HITECH Act |

Banner Health Pays $1.25 Million To Settle Cybersecurity Breach Impacting Nearly 3 Million Individuals

February 3, 2023

Phoenix-based nonprofit health system Banner Health and its affiliates (“Banner Health”) paid $1.25 million and agreed to take corrective actions to resolve its exposure to potentially much greater Health Insurance Portability and Accountability Act (HIPAA) Security Rule civil monetary penalty exposure for a 2016 cyber hacking breach that compromised the personal health information of 2.81 million consumers. OCR used its February 2 announcement of the Banner Health settlement to warn health care providers, health plans, health care clearinghouses (“covered entities”) and business associates covered by HIPAA to guard their own systems containing protected health information against breach by cyber hacking.

Banner Health Settlement

Banner Health is one of the largest non-profit health systems in the country, with over 50,000 employees and operating in six states. Banner Health is the largest employer in Arizona and one of the largest in northern Colorado.

In November 2016, OCR initiated an investigation of Banner Health following the receipt of a breach report stating that a threat actor had gained unauthorized access to electronic protected health information, potentially affecting millions. The hacker accessed protected health information that included patient names, physician names, dates of birth, addresses, Social Security numbers, clinical details, dates of service, claims information, lab results, medications, diagnoses and conditions, and health insurance information.

OCR’s investigation found evidence of long-term, pervasive noncompliance with the HIPAA Security Rule across Banner Health’s organization, a serious concern given the size of this covered entity. Organizations must be proactive in their efforts to regularly monitor system activity for hacking incidents and have measures in place to sufficiently safeguard patient information from risk across their entire network.

The potential violations OCR identified specifically included:

A lack of an analysis to determine risks and vulnerabilities of electronic protected health information across the organization;
Insufficient monitoring of its health information systems’ activity to protect against a cyber-attack;
Failure to implement an authentication process to safeguard its electronic protected health information; and
Failure to have security measures in place to protect electronic protected health information from unauthorized access when it was being transmitted electronically.

Under the Resolution Agreement and Corrective Action Plan negotiated to resolve these potential violations, Banner Health paid $1,250,000 to OCR. Banner Health also agreed to implement a corrective action plan, which identifies steps Banner Health will take to resolve these potential violations of the HIPAA Security Rule and protect the security of electronic patient health information that will be monitored for two years by OCR to ensure compliance with the HIPAA Security Rule. Under the corrective action plan, Banner has agreed to take the following steps:

Conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic patient/system data across the organization
Develop and implement a risk management plan to address identified risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI
Develop, implement, and distribute policies and procedures for a risk analysis and risk management plan, the regular review of activity within their information systems, an authentication process to provide safeguards to data and records, and security measures to protect electronic protected health information from unauthorized access when it is being transmitted electronically, and
Report to HHS within thirty (30) days when workforce members fail to comply with the HIPAA Security Rule.

OCR Warns Other HIPAA-Covered Entities

In the health care sector, hacking is now the greatest threat to the privacy and security of protected health information. OCR’s announcement of the settlement reports 74 percent (74%) of the breaches reported to OCR in 2021 involved hacking/IT incidents.

The announcement also notes OCR offers an array of resources to help health care organizations bolster their cybersecurity posture and comply with the HIPAA Rules,

The settlement and OCR’s announcement warn other covered entities and business associates to use these and other necessary resources to protect their systems with protected health information from cyber hacking and other breaches.

In conjunction with reminding other covered entities of these resources, the settlement announcement quotes OCR Director Melanie Fontes Rainer as a warning, “Hackers continue to threaten the privacy and security of patient information held by health care organizations, including our nation’s hospitals, … It is imperative that hospitals and other covered entities and business associates be vigilant in taking robust steps to protect their systems, data, and records, and this begins with understanding their risks, and taking action to prevent, respond to and combat such cyber-attacks. … Cyber security is on all of us, and we must take steps to protect our health care systems from these attacks.”

OCR’s enforcement record confirms these are not idyl threats. Breaches of the Security or Breach Notification Rules often result in significant civil monetary penalty assessments or negotiated settlements to mitigate civil liability exposures arising out of such breaches. See e.g., Clinical Laboratory Pays $25,000 To Settle Potential HIPAA Security Rule Violations (May 25, 2021); Health Insurer Pays $5.1 Million to Settle Data Breach Affecting Over 9.3 Million People (January 15, 2021); Aetna Pays $1,000,000 to Settle Three HIPAA Breaches(October 28, 2020); Health Insurer Pays $6.85 Million to Settle Data Breach Affecting Over 10.4 Million People (September 25, 2020); HIPAA Business Associate Pays $2.3 Million to Settle Breach Affecting Protected Health Information of Over 6 million Individual – (September 23, 2020); Lifespan Pays $1,040,000 to OCR to Settle Unencrypted Stolen Laptop Breach (July 27, 2020); Small Health Care Provider Fails to Implement Multiple HIPAA Security Rule Requirements (July 23, 2020).

Alerts issued by OCR regarding heightened security risks in recent months and a growing tide of highly publicized breaches send a strong warning to other covered entities and their business associates to reconfirm the adequacy of their own HIPAA privacy, security, breach notification and other procedures and protections by among other things:

Reviewing and monitoring on a documented, ongoing basis the adequacy and susceptibilities of existing practices, policies, safeguards of their own organizations, as well as their business associates and their vendors within the scope of attorney-client privilege taking into consideration data available from OCR, data regarding known or potential susceptibilities within their own operations as well as in the media, and other developments to determine if additional steps are necessary or advisable.
Updating policies, privacy and other notices, practices, procedures, training and other practices as needed to promote compliance and defensibility.
Renegotiating and enhancing service provider agreements to detail the specific compliance, audit, oversight and reporting rights, workforce and vendor credentialing and access control, indemnification, insurance, cooperation and other rights and responsibilities of all entities and individuals that use, access or disclose, or provide systems, software or other services or tools that could impact on security; to clarify the respective rights, procedures and responsibilities of each party in regards to compliance audits, investigation, breach reporting, and mitigation; and other relevant matters.
Verifying and tightening technological and other tracking, documentation and safeguards and controls to the use, access and disclosure of protected health information and systems.
Conducting well-documented training as necessary to ensure that members of the workforce of each covered entity and business associate understand and are prepared to comply with the expanded requirements of HIPAA, understand their responsibilities and appropriate procedures for reporting and investigating potential breaches or other compliance concerns, and understand as well as are prepared to follow appropriate procedures for reporting and responding to suspected
violations or other indicia of potential security concerns.
Tracking and reviewing on a systemized, well-documented basis actual and near-miss security threats to evaluate, document decision-making and make timely adjustments to policies, practices, training, safeguards and other compliance components as necessary to identify and resolve risks.
Establishing and providing well-documented monitoring of compliance that includes board-level oversight and reporting at least quarterly and sooner in response to potential threat indicators.
Establishing and providing well-documented timely investigation and redress of reported
violations or other compliance concerns.
Establishing contingency plans for responding in the event of a breach.
Establishing a well-documented process for monitoring and updating policies, practices and other efforts in response to changes in risks, practices and requirements.
Preparing and maintaining a well-documented record of compliance, risk, investigation and other security activities.
Pursuing other appropriate strategies to enhance the covered entity’s ability to demonstrate its compliance commitment both on paper and in operation.

Because of susceptibilities in systems, software and other vendors of business associates, suppliers and other third parties, covered entities and their business associates should use care to assess and manage business associate and other vendor-associated risks and compliance as well as tighten business associate and other service agreements to promote the improved cooperation, coordination, management and oversight required to comply with the new breach notification and other HIPAA requirements by specifically mapping out these details.

Beyond these HIPAA exposures, breaches and other HIPAA noncompliance carries other liability risks. Leaders of covered entities or their business associates also are cautioned that while HIPAA itself does not generally create any private right of action for victims of breach under HIPAA, breaches may create substantial liability for their organizations or increasingly, organizational leaders. For instance, the Department of Health & Human Services has warned health care providers participating in Medicare or other federal programs and Medicare Advantage health plans that HIPAA compliance is a program term of participation.

Health care providers and health insurers can face liability under state data privacy and breach, negligence or other statutory or common laws. In addition, physicians and other licensed parties may face professional discipline or other professional liability for breaches violating statutory or ethical standards.

Health plans also face a myriad of other exposures from failing to use appropriate cyber safeguards. Plan fiduciaries of employment-based health plans covered by the Employee Retirement Income Security Act (“ERISA”) risk liability under ERISA’s fiduciary responsibility rules. The Department of Labor Employee Benefit Security Administration (“EBSA”) now audits the adequacy of the cybersecurity and other HIPAA compliance of health plans and their third-party administrators and other business associates as part of EBSA’s oversight and enforcement of ERISA. Department of Labor Assistant Secretary for EBSA Lisa Gomez confirmed audit and enforcement of cybersecurity obligations is a key priority in EBSA’s current work plan in her February 4, 2023 comments to the American Bar Association.

