: In cases of intentional or willful violations, criminal charges may be filed. This could result in imprisonment or probation for the responsible parties.
  • License Revocation: Medical professionals, facilities, or organizations may have their licenses revoked or suspended if they fail to protect patient confidentiality.
  • Legal Liability: Violations can lead to lawsuits and legal claims by affected individuals. This may result in financial damages awarded to the aggrieved parties.
  • Reputation Damage: Breaches of confidentiality can harm an organization’s reputation and trust among patients, clients, and the public.

It is crucial for covered healthcare providers and programs to adhere to confidentiality regulations, as well as otherwise applicable HIPAA and other legal and ethical standards to avoid these consequences.

The requirements of Part 2 run in tandem with, and where applicable, apply in addition to the much more broadly privacy, security, data breach, and patient rights requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) applicable to health care providers, health plans, health care clearinghouses and their business associates. Part 2 Part 2 directly applies to all records relating to the identity, diagnosis, prognosis, or treatment of any patient in a substance abuse program that either is federally assisted and holds itself out as providing, and provide, alcohol or drug abuse diagnosis, treatment or referral for treatment. A program is “federally assisted” if it is:

  • Any entity that receives federal funding
  • Certified by Medicare
  • Registered to distribute controlled substances
  • A tax exempt non-profit.

Since most physicians and many other treatment providers register with the Drug Enforcement Agency (DEA) to distribute controlled substances, this includes most prescribers. Providers that do not directly fall within the scope of the rule also need to confirm that their state licensure or other rules do not require their compliance with the Part 2 rules.

While the restrictions and requirements for covered health care providers of Part 2 and HIPAA both can affect the hoops that employers may have to negotiate to access applicants’ and employees’ substance abuse treatment records, neither Part 2 or HIPAA applies to employers to implement and administer Drug Free Workplace Act or other workplace-related substance abuse policies. However, the Americans with Disabilities Act (ADA) of 1990, the Civil Rights Act of 1964, the Family and Medical Leave Act (FMLA) of 1993, the National Labor Relations Act (NRLA) of 1935, state common law or statutory privacy, confidentiality, employment and other laws, and a variety of other federal and state laws may restrict employer use and access to, and require employers to protect the confidentiality of drug testing and other substance use and abuse screening, treatment and other substance abuse related records. Consequently, while employers are not directly subject to Part 2 and HIPAA, they nevertheless need to ensure compliance with other applicable requirements, particularly since violations of these employer rules tend also to carry potentially substantial liability.

New Part 2 Revisions

The revisions will bring the Part 2 program privacy and confidentiality requirements into closer alignment with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Breach Notification, and Enforcement Rules, as well as require enhanced coordination among providers treating patients for substance abuse disorders (SUDs), and enhance integration of behavioral health information with other medical records in response to provisions of the Coronavirus Aid, Relief, and Economic Security Act (CARES Act). that, among other things, required HHS to bring the Part 2 program into closer alignment with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Breach Notification, and Enforcement Rules.

Among other things, the Final Rule makes the following modifications to Part 2:

  • Allows a single patient consent for all future uses and disclosures for treatment, payment, and health care operations.
  • Allows HIPAA covered entities and business associates that receive records under this consent to redisclose the records in accordance with the HIPAA regulations.1
  • Aligns Part 2 penalties with HIPAA by replacing criminal penalties currently in Part 2 with civil and criminal enforcement authorities that also apply to HIPAA violations.2
  • Applies the same requirements of the HIPAA Breach Notification Rule3 to breaches of records under Part 2.
  • Aligns Part 2 Patient Notice requirements with the requirements of the HIPAA Notice of Privacy Practices.
  • Creates a limit on civil or criminal liability for investigative agencies that act with reasonable diligence to determine whether a provider is subject to Part 2 before making a demand for records in the course of an investigation. The safe harbor requires investigative agencies to take certain steps in the event they discover they received Part 2 records without having first obtained the requisite court order.
  • Clarifies and strengthens the reasonable diligence steps that investigative agencies must follow to be eligible for the safe harbor: before requesting records, an investigative agency must look for a provider in SAMHSA’s online treatment facility locator and check a provider’s Patient Notice or HIPAA Notice of Privacy Practices to determine whether the provider is subject to Part2.
  • Adds an express statement that segregating or segmenting Part 2 records is not required.
  • Adds a right to file a complaint directly with the Secretary for an alleged violation of Part 2. Patients may also concurrently file a complaint with the Part 2 program.
  • Creates a new definition for an SUD clinician’s notes analyzing the conversation in an SUD counseling session that the clinician voluntarily maintains separately from the rest of the patient’s SUD treatment and medical record and that require specific consent from an individual and cannot be used or disclosed based on a broad TPO consent. This is analogous to protections in HIPAA for psychotherapy notes.4
  • Prohibits combining patient consent for the use and disclosure of records for civil, criminal, administrative, or legislative proceedings with patient consent for any other use or disclosure.
  • Creates a new right for patients to opt out of receiving fundraising communications.
  • Permits disclosure of records without patient consent to public health authorities, provided that the records disclosed are de-identified according to the standards established in the HIPAA Privacy Rule.
  • Restricts the use of records and testimony in civil, criminal, administrative, and legislative proceedings against patients, absent patient consent or a court order.
  • Requires a separate patient consent for the use and disclosure of SUD counseling notes.
  • Requires that each disclosure made with patient consent include a copy of the consent or a clear explanation of the scope of the consent.

Given the concurrent applicability of Part 2 and HIPAA and the Part 2 revisions’ incorporation of HIPAA standards and requirements, providers subject to Part 2 should confirm the compliance of their policies and practices with both the specific requirements of Part 2 and HIPAA generally. When evaluating compliance, covered entities should keep in mind that along with the Part 2 changes, OCR’s applicable regulatory and enforcement HIPAA guidance also has undergone significant change in recent months. The review and update will need to validate compliance with current requirements of both Part 2 and HIPAA, as well as all otherwise applicable federal and state laws and ethical standards. Verifying compliance is particularly important because the Biden Administration has made expansion and enforcement of federal rules protecting access to treatment and safeguarding the confidentiality of mental health and substance abuse treatment records a top priority. In light of this emphasis, all health care providers should act promptly to review and update their policies with these Part 2 changes.as well as other HIPAA and related federal and state changes.

For More Informational

We hope this update is helpful. For more information about these or other health or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 35 plus years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

A Fellow in the American College of Employee Benefit Counsel, Co-Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee and Vice-Chair Elect of its International Employment Law Committee, Chair-Elect of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading-edge work, scholarship and thought leadership on healthcare and life science, managed care and insurance and other workforce and staffing, employee benefits, safety, contracting, quality assurance, compliance and risk management, and other legal, public policy and operational concerns in the healthcare and life sciences, employee benefits, managed care and insurance, technology and other related industries. She speaks and publishes extensively on these and other related compliance issues.

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, life sciences, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. Scribe for the ABA JCEB Annual Meeting with the HHS Office of Civil Rights, her experience includes extensive involvement throughout her career in advising health care and life sciences and other clients about preventing, investigating and defending EEOC, DOJ, OFCCP and other Civil Rights Act, Section 1557 and other HHS, HUD, banking, and other federal and state discrimination investigations, audits, lawsuits and other enforcement actions as well as advocacy before Congress and regulators regarding federal and state equal opportunity, equity and other laws. 

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here such as:

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and educational purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstances at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules make it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access to this publication. 

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2024 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™

Leave a Comment » | Health Care | Tagged: , , , , | Permalink
Posted by Cynthia Marcotte Stamer

Hospital System Pays $4.75 Million HIPAA Breach Settlement

February 8, 2024

The $4.75 million settlement payment New York based Montefiore Medical Center is paying to settle charges by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) Health Insurance Portability and Accountability Act (HIPAA) that multiple breaches of HIPAA’s Security Rule allowed a former employee to steal and sell more than 12,000 patients’ electronic personal health care information (EPHI) warns other health care providers, health plans, health care clearinghouses and their business associates (Covered Entities) to ensure their HIPAA compliance efforts incorporate adequate safeguards to protect their organizations’ EPHI against insider theft or other misuse as well as against external actors.