Meanwhile, the Securities and Exchange Commission has indicated that it plans to pursue enforcement against leaders of public health care or other public companies that fail to use appropriate care to ensure their organizations comply with privacy and data security obligations.

Furthermore, appropriate cyber security practices also may be advisable elements for organizations to include in their Federal Sentencing Guideline Compliance Programs to mitigate potential organization liability risks under federal electronic crime and related laws.

In the face of these risks and warnings, all covered entities and their business associates should reassess and confirm the adequacy of their and their business associates’ cyber security defenses and breach response preparations.

More Information

We hope this update is helpful. For more information about these or other health or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely-known for 35 plus years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

A Fellow in the American College of Employee Benefit Counsel, Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee, Chair-Elect of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading-edge work, scholarship and thought leadership on health and managed care and employer benefits legal, public policy and operational concerns in the healthcare, employer benefits, and insurance and financial services industries. She speaks and publishes extensively on HIPAA and other related compliance issues.

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here such as:

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and educational purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstances at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules make it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access to this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

Leave a Comment » | Cyber crime, data breach, data security, DME, Doctor, Employer, ERISA, Federal Sentencing Guidelines, Health Care Finance, Health Care Provider, Health Insurance, Health IT, Health Plan, Health Plans, HHS, HIPAA, HIPAA Cyber Crime, HITECH Act, home health, Hospice, Hospital, hospitals, Licensing, Meaningful Use, Medicaid, Medicaid Advantage, Medical Licensure, Medical Malpractice, Medical Privacy, Medical Records, Medicare, Medicare Advantage, OCR, Peer Review, Physician Licensing, retaliation, Technology, Telemedicine, Whistleblower | Tagged: ARRA, Breach Notification, CMS, Compliance, Corporate Compliance, Data Breach, Data Security, Doctor, DOJ, EHR, Electronic Health Records, Employer, false claims act, Federal Sentencing Guidelines, Health Care, Health Care Compliance, Health Care Fraud, Health Care Provider, Health Care Reimbursement, Health Insurance, Health IT, Health Plan, Health Plans, HHS, HIPAA, HIPAA Privacy, HITECH Act, Hospital, Hospitals, licensure, Medicaid, Medical Privacy, Medicare, OCR, Office of Civil Rights, OIG, PHI, Physician, Physicians, Privacy, Protected Health Information | Permalink
Posted by Cynthia Marcotte Stamer

OCR Dental Practices Settlements Warn Providers To Honor HIPAA Access Rights

September 20, 2022

Today’s U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announcement of resolution agreements with three separate dental practices warns all health care providers, health plans and health care clearinghouses of the importance of complying with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule’s patient right of access and other federal and state mandates about providing patients and health plan members access to their records.

The following three resolution agreements OCR announced September 20, 2022 underscore the importance and necessity of compliance with the right of access and other HIPAA requirements:

Chicago-based Family Dental Care, P.C. (“FDC”), paid $30,000.00 to resolve potential OCR charges aiding from OCR’s investigation located in Chicago, Illinois. OCR received a complaint on August 8, 2020, alleging that FDC failed to provide a former patient with timely access to her complete medical records. The former patient requested her entire medical records in May 2020, but received only portions. The former patient filed a complaint with OCR, and during OCR’s investigation, FDC provided her with the remainder of her records in October 2020. Thus, FDC did not provide a complete copy of the records until more than five months after the request was made. OCR’s investigation determined that FDC’s failure to provide timely access to the requested medical records was a potential violation of the HIPAA right of access provision. FDC agreed to pay $30,000 and implement a corrective action plan.

Georgia based dental and orthodontics provider Great Expressions Dental Center of Georgia, P.C. (“GEDC-GA”) paid $80,000 to resolve concerns arising from OCR’s investigation of a November 2020 complaint alleging that GEDC-GA would not provide an individual with copies of her medical records because she would not pay GEDC-GA’s $170 copying fee. The individual first requested her records in November 2019, but did not receive them until February 2021, over a year later. OCR’s investigation determined that GEDC-GA’s failure to provide timely access to the requested medical records, and its practice of assessing copying fees that were not reasonable and cost-based, were potential violations of the HIPAA right of access provision. GEDC-GA agreed to pay $80,000 and implement a corrective action plan.

Las Vegas, Nevada dental practice B. Steven L. Hardy, D.D.S., LTD, doing business as Paradise Family Dental (“Paradise”) paid $25,000 to resolve potential violations uncovered after OCR investigated an October 26, 2020 complaint alleging that Paradise had failed to provide a mother with copies of her and her minor child’s protected health information. The mother submitted multiple record requests between April 11, 2020, and December 4, 2020, but Paradise did not send the records until December 31, 2020, more than eight months after her initial request. OCR’s investigation determined that Paradise’s failure to provide timely access to the requested medical records was a potential violation of the HIPAA right of access provision. Paradise agreed to pay $25,000 and implement a corrective action plan.

The three newly announced resolution agreements bring to 41 the number of resolution agreements OCR has announced since announcing its program targeting access right violations. OCR call Rosov call Riedel access violations are the most common of all reported HIPAA violations.

OCR made clear its announcements of these resolution agreements to “send an important message to dental practices of all sizes that are covered by the HIPAA Rules to ensure they are following the law,” said OCR Director Melanie Fontes Rainer. “Patients have a fundamental right under HIPAA to receive their requested medical records, in most cases, within 30 days. I hope that these actions send the message of compliance so that patients do not have to file a complaint with OCR to have their medical records requests fulfilled.”

Health care providers as well as health plans should heed thus strong warning by ensuring their compliance with the HIPAA right of access as well as other applicable rules about providing patient and plan members copies of records or other data. for healthcare providers, you can please but are not limited to State medical records, ethics, and other rules and regulations. Or health plan, the HIPAA Records access rules are in addition to the Employee Retirement Invome Security Act mandates to provide plan records when requested.

If circumstances come to light that indicate a breach of the access or any other HIPAA standards, Covered Entities also promptly should work with legal counsel timely to investigate, determine and provide any required notifications or other corrective action and document their actions to meet applicable HIPAA and other legal obligations and mitigate liability.

Of course, all HIPAA-covered entities and their leaders always must keep in mind that their responsibilities and potential liability for mishandling protected health information could extend well beyond HIPAA. In addition to the civil monetary penalties HIPAA authorizes, mishandling the collection, protection or disposal of PHI or other sensitive data also can trigger other legal exposures. For instance, as HIPAA compliance is part of the Conditions of Participation that Medicare participating Covered Entities and Medicare Advantage Plans must meet to qualify for program participation, noncompliance could trigger program exclusion, False Claims Act or related exposures. Deficiencies in security or destruction of credit card, banking or other PHI that also qualifies as personal financial information could trigger exposure under Federal Trade Commission, state identity theft and privacy or other laws. Public companies and their leaders also may need to evaluate if deficiencies in their security or destruction protocols trigger investor disclosure obligations under Securities and Exchange Commission rules or other federal or state laws. Considering these and other exposures, documented, compliance and defensibility of PHI and other sensitive information use, protection, disclosure and destruction should rank high among the priorities of all Covered Entities and their leaders.

More Information

We hope this update is helpful. For more information about the these or other health or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.

Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

A Fellow in the American College of Employee Benefit Counsel, Vice Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on health and managed care industry legal, public policy and operational concerns.

Ms. Stamer’s work throughout her 30 plus year career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here.

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access of this publication.

Leave a Comment » | dental, Health Care | Tagged: Compliance, DME, Electronic Health Records, Federal Sentencing Guidelines, Health Care, Health Care Provider, Health IT, Health Plan, Health Plans, Health Policy, HIPAA, HIPAA Privacy, HITECH Act, Home Care, Hospital, Hospitals, Medicaid, Medical Licensure, Medical Practice, Medicare, OCR, ONC, pain management, PBMs, Pharma, pharmacist, pharmacy, PHI, physical therapy, Physician, Physicians, Privacy, Protected Health Information | Permalink
Posted by Cynthia Marcotte Stamer

Medical Clinic HIPAA Resolution Agreement Shows Need For Current Business Associate Agreements

April 24, 2017

Health care providers, health plans, health care clearinghouses and business associates must get and keep their business associate (BA) agreements (BAAs) in place, up- to-date, and readily available for inspection in accordance with the Health Insurance Portability & Accountability Act (HIPAA) Privacy Rule, 45 C.F.R. Part 160 and Subparts A and E of Part 164 (Privacy Rule). That’s the clear message physician practices and other health care providers, health plans, health care clearinghouses (“covered entities”) and their business associates should learn about Privacy Rule compliance from an April 17, 2017 HIPAA Resolution Agreement just announced by the Department of Health & Human Services (HHS) Office of Civil Rights (OCR) with the Center for Children’s Digestive Health (CCDH).

While the Resolution Agreement relates to breaches of the BAA requirements of a small pediatric practice, the Center for Children’s Digestive Health (CCDH), all health plans, health care providers and other covered entities and business associates should focus on the adequacy of their BAAs and their BAA recordkeeping. HIPAA compliance surveys reflect deficiencies with the BAA rules are common throughout the industry. These findings and the involvement of BAs in data breaches or other OCR enforcement activities suggest a high probability that many other covered entities and business associates may be sitting ducks for similar sanctions. See e.g., HIPAA Compliance Survey Churns Up Many Business Associate Problems (January 3, 2017).

The HIPAA Business Associate Agreement Requirements

OCR’s announcement of the CCDH Resolution Agreement is the latest in a growing series of HIPAA enforcement actions showing the growing risk covered entities and their business associates face for failing to take appropriate steps to comply with the BAA and other Privacy Rule requirements of HIPAA.

As compliance audits and surveys of covered entities and business associates suggest a high level of noncompliance with the business associate agreement requirements among covered entities and business associates, While the ever-growing list of Resolution Agreements and Civil Monetary Penalties announced by OCR cover a variety of categories of HIPAA violations, the CCDH Resolution Agreement highlights the importance of covered entities and their business associates ensuring that before the BA creates, accesses, receives, discloses, retains or destroys any PHI for the covered entity, a BAA meeting the Privacy Rule requirements is signed and retained for at least the six year period the Privacy Rule requires in a manner easily producible when and if OCR or another agency asks for a copy as part of an investigation or other compliance audit. See Privacy Rule §§ 164.502(e), 164.504(e), 164.532(d) and (e).

The Privacy Rule requires that covered entities and business associates enter into a written and signed business associate agreement that contains the elements specified in Privacy Rule § 164.504(e) before the business associate creates, uses, accesses or discloses PHI of the covered entity. Meanwhile, the Privacy Rule recordkeeping requirements require that covered entities and BAs maintain copies of these BAAs for a minimum of six years.

Violations of the Privacy Rule can carry stiff civil or even criminal penalties Pursuant to amendments to HIPAA enacted as part of the HITECH Act, civil penalties typically do not apply to violations punished under the criminal penalty rules of HIPAA set forth in Social Security Act , 42 U.S.C § 1320d-6 (Section 1177).

Under Section 1177, the criminal enforcement provisions of HIPAA authorize the Justice Department to prosecute a person who knowingly in violation of the Privacy Rule (1) uses or causes to be used a unique health identifier; (2) obtains individually identifiable health information relating to an individual; or (3) discloses individually identifiable health information to another person, punishable by the following criminal sanctions and penalties:

A fine of up to $50,000, imprisoned not more than 1 year, or both;
If the offense is committed under false pretenses, a fine of up to $100,000, imprisonment of not more than 5 years, or both; and
If the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, a fine of up to $250,000, imprisoned not more than 10 years, or both.

In contrast, as amended by the HITECH Act, the civil enforcement provisions of HIPAA empower OCR to impose Civil Monetary Penalties on both covered entities and BAs for violations of any of the requirements of the Privacy or Security Rules. The penalty ranges for civil violations depends upon the circumstances associated with the violations and are subject to upward adjustment for inflation. As most recently adjusted here effective September 6, 2016, the following currently are the progressively increasing Civil Monetary Penalty tiers:

A minimum penalty of $100 and a maximum penalty of $50,000 per violation, for violations which the CE or BA “did not know, and by exercising reasonable diligence would not have known” about using “the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances;”
A minimum penalty of $1,000 and a maximum penalty of $50,000 per violation, for violations for “reasonable cause” which do not rise to the level of “willful neglect” where “reasonable cause” means the “circumstances that would make it unreasonable for the covered entity, despite the exercise of ordinary business care and prudence, to comply with the violated Privacy Rule requirement;”
A minimum penalty of $10,000 and a maximum penalty of $50,000 per violation, for violations attributed to “willful neglect,” defined as “the conscious, intentional failure or reckless indifference to the obligation to comply” with the requirement or prohibition; and
A minimum penalty of $50,000 and a maximum penalty of $1.5 million per violation, for violations attributed to “willful neglect” not remedied within 30 days of the date that the covered entity or BA knew or should have known of the violation.

For continuing violations such as failing to implement a required BAA, OCR can treat each day of noncompliance as a separate violation. However, sanctions under each of these tiers generally are subject to a maximum penalty of $1,500,000 for violations of identical requirements or prohibitions during a calendar year. For violations such as the failure to implement and maintain a required BAA where more than one covered entity bears responsibility for the violation, OCR an impose Civil Monetary Penalties against each culpable party. OCR considers a variety of mitigating and aggravating facts and circumstances when arriving at the amount of the penalty within each of these applicable tiers to impose.

While criminal enforcement of HIPAA remains relatively rare, a review of the OCR enforcement record in recent years makes clear that civil enforcement of HIPAA and the sanctions imposed is growing. See e.g., $400K HIPAA Settlement Shows Need To Conduct Timely & Appropriate Risk Assessments; $5.5M Memorial HIPAA Resolution Agreement Shows Need To Audit. For more examples, also see here.

CCDH Sanctions For Violation Of HIPAA Business Associate Agreement Rules

The CCDH Resolution Agreement arises from violations of this requirement that OCR says it discovered as a result of a compliance review conducted in response to an OCR investigation of a CCDH business associate, FileFax, Inc. According to OCR, OCR found from the compliance review of CCDH triggered by OCR’s investigation of FileFax that while CCDH began disclosing PHI to Filefax in 2003 and that Filefax stored records containing protected health information (PHI) for CCDH, neither CCDH nor Filefax could produce a signed Business Associate Agreement (BAA) covering their relationship for any period before October 12, 2015.

Based on the resulting investigation, OCR concluded:

CCDH failed to obtain a BAA providing written assurances from Filefax that it would appropriately safeguard the PHI in Filefax’s possession or control satisfactory assurances as required by Privacy Rule §164.502(e); and
Because CCDH failed to secure the required BAA, it violated the Privacy Rule by impermissibly disclosing the PHI of at least 10,728 individuals to Filefax when CCDH transferred the PHI to Filefax without obtaining the requisite BAA from Filefax (Covered Conduct).

In the Resolution Agreement, CCDH agrees to pay HHS $31,000.00 (Resolution Amount) and enter into and comply with a Corrective Action Plan (CAP) in return for OCR’s release of CCDH from liability for “any actions it may have against CCDH under the HIPAA Rules” for the Covered Conduct. The Resolution Agreement only settles the civil monetary penalty and other OCR enforcement liabilities of CCDH with respect to the Covered Conduct. Its provisions expressly state the Resolution Agreement does not affect any exposures of CCDH to CCDH to OCR civil monetary penalties or other enforcement for any HIPAA violations other than the Covered Conduct.

Perhaps even more noteworthy given the HITECH Act’s provisions coordinating the civil and criminal sanctions of HIPAA, while the Resolution Agreement provides no clear indication that the Justice Department might be considering criminally prosecuting CCDH or any other party in relation to the Covered Conduct, the Resolution Agreement also expressly states that its provisions do not affect CCDH’s potential exposure, if any, to criminal prosecution by the Justice Department for a criminal violation of the Privacy Rules under Section 1177 of the Social Security Act.

Implications For Covered Entities & Business Associates

Covered entities and their business associates should heed the CCDH Resolution Agreement as a strong message from OCR to ensure their organizations are complying with HIPAA’s BAA and other requirements. The Resolution Agreement makes clear that the starting point of this compliance effort must be obtaining and maintaining the requisite BAAs for each BA relationship.

To position their organizations to withstand potential investigation by OCR, covered entities and BAs should start by conducting a well-documented audit within the scope of attorney-client privilege both to verify that an appropriate, signed BAA is in place for each BA relationship as well as adequacy of processes for identifying business associate relationships, ensuring that signed BAAs are in effect before BAs access any PHI, and for investigating, reporting and resolving any breaches of the HIPAA Privacy or Security Rules that may arise in the course of operations.

Conducting this audit as soon as possible is particularly important in light of reported findings of widespread compliance concerns. See HIPAA Compliance Survey Churns Up Many Business Associate Problems (January 3, 2017). As the audit process could identify potential violations or other legally sensitive concerns, covered entities and business associates generally will want to arrange for this audit and evaluation to be conducted under the supervision of legal counsel experienced with HIPAA within or pursuant to processes structured with the assistance of legal counsel within the scope of attorney-client privilege.

Beyond confirming all necessary BAAs are in place, covered entities and business associates also generally will want to evaluate the adequacy of BAs’ processes and procedures for maintaining compliance with the Privacy and Security Rules as well as processes and procedures for responding to audits, investigations and complaints, reporting and addressing breaches of electronic and other PHI and other possible compliance concerns under HIPAA and other related laws. In many instances, parties may n wish to revise and strengthen existing BAAs to more specifically define these policies and procedures more specifically as well as indemnification, cyber or other liability coverage requirements and other contractual provisions for allocating potential costs and liabilities arising from breaches, audits, investigations and other expenses associated with the administration of these provisions.

About The Author

Recognized by LexisNexis® Martindale-Hubbell® as a “AV-Preeminent” (Top 1%/ the highest) and “Top Rated Lawyer,” with special recognition as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Health Care,” “Labor & Employment,” “Tax: Erisa & Employee Benefits” and “Business and Commercial Law” by D Magazine, the author of this update is widely known for her 29 plus years’ of work in health care, health benefit, health policy and regulatory affairs and other health industry concerns as a practicing attorney and management consultant, thought leader, author, public policy advocate and lecturer.