HIPAA Requirement To Protect Protected Health Information

The HIPAA Privacy, Security, and Breach Notification Rules require health care providers, health plans and insurers and others take steps to protect the privacy and security of patients’ protected health information. The HIPAA Security Rule requires Covered Entities to protect electronic protected health information and other protected health information against use, access, disclosure or destruction by third parties except under the conditions allowed by HIPAA.  These requirements include the requirements of the Security Rule to conduct and document comprehensive security assessments of risks to sensitive data systems, to implement and enforce detailed security safeguards to protect EPHI and the systems containing that data against these threats, to train and enforce compliance with these safeguards, and other requirements.  Meanwhile, the HIPAA Breach Notification Rule requires Covered Entities to report most breaches of unsecured EPHI to individuals whose data is affected, OCR, and in the case of breaches of EPHI affecting more than 500 individuals, to the media. 

Despite these Rules and the expanded audit and enforcement efforts by OCR, cybersecurity threats and breaches continue to present significant threats to the privacy and security of protected health information possessed by Covered Entities. OCR’s breach reports reflect that EPHI breaches affecting more than 500 individuals (large breaches) remain common. These breach reports reveal that more than 134 million individuals were affected by large breaches in 2023, compared to the not insignificant 55 million individuals affected in 2022. In response to this continuing threat, HHS released a Department-wide Cybersecurity strategy for the health care sector in December of 2023, and released voluntary performance goals to enhance cybersecurity across the health sector just last week. The enforcement action and settlement with Montefiore Medical Center is the latest of the growing list of investigations and resulting high dollar settlements obtained by OCR in its efforts to enhance the security of EPHI through enforcement of the Security Rule.

Montefiore Medical Center $4.75 Million Settlement

The $4.75 million monetary settlement agreement and corrective action plan resolves Montefiore Medical Center’s exposure to potentially much greater penalties that OCR could impose for multiple Security Rule violations OCR reports finding while investigating a Montefiore Medical Center data breach report of the theft and sale of personal health information by an employee.

Montefiore Medical Center learned of the data theft while investigating a report from the New York Police Department of evidence of theft of a specific patient’s medical information in 2015. The internal investigation revealed two years previously a Montefiore Medical Center employee stole the electronic records containing patient’s name, address, SSN, next of kin, and health insurance information, of 12,517 patients from its electronic medical record system and then sold patient information to an identity theft ring. OCR learned of the breach when Montefiore Medical Center filed the breach report about the theft with OCR to comply with the HIPAA Breach Notification Rule.

In accordance with its policy of investigating all breach reports involving the personal health information of more than 500 individuals (a large breach), OCR conducted an investigation of the breach reported in the Montefiore Medical Center breach notification report. According to OCR, that investigation revealed the breach and theft of the Montefiore patients’ EPHI was made possible by multiple potential violations of the HIPAA Security Rule, including failures by Montefiore Medical Center:

  • To analyze and identify potential risks and vulnerabilities to protected health information,
  • To monitor and safeguard its health information systems’ activity, and
  • To implement policies and procedures that record and examine activity in information systems containing or using protected health information.

OCR concluded without these safeguards in place, Montefiore Medical Center was unable to prevent the cyberattack or even detect the attack had happened until years later.

Under the terms of the settlement, Montefiore Medical Center will pay $4,750,000 to OCR and implement a corrective action plan that identifies certain steps toward protecting and securing the security of protected health information. These actions include:

  • Conducting an accurate and thorough assessment of the potential security risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information;
  • Developing a written risk management plan to address and mitigate security risks and vulnerabilities identified in the Risk Analysis;
  • Developing a plan to implement hardware, software, and/or other procedural mechanisms that record and examine activity in all information systems that contain or use electronic protected health information;
  • Reviewing and revising, if necessary, written policies and procedures to comply with the HIPAA Privacy and Security Rules;
  • Providing training to its workforce on HIPAA policies and procedures; and
  • Submit to monitoring of its compliance by OCR for two years.