Throughout her adult life and nearly 30-year legal career, Ms. Stamer’s legal, management and governmental affairs work has focused on helping health industry, health benefit and other organizations and their management use the law, performance and risk management tools and process to manage people, performance, quality, compliance, operations and risk. Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer supports these organizations and their leaders on both a real-time, “on demand” basis as well as outsourced operations or special counsel on an interim, special project, or ongoing basis with strategic planning and product and services development and innovation; workforce and operations management, crisis preparedness and response as well as to prevent, stabilize and cleanup legal and operational crises large and small that arise in the course of operations.

As a core component of her work, Ms. Stamer has worked extensively throughout her career with health care providers, health plans and insurers, managed care organizations, health care clearinghouses, their business associates, employers, banks and other financial institutions, management services organizations, professional associations, medical staffs, accreditation agencies, auditors, technology and other vendors and service providers, and others on legal and operational compliance, risk management and compliance, public policies and regulatory affairs, contracting, payer-provider, provider-provider, vendor, patient, governmental and community relations and matters including extensive involvement advising, representing and defending public and private hospitals and health care systems; physicians, physician organizations and medical staffs; specialty clinics and pharmacies; skilled nursing, home health, rehabilitation and other health care providers and facilities; medical staff, accreditation, peer review and quality committees and organizations; billing and management services organizations; consultants; investors; technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, insurers, self-insured health plans and other payers; and other health industry clients to manage and defend compliance, public policy, regulatory, staffing and other operations and risk management concerns. A core focus of this work includes work to establish and administer compliance and risk management policies; comply with requirements, investigate and respond to Board of Medicine, Health, Nursing, Pharmacy, Chiropractic, and other licensing agencies, Department of Aging & Disability, FDA, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; dealings with JCHO and other accreditation and quality organizations; investigation and defense of private litigation and other federal and state health care industry investigations and enforcement; insurance or other liability management and allocation; process and product development; managed care, physician and other staffing, business associate and other contracting; evaluation, commenting or seeking modification of regulatory guidance, and other regulatory and public policy advocacy; training and discipline; and a host of other related concerns for public and private health care providers, health insurers, health plans, technology and other vendors, employers, and others.

In the course of this work, Ms. Stamer has accumulated extensive experience helping health industry clients manage workforce, medical staff, vendors and suppliers, medical billing, reimbursement, claims and other provider-payer relations, business partners, and their recruitment, performance, discipline, compliance, safety, compensation, benefits, and training, board, medical staff and other governance; compliance and internal controls; strategic planning, process and quality improvement; change management; assess, deter, investigate and address staffing, quality, compliance and other performance; meaningful use, EMR, HIPAA and other data security and breach and other health IT and data; crisis preparedness and response; internal, government and third-party reporting, audits, investigations and enforcement; government affairs and public policy; and other compliance and risk management, government and regulatory affairs and operations concerns.

Author of leading works on HIPAA and other privacy and data security works and the scribe leading the American Bar Association Joint Committee on Employee Benefits Annual Agency Meeting with OCR, her experience includes extensive compliance, risk management and data breach and other crisis event investigation, response and remediation under HIPAA and other laws.

The American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting, former Vice President of the North Texas Health Care Compliance Professionals Association, past Chair of the ABA Health Law Section Managed Care & Insurance Section, past ABA JCEB Council Representative, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has worked closely with a diverse range of physicians, hospitals and healthcare systems, DME, Pharma, clinics, health care providers, managed care, insurance and other health care payers, quality assurance, credentialing, technical, research, public and private social and community organizations, and other health industry organizations and their management deal with governance; credentialing, patient relations and care; staffing, peer review, human resources and workforce performance management; outsourcing; internal controls and regulatory compliance; billing and reimbursement; physician, employment, vendor, managed care, government and other contracting; business transactions; grants; tax-exemption and not-for-profit; licensure and accreditation; vendor selection and management; privacy and data security; training; risk and change management; regulatory affairs and public policy and other concerns.

Past Chair of the ABA Managed Care & Insurance Interest Group and, a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also has extensive health care reimbursement and insurance experience advising and defending health care providers, payers, and others about Medicare, Medicaid, Medicare and Medicaid Advantage, Tri-Care, self-insured group, association, individual and group and other health benefit programs and coverages including but not limited to advising public and private payers about coverage and program design and documentation, advising and defending providers, payers and systems and billing services entities about systems and process design, audits, and other processes; provider credentialing, and contracting; providers and payer billing, reimbursement, claims audits, denials and appeals, coverage coordination, reporting, direct contracting, False Claims Act, Medicare & Medicaid, ERISA, state Prompt Pay, out-of-network and other nonpar, insured, and other health care claims, prepayment, post-payment and other coverage, claims denials, appeals, billing and fraud investigations and actions and other reimbursement and payment related investigation, enforcement, litigation and actions.

Heavily involved in health care and health information technology, data and related process and systems development, policy and operations innovation and a Scribe for ABA JCEB annual agency meeting with OCR for many years who has authored numerous highly-regarded works and training programs on HIPAA and other data security, privacy and use, Ms. Stamer also is widely recognized for her extensive work and leadership on leading edge health care and benefit policy and operational issues including meaningful use and EMR, billing and reimbursement, quality measurement and reimbursement, HIPAA, FACTA, PCI, trade secret, physician and other medical confidentiality and privacy, federal and state data security and data breach and other information privacy and data security rules and many other concerns.

In connection with this work, Ms. Stamer has worked extensively with health care providers, health plans, health care clearinghouses, their business associates, employers and other plan sponsors, banks and other financial institutions, and others on risk management and compliance with HIPAA, FACTA, trade secret and other information privacy and data security rules, including the establishment, documentation, implementation, audit and enforcement of policies, procedures, systems and safeguards, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and and enforcement, and a host of other related concerns. Her clients include public and private health care providers, health insurers, health plans, technology and other vendors, and others.

Her work includes both regulatory and public policy advocacy and thought leadership, as well as advising and representing a broad range of health industry and other clients about policy design, drafting, administration, business associate and other contracting, risk assessments, audits and other risk prevention and mitigation, investigation, reporting, mitigation and resolution of known or suspected violations or other incidents and responding to and defending investigations or other actions by plaintiffs, DOJ, OCR, FTC, state attorneys’ general and other federal or state agencies, other business partners, patients and others.

In addition to representing and advising these organizations, she also has conducted training on Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, MGMA, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.

A former lead consultant to the Government of Bolivia on its Pension Privatization Project with extensive domestic and international public policy concerns in Pensions, healthcare, workforce, immigration, tax, education and other areas.

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her thought leadership, experience and advocacy on these and other related concerns by her service in the leadership of the Solutions Law Press, Inc. Coalition for Responsible Health Policy, its PROJECT COPE: Coalition on Patient Empowerment, and a broad range of other professional and civic organizations including North Texas Healthcare Compliance Association, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children (now Warren Center For Children); current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, past Representative and chair of various committees of ABA Joint Committee on Employee Benefits; a ABA Health Law Coordinating Council representative, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, a former member of the Board of Directors of the Southwest Benefits Association and others.

Ms. Stamer also is a highly popular lecturer, symposium and chair, faculty member and author, who publishes and speaks extensively on health and managed care industry, human resources, employment and other privacy, data security and other technology, regulatory and operational risk management. Examples of her many highly regarded publications on these matters include “Protecting & Using Patient Data In Disease Management: Opportunities, Liabilities And Prescriptions,” “Privacy Invasions of Medical Care-An Emerging Perspective,” “Cybercrime and Identity Theft: Health Information Security: Beyond HIPAA,” as well as thousands of other publications, programs and workshops these and other concerns for the American Bar Association, ALI-ABA, American Health Lawyers, Society of Human Resources Professionals, the Southwest Benefits Association, the Society of Employee Benefits Administrators, the American Law Institute, Lexis-Nexis, Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, the HCCA, ISSA, HIMSS, Modern Healthcare, Managed Healthcare, Institute of Internal Auditors, Society of CPAs, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other symposia and publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, Insurance Thought Leadership and many other prominent publications and speaks and conducts training for a broad range of professional organizations.

For more information about Ms. Stamer or her health industry and other experience and involvements, see here or contact Ms. Stamer via telephone at (469) 767-8872 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources here.

©2017 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ All other rights reserved. For information about republication or other use, please contact Ms. Stamer here.

Leave a Comment » | Corporate Compliance, data breach, data security, DME, Doctor, drug treatment, E-Prescribing, Electronic Health Records, Federal Sentencing Guidelines, Health Care, Health Care Provider, Health Insurance Exchange, Health IT, Health Plan, HIPAA, HIPAA Cyber Crime, HITECH Act, Home Health, Hospice, Hospital, Hospital, hospitals, Inpatient Rehabilitation, Inpatient Rehabilitation Facility, managed care, Medical Privacy, Medical Records, Mental Health, Pharmaceudical, Pharmacy, Psychiatric, Technology, Telemedicine, Uncategorized | Tagged: business associate, clinic, confidentiality, Health Care Provider, Health Plan, HIPAA, HITECH Act, Medical Privacy, Physician, Privacy, Privacy Rule | Permalink
Posted by Cynthia Marcotte Stamer

McGraw Appointed New OCR Deputy Director

June 17, 2015

Manatt, Phelps & Phillips, LLP, Privacy and Data Security practice co-chair Deven McGraw has been tapped to serve as the new Department of Health & Human Services Office of Civil Rights Deputy Director for Health Information Privacy.

McGraw, who also previously served as the Director of the Health Privacy Project at the Center for Democracy & Technology, as the Chief Operating Officer at the National Partnership for Women & Families, and served as Chair of the federal Health IT Policy Committee Privacy and Security Workgroup.

According to OCR’s announcement of her appointment, McGraw will spearhead OCR’s policy, enforcement, and outreach efforts on the HIPAA Privacy, Security, and Breach Notification Rules; as well as lead OCR’s work on Presidential and Departmental priorities on health privacy and security. She is scheduled to join OCR on June 29, 2015.

More Information Or Assistance

If you need assistance reviewing or responding to these or other health care related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, may be able to help.

Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, Board Certified in Labor & Employment Law, and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 27 years of experience advising health industry clients about these and other matters. Her experience includes advising hospitals, nursing home, home health, rehabilitation and other health care providers and health industry clients to establish and administer compliance and risk management policies; prevent, conduct and investigate, and respond to peer review and other quality concerns; and to respond to Board of Medicine, Department of Aging & Disability, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns.

The scribe for the American Bar Association (ABA) Joint Committee on Employee Benefits annual agency meeting with the Department of Health & Human Services Office of Civil Rights, Ms. Stamer has worked extensively with health care providers, health plans, health care clearinghouses, their business associates, employers, banks and other financial institutions, and others on risk management and compliance with HIPAA and other information privacy and data security rules, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and enforcement, and a host of other related concerns. Her clients include public and private health care providers, health insurers, health plans, technology and other vendors, and others. In addition to representing and advising these organizations, she also has conducted training on Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.

A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Among others, Ms. Stamer recently chaired the Third Annual Health Care Privacy & Security Forum hosted in conjunction with the 7th Annual Southern California ISSA-HIMSS Privacy & Security Summit and has served on the steering committee for the Summit and spoken for the past four years. She also has provided HIPAA and other privacy and data security risk management and compliance training for the Association of state & Territorial Health Plans, a host of health care organizations, health plans, school districts and other academic medicine and other educational institutions, health plans, medical societies and staffs and others. She has been interviewed by national and local media about privacy and other issues arising in connection with the 2014 Ebola outbreak in Dallas and a wide range of other health care and other compliance, risk management and public policy concerns and her insights on these and other concerns frequently are published or quoted the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. You can get more information about her health industry experience here. If you need assistance responding to concerns about the matters discussed in this publication or other health care concerns, wish to obtain information about arranging for training or presentations by Ms. Stamer, wish to suggest a topic for a future program or update, or wish to request other information or materials, please contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

If you or someone else you know would like to receive future updates about developments on these and other concerns from Ms. Stamer, see here.

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns.

Other Helpful Resources & Other Information

We hope that this information is useful to you. If you found these updates of interest, you also be interested in one or more of the following other recent articles published on the Coalition for Responsible Health Care Reform electronic publication available here, our electronic Solutions Law Press Health Care Update publication available here, or our HR & Benefits Update electronic publication available here. You also can get access to information about how you can arrange for training on “Building Your Family’s Health Care Toolkit,” using the “PlayForLife” resources to organize low-cost wellness programs in your workplace, school, church or other communities, and other process improvement, compliance and other training and other resources for health care providers, employers, health plans, community leaders and others here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail by creating or updating your profile here. You can reach other recent updates and other informative publications and resources.

Examples of some of these recent health care related publications include:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. For important information concerning this communication click here.THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS. ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.

Leave a Comment » | Uncategorized | Tagged: Data Breach, HIPAA, HITECH Act, OCR, Privacy | Permalink
Posted by Cynthia Marcotte Stamer

Director of Texas Office of e-Health Coodination To Discuss Texas HIE Strategy in 3/14 HHS Sponsored Teleconference

March 14, 2012

On Wednesday, March 14, 2012 at 1 p.m. EDT, National eHealth Collaborative’s NeHC University will host Stephen Palmer, Director of the Office of e-Health Coordination at the Texas Health and Human Services Commission, to describe the HIE strategy being pursued by the state of Texas. Palmer will be joined by Kem McClelland of the Integrated Care Collaboration, Tony Gilman of the Texas Health Services Authority, and Bryan White of the North Texas Accountable Healthcare Partnership to showcase the Texas strategy in action and detail the progress that has been made on the ground.

To participate register and join NeHC University’s Spotlight on the Texas Statewide HIE Strategy.

For Help With Monitoring Developments, Compliance, Investigations Or Other Needs

Ms. Stamer also regularly works with OCR and other agencies, publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. For instance, Ms. Stamer for the second year will serve as the appointed scribe for the ABA Joint Committee on Employee Benefits Agency meeting with OCR. Her insights on HIPAA risk management and compliance frequently appear in medical privacy related publications of a broad range of health care, health plan and other industry publications Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others.

You can get more information about her HIPAA and other experience here.

If you need assistance with these or other compliance concerns, wish to inquire about arranging for compliance audit or training, or need legal representation on other matters please contact Ms. Stamer at (469) 767-8872 or via e-mail here.

If you need help investigating or responding to a known or suspected compliance, litigation or enforcement or other risk management concern, assistance with reviewing, updating, administering or defending a current or proposed employment, employee benefit, compensation or other management practice, wish to inquire about federal or state regulatory compliance audits, risk management or training, or need legal representation on other matters please contact Ms Stamer here or at (469) 767-8872.

[1] The Breach Notification Rule also requires that covered entities report smaller breaches annually to OCR as part of a consolidated disclosure.

For more tips, see here.

For Help With Monitoring Developments, Compliance, Investigations Or Other Needs

You can get more information about her HIPAA and other experience here.

Other Recent Updates & Resources

If you found this information of interest, you also may be interested in the following recent updates on health care, health plan and employee benefits, human resources and other risk management and compliance matters. Recent examples on health care compliance and risk management matters include:

For additional resources and publications training materials by Ms. Stamer, see here.

[*] The Breach Notification Rule also requires that covered entities report smaller breaches annually to OCR as part of a consolidated disclosure.

Leave a Comment » | Academic medicine, ARRA, Disease Management, DME, Doctor, Durable Medical Equipment, Electronic Health Records, Electronic Medical Records, Employee Benefits, Employer, Health Care, Health Care Provider, Health Insurance Exchange, Health IT, Health Plan, Health Plans, HIPAA, HITECH Act, Home Health, Hospital, Hospital, Indian Health, Meaningful Use, Mental Heatlh, Pharmacy, Physician, Privacy | Tagged: Breach Notification, business associate, Health Care, Health Plan, HIPAA, HITECH Act, OCR | Permalink
Posted by Cynthia Marcotte Stamer

$1.5 Million HIPAA Settlement Reached To Resolve 1st OCR Enforcement Action Prompted By HITECH Act Breach Report

March 13, 2012

Resolution Agreement Also 1^st Announced With Health Plan

Health care providers, health plans and other covered entities beware and prepare! Reporting a large breach under the HITECH Act breach notification rules will trigger a Department of Health & Human Services (HHS) Office of Civil Rights (OCR) investigation into whether OCR should impose civil monetary penalties against the reporting covered entity under the Privacy and Security Rules of the Health Insurance Portability & Accountability Act of 1996 (HIPAA).

Blue Cross Blue Shield of Tennessee (BCBST) has agreed to pay OCR $1,500,000 and to take certain other actions specified in a corrective action plan to avoid civil monetary penalties for charges of HIPAA violations. The BCBST Resolution Agreement is particularly significant, both as:

The first reported enforcement action directly resulting from the filing by a covered entity of a breach report required by the Health Information Technology for Economic and Clinical Health (HITECH) Act Breach Notification Rule; and
The first reported resolution agreement reached with a covered entity that is a health plan.

These notable enforcement firsts show the HITECH Breach Notification Rule’s significance as an OCR HIPAA enforcement tool, the heightened exposure to an OCR opening a HIPAA civil monetary penalty (CMP) investigation following a report, as well as the willingness of OCR to sanction health plans as well as other covered entities that breach HIPAA’s Privacy or Security Rules.

BCBST Investigation Began In Response to HITECH Act Breach Notification Rule Report

The OCR investigation that lead to the BCBST settlement began in response to BCBST making a report required under the Breach Notification Rule of the theft of 57 unencrypted computer hard drives from a leased facility in Tennessee, which contained the protected health information (PHI) of over 1 million individuals. Read more details here.