Covered Entities Urged To Protect EPHI From Internal & External Security Threats

The Montefiore breach illustrates both how cyber criminals and thieves frequently target EPHI held by Covered Entities for criminal purposes and reminds Covered Entities that these breaches often are committed or facilitated by employees or other insiders of their own or a business associate’s organization. The $4,750,000 settlement paid by Montefiore Medical Center demonstrates the significant financial consequences that a Covered Entity is likely to incur if it experiences a breach as a result of its failure to adequately comply with HIPAA Security Rules from both external and internal threats.

To mitigate these risks, Covered Entities must be prepared to demonstrate their efforts to implement safeguards to mitigate or prevent cyber threats in accordance with the HIPAA Security Rule. In conducting these activities, Covered Entities should heed the clear warning from the Montefiore Medical Center breach and settlement that the Security Rule requires the protection of EPHI from a broad range of ever-evolving internal and external threats. While theft by a malicious insider definitely is one of these risks, cyberthreat and breach experiences within the health care and other industries as well as OCR’s enforcement, investigation and other guidance demonstrate that Covered Entities must be vigilant to monitor and manage a multitude of ever-changing risks. Covered Entities and their leaders must be prepared to demonstrate the adequacy of their ongoing efforts to identify and manage these risks in compliance with the Security Rule.

As part of these efforts, OCR recommends that Covered Entities HIPAA Security and other cybersecurity defenses include, but not be limited to:

  • Reviewing all vendor and contractor relationships to ensure business associate agreements are in place as appropriate and address breach/security incident reporting obligations.
  • Integrating risk analysis and risk management into business processes; and ensuring that they are conducted regularly, especially when new technologies and business operations are planned. Ensuring audit controls are in place to record and examine information system activity.
  • Implementing regular review of information system activity.
  • Utilizing multi-factor authentication to ensure only authorized users are accessing protected health information.
  • Encrypting protected health information to guard against unauthorized access.
  • Incorporating lessons learned from previous incidents into the overall security management process.
  • Providing training specific to organization and job responsibilities and on regular basis; and reinforcing workforce members’ critical role in protecting privacy and security.

Additionally, HIPAA entities and their leaders also should take steps to understand and fully address all other statutory, ethical, contractual or other privacy or confidentiality requirements beyond those imposed by HIPAA. For example, health care providers, health plans and their fiduciaries, brokers, administrators and insurers also may bear responsibilities under the Employee Retirement Income Security Act fiduciary responsibility rules, the Fair and Accurate Credit Transactions Act, federal and state electronic crimes and privacy laws. Publicly traded organizations and their leaders may face responsibilities and liability under new Securities and Exchange Commission regulations. The Employee Benefit Security Administration considers managing cybersecurity risks a part of the fiduciary obligations of fiduciaries of employment-based health plans. Meanwhile, health care providers, insurance organizations and brokers, third party administrators, government contractors, attorneys and other advisors and others also may be subject to medical confidentiality and other data privacy and security obligations under federal and state electronic crimes, identity theft, ethics, professional licensure, contractual, common law privacy and other statutory and common laws.

While it commonly is necessary or advisable to involve consulting or other technical support in the conduct of these activities, HIPAA entities should keep in mind the likelihood that their analysis and review is likely to uncover and prompt discussion of potentially legally or politically sensitive information. For this reason, HIPAA entities and their leaders generally will want to engage experienced legal counsel for assistance in structuring and executing these activities to maximize their ability to claim attorney-client privilege or other evidentiary protections against discovery or disclosure of certain aspects of these activities.

In planning for an implementing these procedures, Covered Entities also are reminded that the effectiveness of these efforts requires that the Covered Entities incorporate appropriate processes and policies for monitoring and investigating compliance with the policies and procedures implemented to comply with HIPAA. Conducting this monitoring and investigation by necessity is likely to involve surveillance, investigation and cooperation of employees, contractors, vendors and others for which Fair Credit Reporting Act background check notification and consent and other procedures are necessary or advisable. 

Finally, HIPAA entities should keep in mind that HIPAA and other cybersecurity compliance and risk management is an ongoing process requiring constant awareness and diligence.  Consequently, HIPAA entities should both monitor OCR and other regulatory and enforcement developments as well as exercise ongoing vigilance to monitor and maintain compliance within their organizations.