The Breach Notification Rule enacted as part of amendments to HIPAA under the HITECH Act requires covered entities to report an impermissible use or disclosure of protected health information, or a “breach,” of 500 individuals or more to HHS and the media as well as an annual consolidated report of smaller breaches to HHS.[1] Along with the Breach Notification Rules, the HITECH Act also increased the civil monetary penalties (CMPs) that covered entities like BCBST can incur for HIPAA violations. When it imposed its first ever CMP last year, OCR imposed a $4.3 million CMP against Cignet Health of Prince George’s County, Md. (Cignet).

In an apparent effort to impose a potentially larger CMP assessment arising from the investigation of its breach report, BCBST greed to pay $1,500,000 and adopt other corrective actions detailed in a corrective action plan.

Enforcement Actions Highlight Growing HIPAA Exposures For Covered Entities

The BCBST Resolution Agreements, like the Cignet CMP and other high dollar Resolution Agreements OCR has announced against various health care providers highlight the significance of the HITECH Act amendments to HIPAA’s enforcement and CMP rules, as well as the significance of its Breach Notification Rule as a tool in OCR’s investigation and enforcement efforts.

“This settlement sends an important message that OCR expects health plans and health care providers to have in place a carefully designed, delivered, and monitored HIPAA compliance program,” said OCR Director Leon Rodriguez. “The HITECH Breach Notification Rule is an important enforcement tool and OCR will continue to vigorously protect patients’ right to private and secure health information.”

The BCBST Resolution Agreement provides yet another reminder to covered entities and their business associates of the need to carefully and appropriately manage their HIPAA responsibilities. See HIPAA Heats Up: HITECH Act Changes Take Effect & OCR Begins Posting Names, Other Details Of Unsecured PHI Breach Reports On Website. Covered entities are urged to heed these warning by strengthening their HIPAA compliance and adopting other suitable safeguards to minimize HIPAA exposures. Fortips, see here.

For Help With Monitoring Developments, Compliance, Investigations Or Other Needs

You can get more information about her HIPAA and other experience here.

[1] The Breach Notification Rule also requires that covered entities report smaller breaches annually to OCR as part of a consolidated disclosure.

For more tips, see here.

For Help With Monitoring Developments, Compliance, Investigations Or Other Needs

You can get more information about her HIPAA and other experience here.

Other Recent Updates & Resources

For additional resources and publications training materials by Ms. Stamer, see here.

[*] The Breach Notification Rule also requires that covered entities report smaller breaches annually to OCR as part of a consolidated disclosure.

ONC Releases Proposed Rules For Meaningful Use Stage 2

February 23, 2012

The Office of the National Coordinator for Health Information Technology (ONC) published its Notice of Proposed Rulemaking for Stage 2 Meaningful Use (Proposed Rule) in the Federal Register today (February 23).

The Proposed Rule available here outlines the next stage of meaningful use for the Electronic Health Record (EHR) Incentive Programs administered by CMS.

CMS has developed a fact sheet to give providers an overview of the rule and how Stage 2 expands upon Stage 1 of meaningful use. The fact sheet can be found here.

For More Information Or Assistance

If you need assistance reviewing or responding to these or other health care related technology, risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, may be able to help. Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 24 years experience advising health industry clients about these and other matters. Her experience includes advising hospitals, nursing home, home health, rehabilitation and other health care providers, health care technology and other health industry clients to set up and administer privacy and technology; workforce and staffing; operations; compliance and risk management policies; prevent, conduct and investigate, and respond to peer review and other quality concerns; and to respond to Board of Medicine, Department of Aging & Disability, Drug Enforcement Agency, OCR Privacy and Civil Rights, HHS, DOD and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns.

Her insights on these and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. You can get more information about her health industry experience here. If you need assistance responding to concerns about the matters discussed in this publication or other health care concerns, wish to obtain information about arranging for training or presentations by Ms. Stamer, wish to suggest a topic for a future program or update, or wish to request other information or materials, please contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

If you or someone else you know would like to receive future updates about developments on these and other concerns from Ms. Stamer, see here.

About Solutions Law Press

THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS. ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.

Leave a Comment » | Academic medicine, Affordable Care Act, ASC, Corporate Compliance, Doctor, E-Prescribing, Electronic Health Records, Electronic Medical Records, FDA, Federal Health Center, Grants, Health Care, Health Care Provider, Health Care Quality, Health Care Reform, Health IT, HIPAA, HITECH Act, Home Health, Hospital, Hospital, Licensing, Meaningful Use, Medicaid, Medicare Fee Schedule, OCR, OIG, Outcomes Data, Physician, Physician Licensing, Public Policy, Reimbursement, Rural Health Care, Substance Abuse | Tagged: EMR, Health Care, health care IT, health care technology, HIPAA, HITECH Act, Hospitals, Meaningful Use, Physicians, Privacy, Technology | Permalink
Posted by Cynthia Marcotte Stamer

ONC Touts Research On Health IT Benefits In Health Affairs Article

March 20, 2011

Researchers from the Office of the National Coordinator for Health Information Technology (ONC) and other Department of Health & Human Services (HHS) leaders are touting new studies they say show the benefits of investing in health information technology (health IT).

Under the Health Information Technology for Economic and Clinical Health Act (HITECH), part of the American Recovery and Reinvestment Act of 2009, as much as $27 billion Medicare and Medicaid incentive payments will be available to eligible professionals, eligible hospitals, and critical access hospitals when they adopt certified EHR technology and successfully demonstrate “meaningful use” of the technology in ways that improve quality, safety, and effectiveness of patient-centered care.

On March 8, 2011, ONC researches reported results of a comprehensive review of recent studies it says show the effects of health IT on key aspects of health care on the ONC website and in Health Affairs.

According to Donald Berwick, M.D., administrator of the Centers for Medicare & Medicaid Services, the study supports the investments that the HITECH Act makes in health IT. “These new findings are very significant in helping to confirm that our Nation has made the right choice in moving aggressively toward adoption of health information technology,” said Dr. Berwick. “These new findings are very significant in helping to confirm that our Nation has made the right choice in moving aggressively toward adoption of health information technology.”

The review included articles published from July 2007 up to February 2010, following up on earlier reviews of articles from 1995 to 2004 and from 2004 to 2007. This latest review initially surveyed more than 4,000 peer-reviewed articles, of which 154 were found qualified for the parameters of the study, a number similar to the previous efforts. In addition to quality and efficiency of care, the authors categorized additional outcomes including access to care, preventive care, care process, patient safety, and provider or patient satisfaction.

According to the authors, a current review of 154 peer-reviewed studies from July 2007 to February 2010 found:

More than 92 percent reached positive overall conclusions on the effects of health IT;
30 percent found mixed but predominantly positive results; and
Ten articles were found to have negative or mixed-negative results.

ONC reports that the review also reflected a new balance of evidence between HIT “leader” organizations and other entities, especially smaller medical practices. In previous years, much evidence has come from the “leaders.” The current review shows increased evidence of benefits for others as well.

Examples of positive results highlighted by ONC in its reports include:

One study found that at three New York City dialysis centers, patient mortality decreased by as much as 48 percent while nurse staffing decreased by 25 percent in the three years following implementation of electronic health records (EHRs).
In an inpatient study, a clinical decision support tool designed to decrease unnecessary red blood cell transfusions reduced both transfusions and costs, with no increase in patient length-of-stay or mortality.
Another study addressing HIT in 41 Texas hospitals found that hospitals with more advanced HIT had fewer complications, lower mortality and lower costs than hospitals with less advanced HIT.

ONC researchers report that negative findings in the study were most often associated with provider or staff satisfaction related to difficulties in the process of transitioning from paper-based to electronic-based records and care. The researchers conclude these findings “highlight the need for studies that document the challenging aspects of implementing HIT more specifically and how these challenges might be addressed,” such as through strong leadership or staff participation when adopting and implementing HIT.

Reflecting on the findings, Surgeon General Regina Benjamin, M.D., said, “My own personal experience in switching my practice from paper to EHRs showed that the change requires some initial effort; however, it did not interrupt work flow in the clinic. The results are better care for patients and new opportunities for the physician and staff to improve quality outcomes.” Dr. Benjamin switched to EHRs in her Gulf Coast Alabama family practice after two hurricanes and a fire destroyed the clinic’s paper records.

At the Agency for Healthcare Research and Quality, where research into health informatics has been supported since 1968, agency Director Carolyn Clancy, M.D., called attention to the importance of rapid information feedback and current evidence as the Nation pursues HIT implementation. “As we have known, and this new review of the available literature shows, HIT holds tremendous potential to improve health care quality. It is important that we continue to use experience from the field and scientific evidence to guide our efforts to improve the quality and safety of health care for all Americans.”

For Help With Monitoring Developments, Compliance, Investigations Or Other Needs

If you need assistance monitoring federal health reform, policy or enforcement developments, or to review or respond to these or other health care or health IT related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, may be able to help. Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 23 years experience advising health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers and other health industry clients to establish and administer medical privacy and other compliance and risk management policies, to health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns/ She also regularly designs and presents risk management, compliance and other training for health care providers, professional associations and others including highly popular programs on “Sex Drugs & Rock ‘N Role: Managing Personal Misconduct in Health Care,” “Managing Physician Performance” and others.. Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. You can get more information about her health industry experience here. If you need assistance with these or other compliance concerns, wish to inquire about arranging for compliance audit or training, or need legal representation on other matters please contact Ms. Stamer at (469) 767-8872 or via e-mail here.

About Solutions Law Press

Leave a Comment » | DME, Doctor, E-Prescribing, Electronic Health Records, Electronic Medical Records, Federal Health Center, Health Care, Health Care Fraud, Health Care Provider, Health Care Quality, Health Care Reform, Health IT, Health Plan, Health Plans, HITECH Act, Hospital, Hospital, Laws, Meaningful Use, Medicaid, Medicare, Medicare Advantage, Physician, Public Policy, Reimbursement | Tagged: EHR, Electronic Health Records, Electronic Medical Records, EMR, Health Care, Health IT, Health Technology, Heatlh Care Reform, HITECH Act, ONC | Permalink
Posted by Cynthia Marcotte Stamer

HHS to Host Regional 11/18 Meeting in LA as Part of HITECH Act Psychotherapy Notes &Testing Data Study

October 19, 2010

The Substance Abuse and Mental Health Services Administration (SAMHSA) in cooperation with the Office for Civil Rights (OCR) is conducting a Confidentiality and Privacy Issues Related to Psychological Testing Data study pursuant to section 13424 of the Health Information Technology for Economic and Clinical Health (HITECH) Act, a component of the American Recovery and Reinvestment Act (ARRA) (P.L. 111-5) to assess whether the HIPAA Privacy Rule’s special protections relating to the use and disclosure of psychotherapy notes should also be applied to “test data that is related to direct responses, scores, items, forms, protocols, manuals or other materials that are part of a mental health evaluation.”

As part of this study, SAMHSA is hosting public meetings to bring together professionals in the areas of mental health and privacy protection to discuss current practices and the policy implications surrounding this very important issue. The next regional public meeting will be held at the Sheraton Los Angeles Gateway Hotel in Los Angeles, California on November 18, 2010. The details of this meeting, as well as the project staff contact information, are contained in the embedded brochure below.

You can register for this meeting directly: here , or via the same announcement on OCR’s website here.

Other Recent Developments

If you found this information of interest, you also may be interested in reviewing some of the following recent Updates available online by clicking on the article title:

For More Information

We hope that this information is useful to you. If you need assistance evaluating or responding to the Health Care Reform Law or health care compliance, risk management, transactional, operational, reimbursement, or public policy concerns, please contact the author of this update, Cynthia Marcotte Stamer, at (469) 767-8872, cstamer@Solutionslawyer.net.

Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 23 years experience advising health industry clients about these and other matters. A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her insights on these and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. For additional information about Ms. Stamer, her experience, involvements, programs or publications, see here.

You can review other recent health care and internal controls resources and additional information about the health industry and other experience of Ms. Stamer here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile at here or e-mailing this information here. To unsubscribe, e-mail here.

Leave a Comment » | Doctor, Electronic Health Records, Electronic Medical Records, Health Care, Health IT, Health Plan, HIPAA, HITECH Act, Hospital, Hospital | Tagged: HIPAA, HITECH Act, Medical Confidentiality, Psychotheraphy Notes | Permalink
Posted by Cynthia Marcotte Stamer

CMS & ONC To Co-Host 7/22 ONC Certification & Medicare/Medicaid EHR Incentive Program Audio Training

July 20, 2010

The Centers for Medicare & Medicaid Services (CMS) and the Office of the National Coordinator for Health Information Technology (ONC) will co-host an Audio Training on the Final Rules for ONC Certification and Medicare and Medicaid Electronic Health Record (EHR) Incentive Programs on July 22, 2010 from 2:00-3:30 pm EST.

During the training, the Agencies plan to discuss:

Benefits of HIT
Summary of the final rules
ONC temporary certification process
ONC initial set of standards and implementation specifications
Medicare and Medicaid EHR Incentives Programs including the initial definition of meaningful Use

To join the audio training, dial 1-877-251-0301 and enter the Conference ID pass code: 87841621

Materials will be made available prior to the training at the following web address here.

For more information about CMS EMR incentives, see here.

The author of this update, attorney Cynthia Marcotte Stamer, has extensive experience advising and assisting health care providers, health plans and insurers, and other health and insurance industry clients with HIPAA, EMR and other privacy and data security, reimbursement, compliance, public policy, regulatory, staffing, and other operations and risk management matters. Ms. Stamer also regularly conducts training on these and other health industry technology, compliance, management and operations matters. You can get more information about her health industry experience here. If you need assistance with these or other compliance concerns, wish to inquire about arranging for compliance audit or training, or need legal representation on other matters please contact Ms. Stamer at (469) 767-8872 or via e-mail here.

Other Recent Developments

If you found this information of interest, you also may be interested in reviewing some of the following recent Updates available online by clicking on the article title:

For More Information

Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 23 years experience advising health industry clients about these and other matters. A popular lecturer and widely published author on health industry and human resources matters, Ms. Stamer continuously advises health industry clients about health industry and other related concerns. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her insights on these and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. For additional information about Ms. Stamer, her experience, involvements, programs or publications, see here.

Leave a Comment » | Affordable Care Act, ARRA, Doctor, E-Prescribing, Electronic Health Records, Genetic Information, GINA, Health Care, Health Care Provider, Health Care Reform, Health IT, Health Plan, Health Plans, HIPAA, HITECH Act, Hospital, Hospital, Meaningful Use, Medicaid, Medicare, Medicare Advantage, OCR, Privacy, Technology, Telemedicine | Tagged: Data Security, EHR, Electronic Health Records, EMR, Health Information Technology, Health IT, Hi-TECH Act, HIPAA, HITECH Act, IT, ONC, ONC Certification, Privacy | Permalink
Posted by Cynthia Marcotte Stamer

DEA/DOJ Release Interim Final E-Prescribing Rules

March 25, 2010

Health care providers wishing to electronically prescribe controlled substance should begin reviewing and updating their practices and technology to comply with requirements of the Interim Final Regulations scheduled for publication in the Federal Register on March 31, 2010. Read details at http://wp.me/ptOGJ-94

An advance copy of the new Interim Final Regulation with Request for Comments released March 24, 2010 by the Drug Enforcement Administration (DEA) and Department of Justice on Electronic Prescribing of Controlled Substance on is posted for review here.

Concurrent with publication of the Interim Final Rule, the DEA is inviting comment on DEA is seeking additional comments on the following issues: identity proofing, access control, authentication, biometric subsystems and testing of those subsystems, internal audit trails for electronic prescription applications, and third-party auditors and certification organizations.

About The Author

If you need assistance with health industry human resources or other management, concerns, wish to inquire about compliance, risk management or training, or need legal representation on other matters please contact Cynthia Marcotte Stamer at cstamer@solutionslawyer.net or (469) 767-8872.

Nationally and internationally recognized for more than 22 years of work with health industry technology, privacy and data security, regulatory compliance, reimbursement, workforce and staffing, licensure and accreditation, and other quality, risk management, operations and public policy matters organizations, publications, workshops and presentations and leadership Cynthia Marcotte Stamer has worked extensively with physicians, health systems, specialty and other pharmacy, telemedicine and other health technology, and other health industry clients on a diverse range of operational, product and process development, regulatory, licensure, public policy and risk management protections relating to e-prescribing, telemedicine, interoperable and other electronic health and medicine arrangements and other health care internal controls, process and privacy and technology matters. The publisher of the Solutions Law Press Health Care Update, and Solutions Law Press Health Care Privacy & Technology Update, Ms. Stamer also is a popular speaker and author of these and other health industry topics. She regularly publishes, speaks and conducts training for health industry and other organizations, the ABA, American Health Lawyers Association (AHLA), Health Care Compliance Association, Institute of Internal Auditors, various medical society and other professional organizations, the Medical Group Management Association, and many other organizations. Her many publications and programs include“Changing Regulations Will Ease Way for E-Prescribing, But Physicians Shouldn’t Jump the Gun,” “Telemedicine, E-Prescribing & Electronic Health Records: Opportunities & Exposures,” “Telemedicine & E-Prescribing: Evolving Ethical, Licensing & Reimbursement Rules & Realities,” the “Tort & Other Liability” Chapter of the ABA Health Law Section/BNA E-Health & Technology Treatise, “Protecting & Using Patient Data in Disease Management Opportunities, Liabilities and Prescriptions,” Chapter 1: Privacy.” The Quest for Interoperable Electronic Health Records: A Guide to Legal Issues in Establishing Health Information Networks (AHLA 2005) (Contributing Author), “Cybercrime and Identity Theft: Health Information Security beyond HIPAA,” “Privacy & Securities Standards-A Brief Nutshell” and numerous other programs and publications on telemedicine and e-prescribing, HIPAA and other privacy and data security, and other related internal controls and operational matters. Publishers of her many highly regarded writings on health industry and human resources matters include the Bureau of National Affairs, Aspen Publishers, ABA, AHLA, Spencer Publications, World At Work, SHRM, Business Insurance, James Publishing and many others. You can review other highlights of Ms. Stamer’s health care experience here, and employment experience here. Her insights on these and other matters appear in Managed Care Executive, Modern Health Care, the Wall Street Journal, the Dallas Business Journal, the Houston Business Journal, MDNews, Kentucky Physician, and many other national and local publications.