For More Information

We hope this update is helpful. For more information about these or other health or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 35 plus years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

A Fellow in the American College of Employee Benefit Counsel, Co-Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee and Vice-Chair Elect of its International Employment Law Committee, Chair-Elect of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading-edge work, scholarship and thought leadership on healthcare and life science, managed care and insurance and other workforce and staffing, employee benefits, safety, contracting, quality assurance, compliance and risk management, and other legal, public policy and operational concerns in the healthcare and life sciences, employee benefits, managed care and insurance, technology and other related industries. She speaks and publishes extensively on these and other related compliance issues.

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, life sciences, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. Scribe for the ABA JCEB Annual Meeting with the HHS Office of Civil Rights, her experience includes extensive involvement throughout her career in advising health care and life sciences and other clients about preventing, investigating and defending EEOC, DOJ, OFCCP and other Civil Rights Act, Section 1557 and other HHS, HUD, banking, and other federal and state discrimination investigations, audits, lawsuits and other enforcement actions as well as advocacy before Congress and regulators regarding federal and state equal opportunity, equity and other laws. 

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here such as:

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and educational purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstances at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules make it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access to this publication. 

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2024 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™

Leave a Comment » | Academic medicine, Health Care, HIPAA, HIPAA Cyber Crime | Tagged: , , , , , , , , , , , , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

1st Phishing-Related HIPAA Settlement Sends Other HIPAA Entities Phishing Warning

December 8, 2023

A resolution agreement with a Louisiana medical group announced December 7, 2023, that resolves the first charges arising from a phishing attack under the Health Insurance Portability and Accountability Act (“HIPAA”) warns other health care providers, health plans, health care clearinghouses (“Covered Entities”) and their business associates (collectively, “HIPAA Entities”) to ensure the adequacy of their risk analysis, safeguards, training and other processes for guarding electronic protected health information (“ePHI”) against phishing or other impermissible access.

According to the Department of Health and Human Services Office of Civil Rights (“OCR”) announcement of the landmark settlement, the charges against LaFourche Medical Group (“LaFourche”), a Louisiana medical group specializing in emergency medicine, occupational medicine, and laboratory testing, resulted from OCR’s investigation into a successful phishing attack on March 30, 2021 that allowed identity thieves to access an email account that contained ePHI of approximately 34,862 individuals.  

HIPAA Entities Duty To Guard EPHI Against Phishing

The HIPAA Privacy Rule and Security Rule require health care providers, heath plans, health care clearinghouses (“Covered Entities”) and their businesses associates (collectively “HIPAA Entities”) to protect EPHI and other protected health information against use, access, disclosure or destruction by third parties except under the conditions allowed by HIPAA.  These requirements include the requirements of the Security Rule to conduct and document comprehensive security assessments of risks to sensitive data systems, to implement and enforce detailed security safeguards to protect EPHI and the systems containing that data against these threats, to train and enforce compliance with these safeguards, and other requirements.  Meanwhile, the HIPAA Breach Notification Rule requires Covered Entities to report most breaches of unsecured EPHI to individuals whose data is affected, OCR, and in the case of breaches of EPHI affecting more than 500 individuals, to the media. 

Phishing is a type of cybersecurity attack used to trick individuals into disclosing sensitive information via electronic communication, such as email, by impersonating a trustworthy source. See OCR Quarter 1 2022 Cybersecurity Newsletter; OCR February 2018 Phishing Cybersecurity Newsletter.

OCR guidance confirms OCR views defending ePHI against phishing as a key part of compliance with these HIPAA requirements.  See, e.g. OCR Quarter 1 2022 Cybersecurity Newsletter; Defending Against Common Cyber-Attacks; AI-Augmented Phishing and the Threat to the Health Sector; HHS 405d Health Industry Cybersecurity Practices on Email Phishing Attacks; Videos on “How the HIPAA Security Rule Can Help Defend Against Cyber-Attacks” in English and Spanish. OCR February 2018 Phishing Cybersecurity Newsletter.  

OCR data confirms the number of breaches of unsecured ePHI reported to the OCR affecting 500 or more individuals (“large breaches”) due to hacking or IT incidents increased 45% from 2019 to 2020,  and hacking or IT incidents accounted for 66% of all large breaches reported to OCR in 2020. U.S. Department of Health and Human Services Breach Portal.  In keeping with this trend, large breaches affected more than 55 million individuals in 2022 and more than 89 million individuals in 2023.  OCR reports phishing played a key role in many of these breaches and contributed to many other breaches currently under OCR investigation.  See U.S. Department of Health and Human Services Breach Portal; OCR Quarter 1 2022 Cybersecurity Newsletter

The widespread availability and use of artificial intelligence technology has only made phishing attempts more effective, especially since those tools are freely available to the public. AI-Augmented Phishing and the Threat to the Health Sector

The 2021 HIMSS Healthcare Cybersecurity Survey reveals phishing is the most common attack impacting healthcare organizations, comprising almost half of all attacks. Data shows hackers frequently use phishing against the health sector because it often leads to data breaches that allow attackers to access large quantities of lucrative stolen health data. AI-Augmented Phishing and the Threat to the Health Sector.

LaFourche Phishing Breach

The OCR investigation of LaFourche arose from a May 28, 2021 data breach report LaFourche filed reporting a March 30, 2021 breach. According to the breach report, LAFOURCHE  learned on March 30, 2021, that an unauthorized individual obtained access to one of its owners’ email accounts through a phishing attack. LAFOURCHE  determined that the email account contained patients’ EPHI. According to the report, on March 30, 2021, LAFOURCHE  learned that an unauthorized individual obtained access to one of its owners’ email accounts through a phishing attack. LAFOURCHE  determined that the email account contained patients’ protected health information (PHI). As LAFOURCHE  was unable to identify the specific patients affected, LAFOURCHE  notified all of its patients – approximately 34,862 individuals of the incident. As LAFOURCHE  was unable to identify the specific patients affected, LAFOURCHE  notified all of its patients – approximately 34,862 individuals – of the incident.

OCR’s investigation opened in January, 2022 in response to the breach report revealed found that before LAFOURCHE  made the breach report LAFOURCHE  never conducted a Security Rule risk analysis and had no policies or procedures in place to regularly review information system activity to safeguard protected health information against cyberattacks. 

To resolve OCR HIPAA charges arising from the breach, LaFourche agreed to pay $480,000 to OCR and to implement and follow a corrective action plan that includes the following requirements:

  • Establishing and implementing security measures to reduce security risks and vulnerabilities to electronic protect health information in order to keep patients’ protected health information secure;
  • Developing, maintaining, and revising written policies and procedures as necessary to comply with the HIPAA Rules; and
  • Providing training to all staff members with access to patients’ protected health information on HIPAA policies and procedures.

OCR will monitor for two years. LaFourche’s adherence with the compliance plan for two years.

While the $480,000 that LaFourche is a significant amount for a medical practice to pay, agreeing and adhering to the requirements of the settlement agreement and its incorporated corrective action plan allows LaFourche to avoids becoming subject to significantly greater civil monetary penalties authorized by HIPAA for breaches of its Privacy, Security and Breach Notification Rules.  Under the terms of the resolution agreement, however, HHS can still pursue civil monetary penalties against LaFourche for the violations if OCR finds LaFourche failed to comply with any of the requirements of its corrective action plan or otherwise violates HIPAA.

LaFourche Experience Warns Other HIPAA Entities To Tighten Phishing Defenses

The LaFourche resolution agreement serves as a warning to other HIPAA entities.  OCR’s announcement of the settlement quotes OCR Director Melanie Fontes Rainer as stating, “It is imperative that the health care industry be vigilant in protecting its systems and sensitive medical records, which includes regular training of staff and consistently monitoring and managing system risk to prevent these attacks. We all have a role to play in keeping our health care system safe and taking preventive steps against phishing attacks.”

Based on the LaFourche resolution agreement and other guidance, HIPAA entities should heed this warning by ensuring their organization is prepared to demonstrate to OCR in the event of an OCR audit or breach investigation by among other things, establishing appropriate governance with C-level oversight of compliance efforts; conducting documented periodic systemic risk assessments addressing phishing and other threats;  actions taken to implement appropriate safeguards and monitor their effectiveness; appropriate workforce training and enforcement of policies and procedures; timely investigation and response to known or suspected breaches; timely breach reporting and mitigation; and other compliance with the Security Rule.