Other Resources

If you found this information of interest, you also may be interested in reviewing other updates and publications by Ms. Stamer including:

For More Information

We hope that this information is useful to you. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile at here or e-mailing this information here. To unsubscribe, e-mail here.

Leave a Comment » | Centers For Disease Control, Controlled Substances, Corporate Compliance, DEA, Doctor, E-Prescribing, Electronic Health Records, Electronic Medical Records, false claims act, FDA, Federal Sentencing Guidelines, Health Care, Health Care Finance, Health Care Fraud, Health Care Provider, Health Care Quality, Health Care Reform, Health IT, HIPAA, HITECH Act, Hospital, Licensing, Meaningful Use, Medicaid, Medical Licensure, Medicare, Medicare Advantage, Medicare Prescription Drug Program, Pharmacy, Physician, Physician Licensing, Prescription Drugs, Privacy, Reimbursement, Telemedicine | Tagged: Controlled Substances, DEA, E-Prescribing, Health IT, Health Technology, HIPAA, HITECH Act, Meaningful Use, Telemedicine | Permalink
Posted by Cynthia Marcotte Stamer

Forms & Instructions To Provide HITECH Act-Required Notice To OCR Of Breach of Unsecured Protected Health Information Posted

October 15, 2009

The Department of Health and Human Services (HHS) Office of Civil Rights (OCR) recently posted online forms and instructions for submitting notice of breaches of unsecured protected health information to OCR required under new protected health information breach notification rules enacted under the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Under Section 13402 of the Health Information Technology for Economic and Clinical Health (HITECH) Act as implemented by the Interim Final Breach Notification Regulations published by OCR in August, health care providers, health plans, and health care clearinghouses (covered entities) and their business associates within the meaning of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) must provide certain notifications within 60 days following discovery of a breach of unsecured protected health information to individuals whose protected health information was breached, OCR, and certain other parties. The new breach notification requirements apply to breaches occurring after September 23, 2009.

The required form to submit notice to and deadline for submitting notice to OCR depends on the number of affected individuals. For breaches affecting 500 or more individuals, notice of the breach must be submitted without unreasonable delay and no later than 60 days from the discovery of the breach. In other cases, notice to affected individuals still must be provided without unreasonable delay and within 60 days of discovery; but notification to CMS may be provided within 60 days of the end of the calendar year of discovery of the breach.

The author of this update, Curran Tomko Tarski LLP Partner Cynthia Marcotte Stamer has extensive experience advising covered entities, their business associates and others about HIPAA and other privacy and data security matters affecting covered entities and their business associates and has conducted training on the breach notification and other new HITECH Act rules and other HIPAA Privacy and Security matters. You can review her experience, learn how to access recordings of her presentations and other details here.

Other Recent Developments

If you found this information of interest, you also may be interested in reviewing some of the following recent Solution Law Press Health Care Updates available online by clicking on the article title below:

For More Information

We hope that this information is useful to you. If you need assistance with these or other health care public policy, regulatory, compliance, risk management, workforce and other staffing, transactional or operational concerns, please contact the author of this update, Curran Tomko Tarski LLP Health Practice Group Chair, Cynthia Marcotte Stamer, at (214) 270‑2402, cstamer@cttlegal.com, Ms. Stamer has extensive experience advising clients and writes and speaks extensively on these and other health industry and other reimbursement, operations, internal controls and risk management matters.

Ms. Stamer has extensive experience in these and other health industry related representation. You can review other recent health care and related resources and additional information about the health industry and other experience of Ms. Stamer here.

Leave a Comment » | ARRA, Electronic Health Records, Health Care, Health IT, Health Plan, Health Plans, Health Policy, HIPAA, HITECH Act | Tagged: Data Breach, Health Care, HIPAA, HITECH Act, Unsecured Protected Health Information | Permalink
Posted by Cynthia Marcotte Stamer

North Texas Healthcare Compliance Professional Association To Meet At Texas Health Resources On October 13

September 29, 2009

NORTH TEXAS HEALTHCARE COMPLIANCE PROFESSIONAL ASSOCIATION

October 13, 2009 Meeting Reminder

2:00 – 4:00 p.m. at the Texas Health Resources Pavilion

North Texas Health Care Compliance Professional Association’s October 13, 2009 Meeting will feature a participatory Health Care Compliance Roundtable Discussion of Hot Topics moderated by the Erma E. Lee, JPS Health Network District Compliance Officer and NTPCA President on Tuesday, October 13, 2009 from 2:00 – 4:00 p.m at the Texas Health Resources Pavilion located at 612 E. Lamar Blvd., Arlington, TX. Topics to be discussed include:

HIPAA Data Breach, Red Flag & Other Evolving Privacy & Data Security Obligations & Risks
Office of Civil Rights Health Industry Disability & Other Civil Rights Enforcement
Tax-Exemption Issues Including Proposed Form 990 and Exemption Reforms In Health Care Reform
Health Care Fraud Enforcement
Other Hot Developments

Come catch up on these and other new developments and exchange thoughts and insights with other Health Care Compliance Professionals!

NTHCPA thanks Texas Health Resources for hosting this month’s meeting.

For additional information, please contact NTHCPA Vice-President Cynthia Marcotte Stamer at (214) 270-2402 or by e-mail at cstamer@solutionslawyer.net.

We look forward to seeing you there!

About the NTHCPA

NTHCPA exists to champion ethical practice and compliance standards and to provide the necessary resources for ethics and compliance Professionals and others in North Texas who share these principles.

The vision of NTHCPA is to be a pre-eminent compliance and ethics group promoting lasting success and integrity of organizations within North Texas.

To register or update your registration or to receive notice of future meetings, e-mail here .

This communication may be considered a marketing communication for certain purposes. If you wish to update your e-mail for purposes of or would prefer not to receive future e-mail concerning meetings or other activities of the North Texas Healthcare Compliance Professionals Association or other marketing and promotional mailings from it, please send an email with the word “unsubscribe” in its subject heading to here.

Leave a Comment » | Anti-KickBack, ARRA, Disability Discrimination, Discrimination, Doctor, Electronic Health Records, Electronic Medical Records, Health Care, Health Care Finance, Health Care Fraud, Health Care Provider, Health Care Quality, Health IT, Health Policy, HIPAA, HITECH Act, Medicaid, Medicare, OCR, OIG, Physician, Privacy, Reimbursement, Tax, Tax-Exemption, Technology | Tagged: Data Security, Doctor, Events, false claims act, Form 990, Health Care, Health Care Compliance, Health Care Discrimination, Health Care Fraud, Health Care Policy, Health Care Reform, Health Care Reimbursement, Health Policy, HIPAA, HITECH Act, Hospital, North Texas Health Care Compliance Professionals Association, Physician, Red Flag Rules, Reimbursement, Tax-Exemption | Permalink
Posted by Cynthia Marcotte Stamer

Banner Health Pays $1.25 Million To Settle Cybersecurity Breach Impacting Nearly 3 Million Individuals

Banner Health Settlement

More Information

About the Author

About Solutions Law Press, Inc.™

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

OCR Dental Practices Settlements Warn Providers To Honor HIPAA Access Rights

More Information

About the Author

About Solutions Law Press, Inc.™

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Medical Clinic HIPAA Resolution Agreement Shows Need For Current Business Associate Agreements

McGraw Appointed New OCR Deputy Director

Director of Texas Office of e-Health Coodination To Discuss Texas HIE Strategy in 3/14 HHS Sponsored Teleconference

$1.5 Million HIPAA Settlement Reached To Resolve 1st OCR Enforcement Action Prompted By HITECH Act Breach Report

ONC Releases Proposed Rules For Meaningful Use Stage 2

ONC Touts Research On Health IT Benefits In Health Affairs Article

HHS to Host Regional 11/18 Meeting in LA as Part of HITECH Act Psychotherapy Notes &Testing Data Study

CMS & ONC To Co-Host 7/22 ONC Certification & Medicare/Medicaid EHR Incentive Program Audio Training

DEA/DOJ Release Interim Final E-Prescribing Rules

Forms & Instructions To Provide HITECH Act-Required Notice To OCR Of Breach of Unsecured Protected Health Information Posted

North Texas Healthcare Compliance Professional Association To Meet At Texas Health Resources On October 13

Recent Posts

Archives

About Cynthia Marcotte Stamer

Share this blog

Archives

Solutions Law Press Health Care Update

Banner Health Settlement

More Information

About the Author

About Solutions Law Press, Inc.™

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Share this:

More Information

About the Author

About Solutions Law Press, Inc.™

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Recent Posts

Archives

About Cynthia Marcotte Stamer

Share this blog

Archives

Solutions Law Press Health Care Update