With regard to phishing, the Office of Information Security Whitepaper on AI-Augmented Phishing and the Threat to the Health Sector provides specific tips for successful prevention of phishing attacks including but not limited to:

  • Ensuring proper email server configuration or integrating a spam gateway or other appropriate additional platform into the information infrastructure, such as a spam gateway filter, to help filter unwanted e-mails;
  • Multi-factor authentication (MFA) requirements to protect against stolen credentials, which can be the initial purpose of a phishing attack;
  • Up-to-date malware and other security software to detect malware as it is being executed onto the system;
  • Conducting periodic end-user awareness training on detection of phishing e-mails and interacting with all e-mail with healthy skepticism including specific training on comment formats and tricks including those generated using AI tools;
  • Systematically using appropriately updated and robust processes for monitoring and detecting suspicious activities/indicators on an ongoing basis.

HIPAA entities also should keep in mind that phishing is only one of a multitude of compliance and enforcement risks highlighted by OCR’s recent enforcement and guidance. Along with reviewing and updating their phishing defenses, HIPAA entities also should review and update other processes as needed to manage these exposures.

Additionally, HIPAA entities and their leaders also should take steps to understand and fully address all other statutory, ethical, contractual or other privacy or confidentiality requirements beyond those imposed by HIPAA. For example, health care providers, health plans and their fiduciaries, brokers, administrators and insurers also may bear responsibilities under the Employee Retirement Income Security Act fiduciary responsibility rules, the Fair and Accurate Credit Transactions Act, federal and state electronic crimes and privacy laws. Publicly traded organizations and their leaders may face responsibilities and liability under new Securities and Exchange Commission regulations. The Employee Benefit Security Administration considers managing cybersecurity risks a part of the fiduciary obligations of fiduciaries of employment-based health plans. Meanwhile, health care providers, insurance organizations and brokers, third party administrators, government contractors, attorneys and other advisors and others also may be subject to medical confidentiality and other data privacy and security obligations under federal and state electronic crimes, identity theft, ethics, professional licensure, contractual, common law privacy and other statutory and common laws.

While it commonly is necessary or advisable to involve consulting or other technical support in the conduct of these activities, HIPAA entities should keep in mind the likelihood that their analysis and review is likely to uncover and prompt discussion of potentially legally or politically sensitive information. For this reason, HIPAA entities and their leaders generally will want to engage experienced legal counsel for assistance in structuring and executing these activities to maximize their ability to claim attorney-client privilege or other evidentiary protections against discovery or disclosure of certain aspects of these activities.

Finally, HIPAA entities should keep in mind that HIPAA and other cybersecurity compliance and risk management is an ongoing process requiring constant awareness and diligence.  Consequently, HIPAA entities should both monitor OCR and other regulatory and enforcement developments as well as exercise ongoing vigilance to monitor and maintain compliance within their organizations.

For More Information

We hope this update is helpful. For more information about these or other health or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 35 plus years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

A Fellow in the American College of Employee Benefit Counsel, Co-Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee and Vice-Chair Elect of its International Employment Law Committee, Chair-Elect of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading-edge work, scholarship and thought leadership on healthcare and life science, managed care and insurance and other workforce and staffing, employee benefits, safety, contracting, quality assurance, compliance and risk management, and other legal, public policy and operational concerns in the healthcare and life sciences, employee benefits, managed care and insurance, technology and other related industries. She speaks and publishes extensively on these and other related compliance issues.

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, life sciences, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. Scribe for the ABA JCEB Annual Meeting with the HHS Office of Civil Rights, her experience includes extensive involvement throughout her career in advising health care and life sciences and other clients about preventing, investigating and defending EEOC, DOJ, OFCCP and other Civil Rights Act, Section 1557 and other HHS, HUD, banking, and other federal and state discrimination investigations, audits, lawsuits and other enforcement actions as well as advocacy before Congress and regulators regarding federal and state equal opportunity, equity and other laws. 

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here such as:

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and educational purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstances at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules make it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access to this publication. 

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2023 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™

Leave a Comment » | Health Care | Tagged: , , , , , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer