Physician |

SCRA License Portability Rules Ease Employability Of Relocating Service Members & Their Spouses

December 27, 2025

Healthcare and other organizations should review new Department of Justice guidance about recent updates to the Servicemembers Civil Relief Act (SCRA) that make it easier for service members and spouses to meet state licensing requirements when relocated due to military orders. The rules make it easier for health care and other organizations to hire relocating service members and their spouses to fill positions nurses, doctors, pharmacists and other positions requiring licensure or certification under state law.

The Justice Department recently sent States a letter reminding them to evaluate their licensing practices for compliance with the December 23, 2024, SCRA amendments.

The amended SCRA rules now require all states to recognize as valid a medical or other professional license or certification of a service member or spouse of a service member when the servicemember or service member’s spouse:

Has a covered license;
Moves to another State due to military orders; and
Submits an application to the licensing authority of the new State.

The term ‘covered license’ means a professional license that, with respect to a scope of practice:

Is in good standing with the licensing authority that issued such license;
Has not been revoked or had discipline imposed by any State;
Does not have an investigation relating to unprofessional conduct pending in any State relating to it; and
Has not been voluntarily surrendered while under investigation for unprofessional conduct in any State.”

The application requirement is met by a submission by a servicemember or spouse to the new licensing authority that includes the following:

Proof of military orders;
If the applicant is the spouse of a servicemember, a copy of the marriage certificate;
A notarized affidavit affirming, under the penalty of law, that (A) the applicant is the person described and identified in the application; (B) all statements made in the application are true and correct and complete; (C) the applicant has read and understands the requirements to receive a license, and the scope of practice, of the State of the licensing authority; (D) the applicant certifies that the applicant meets and shall comply with requirements described in subparagraph (C); and (E) the applicant is in good standing in all States in which the applicant holds or has helda license.”

Under the updated law, a letter or any written communication from the servicemember’s commanding officer indicating a change in the servicemember’s duty status satisfies the requirement for proof of military orders (including orders for separation or retirement).

The new portability rules expedite the ability of health care and other organizations wishing to hire relocating service members or their spouses to clear health care or other licensing requirements.

If you have questions about this or other health care concerns, contact the author.

More Information

We hope this update is helpful. For more information about the or other health or other employee benefits, human resources, or health care developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.

Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Peer recognized as “Top Rated Lawyer” and “LEGAL LEADER™ “Top Rated Lawyer” and “Best Lawyer” for her work in Health Care Law, Labor and Employment Law; ERISA & Employee Benefits,” and “Business and Commercial Law,” Cynthia Marcotte Stamer is an A Martindale-Hubble “AV-Preeminent” (Top 1%) attorneys board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for her more than 35 years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications including leading edge work on PBM, pharmacy and pharmaceutical and other health care, managed care, insurance, and insured and self-insured contracting, design, administration and regulation.

Author of numerous highly regarded works on Section 504 and other health care, health insurance, health information technology, employment, education plan contracting and other compliance, enforcement, policy and other concerns she is Immediate Past Chair of the ABA International Section Life Sciences Committee and the Tort Trial and Insurance Practice Section Medicine and Law Committee, past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and past Group Chair and current Welfare Benefit Committee Co-Chair of the ABA RPTE Employee Benefits & Other Compensation Group.

Ms. Stamer is most widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on health and other privacy and data security and other health industry legal, public policy and operational concerns.

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. As a part of this work, she has continuously and extensively worked with domestic and international health plans, their sponsors, fiduciaries, administrators, and insurers; managed care and insurance organizations; third party administrators and other health benefit service providers; hospitals, health care systems and other health care providers, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; EMR, claims, payroll and other technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, self-insured health and other employee benefit plans, their sponsors, fiduciaries, administrators and service providers, insurers and other payers, health industry advocacy and other service providers and groups and other health and managed care industry clients as well as federal and state legislative, regulatory, investigatory and enforcement bodies and agencies.

She also has extensive experience helping health care systems and organizations, group and individual health care providers, health plans and insurers, health IT, life sciences and other health industry clients prevent, investigate, manage and resolve sexual assault, abuse, harassment and other organizational, provider and employee misconduct and other performance and behavior; manage Section 1557, Civil Rights Act and other discrimination and accommodation, and other regulatory, contractual and other compliance; vendors and suppliers; contracting and other terms of participation, medical billing, reimbursement, claims administration and coordination, Medicare, Medicaid, CHIP, Medicare/Medicaid Advantage, ERISA and other payers and other provider-payer relations, contracting, compliance and enforcement; Form 990 and other nonprofit and tax-exemption; fundraising, investors, joint venture, and other business partners; quality and other performance measurement, management, discipline and reporting; physician and other workforce recruiting, performance management, peer review and other investigations and discipline, wage and hour, payroll, gain-sharing and other pay-for performance and other compensation, training, outsourcing and other human resources and workforce matters; board, medical staff and other governance; strategic planning, process and quality improvement; meaningful use, EMR, HIPAA and other technology, data security and breach and other health IT and data; STARK, ant kickback, insurance, and other fraud prevention, investigation, defense and enforcement; audits, investigations, and enforcement actions; trade secrets and other intellectual property; crisis preparedness and response; internal, government and third-party licensure, credentialing, accreditation, HCQIA and other peer review and quality reporting, audits, investigations, enforcement and defense; patient relations and care; internal controls and regulatory compliance; payer-provider, provider-provider, vendor, patient, governmental and community relations; facilities, practice, products and other sales, mergers, acquisitions and other business and commercial transactions; government procurement and contracting; grants; tax-exemption and not-for-profit; privacy and data security; training; risk and change management; regulatory affairs and public policy; process, product and service improvement, development and innovation, and other legal and operational compliance and risk management, government and regulatory affairs and operations concerns. to establish, administer and defend workforce and staffing, quality, and other compliance, risk management and operational practices, policies and actions; comply with requirements; investigate and respond to Board of Medicine, Health, Nursing, Pharmacy, Chiropractic, and other licensing agencies, Department of Aging & Disability, FDA, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; JCHO and other accreditation and quality organizations; private litigation and other federal and state health care industry actions: regulatory and public policy advocacy; training and discipline; enforcement; and other strategic and operational concerns.

If you have questions about this or other health care concerns, contact the author.

©2025 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.

Leave a Comment » | Health Care, Licensing, Military, SCRA, TRICARE, Veterans Health Administration | Tagged: Health Care, Health Care Compliance, Health Care Policy, Health Care Provider, Hospital, licensure, Medical Board, Medicare, Military, pharmacist, Physician, Physicians | Permalink
Posted by Cynthia Marcotte Stamer

HHS Extends Fall Cures Act Attestations Condition and Maintenance of Certification Deadline

December 3, 2025

Health IT developers now have until January 1, 2026 to file the attestation of compliance with the Conditions and Maintenance of Certification requirements of 45 CFR part 170, subpart D implemented by the Department of Health and Human Services (“HHS”) under the ONC Cures Act Final Rule.

The ONC Cures Act Final Rule “Attestations” Condition and Maintenance of Certification requirements require a health IT developer, or its authorized representative that is capable of binding the health IT developer, to provide an attestation of compliance with the following Conditions and Maintenance of Certification requirements in 45 CFR part 170, subpart D to the HHS Secretary semiannually for any Health IT Modules that have or have had an active certification at any time under the ONC Health IT Certification Program (Certification Program) during the prior six months:

Information blocking (§ 170.401);
Assurances (§ 170.402), subject to more limited requirements if the health IT developer certified a Health IT Module(s) that is part of a health IT product which can store electronic health information;
Communications (§170.403);
Application programming interfaces (APIs) (§ 170.404), if the health IT developer has a Health IT Module(s) certified to certain certification criteria; and such health IT developer must also ensure that health IT allows for health information to be exchanged, accessed, and used, in the manner described in § 170.404; and
Real world testing (§ 170.405), if the health IT developer has a Health IT Module(s) certified to certain certification criteria.

Per Certification Program guidance, a health IT developer is required to submit its attestation to an ONC-Authorized Certification Body (ACB) within a designated 30-day window twice a year (every six months) during the months of April and October. April attestations cover the months of October–March, while October attestations cover April–September.[1]

From October 1, 2025, through November 12, 2025, the Assistant Secretary for Technology Policy (ASTP) and the Office of the National Coordinator for Health Information Technology (ONC) (collectively, “ASTP/ONC”) shut down due to a lapse in appropriations.

Shilehealth IT developers’ attestations were due by October 31, 2025, the government shutdown that resulted from the appropriations lapse made the ASTP/ONC website for attestation submissions and related compliance resources unavailable. ASTP/ONC staff also were unavailable to provide operational or program support for ONC-ACBs or health IT developers and their authorized representatives.

Due to these disruptions, ASTP/ONC has announced the following enforcement discretion:

ASTP/ONC will not exercise its direct review authority under 45 CFR 170.580 for any non-conformity, potential or actual, that arises solely from a health IT developer not complying with 45 CFR 170.406 until January 1, 2026. Specifically, ASTP/ONC will not exercise its direct review authority over a health IT developer’s obligation to submit their semiannual attestation that would have been due by October 31, 2025, until January 1, 2026, for such attestation.
ASTP/ONC will not conclude that an ONC-ACB has failed to review and submit health IT developer attestations to ASTP/ONC as required by 45 CFR 170.523(q), failed to ensure that health IT developers meet their attestation responsibilities as required by 45 CFR 170.550(l), or violated the good standing provisions of 45 CFR 170.560(a); or take any enforcement action under 45 CFR 170.565 against an ONC-ACB if an ONC-ACB does not review and submit health IT developers’ attestations originally due to ASTP/ONC by October 31, 2025, until January 1, 2026.

This enforcement discretion will apply until January 1, 2026 to give health IT developers and ONC-ACBs through December 31, 2025, to ensure submission of attestations for the period covering April 2025 through September 2025. The deadline for the April 2026 attestation submission, covering the period from October 2025 through March 2026 remains April 30, 2026.

For additional information on the attestation requirements, please see the Certification Companion Guide for Attestations and the Attestations Resource Guide.

For More Information Or Help

We hope this update is helpful. For more information about these or other health or other employee benefits, human resources, insurance, or health care legal developments, please contact the author, Cynthia Marcotte Stamer, via e-mail or telephone at (214) 452-8297.

Solutions Law Press invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating in and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Cynthia Marcotte Stamer is a Martindale-Hubble AV-Preeminent (highest/top 1%) practicing attorney nationally celebrated as a “Top Woman Lawyer,” “Top Rated Lawyer,” and “LEGAL LEADER™” in Health Care Law and Labor and Employment Law; among the “Best Lawyers In Dallas” in “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law recognized for her experience, scholarship, thought leadership and advocacy on health and other employee benefits, insurance, healthcare, workforce, HIPAA and other data and technology and other compliance in connection with her work with health care and life sciences, employee benefits, insurance, education, technology and other highly regulated and performance-dependent clients.

Board certified in labor and employment law by the Texas Board of Legal Specialization and a Fellow in the American College of Employee Benefits Counsel, Ms. Stamer is nationally recognized for her decades of leading edge experience on the design, sponsorship, administration and defense of health and other employee benefit, workforce, insurance, healthcare , data and technology and other operations to promote legal and operational compliance, reduce regulatory and other liability and promote other operational goals.

Along with her decades of legal and strategic consulting experience, Ms. Stamer also contributes her leadership and experience to many professional, civic and community organizations. She currently serves as Co-Chair of the ABA Real Property Trusts and Estates (“RPTE”) Section Welfare Plan Committee, Co-Chair of the ABA International Section International Employment Law Committee and its Annual Meeting Program Planning Committee, Chair Emeritus and Vice Chair of the ABA Tort Trial and Insurance (“TIPS”) Section Medicine and Law Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee. She also has served as Scribe for the Joint Committee on Employee Benefits (“JCEB”) annual agency meetings with the Department of Health and Human Services and JCEB Council Representative, International Section Life Sciences Committee Chair, RPTE Section Employee Benefits Group Chair and a Substantive Groups Committee Member, Health Law Section Managed Care & Insurance Interest Group Chair, as TIPS Section Medicine and Law Committee Chair and Employee Benefits Committee and Workers Compensation Committee Vice Chair, Tax Section Fringe Benefit Committee Chair, and in various other ABA leadership capacities. Ms. Stamer also is a former Southwest Benefits Association Board Member and Continuing Education Chair, SHRM National Consultant Board Chair and Region IV Chair, Dallas Bar Association Employee Benefits Committee Chair, former Texas Association of Business State, Regional and Dallas Chapter Chair, a founding board member and Past President of the Alliance for Healthcare Excellence, as well as in the leadership of many other professional, civic and community organizations. She also is recognized for her contributions to strengthening health care policy and charitable and community service resolving health care challenges performed under PROJECT COPE Coalition For Patient Empowerment initiative and many other pro bono service involvements locally, nationally and internationally.

Ms. Stamer is the author of many highly regarded works published by leading professional and business publishers, the ABA, the American Health Lawyers Association, and others. Ms. Stamer also frequently speaks and serves on the faculty and steering committee for many ABA and other professional and industry conferences and conducts leadership and industry training for a wide range of organizations.

For more information about Ms. Stamer or her health industry and other experience and involvements, see http://www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides health care, human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on health care, leadership, governance, human resources, employee benefits, data security and privacy, insurance, and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources including the following recent publications about related emerging developments:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. The author and Solutions Law Press, Inc. disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©️2025 Cynthia Marcotte Stamer. Reprinted by permission pursuant to non-exclusive license to Solutions Law Press.

[1] https://www.healthit.gov/condition-ccg/attestations

Leave a Comment » | Health Care | Tagged: Cares Act, Corporate Compliance, Health Care, Health Care Compliance, Health Care Provider, Health IT, healthcare, HHS, Physician | Permalink
Posted by Cynthia Marcotte Stamer

Prepare For Coverage Declines From Marketplace Rule Changes

June 26, 2025

Health care providers treating patients covered by the Heathcare Marketplace insurance plans created under the Patient Protection and (“ACA”) should prepare for fallout from a new Department of Health and Human Services (“HHS”) Final Rule that tightens subsidy and other eligibility and makes other reforms. Providers should anticipate and begin planning for fallout upon their organizations from the effect of these enrollment and coverage changes impacting their patients.

The 2025 Marketplace Integrity and Affordability Final Rule (“Rule”) reverses Biden Administration rules that loweredrequirements for individuals to receive subsidies to pay costs for purchasing health coverage and eased other requirements for Exchange coverage.

According to the now Trump Administration-led Centers for Medicare & Medicaid Services (“CMS”), improper ACA enrollments enabled by weakened verification processes and expanded premium subsidies triggered widespread fraud. Research shows that in 2024, an estimated 5 million people may have been improperly enrolled, costing taxpayers as much as $20 billion^[1].

To address these concerns, the new Rule:

Repealing the monthly special enrollment period (SEP) for individuals with projected household incomes at or below 150% of the federal poverty level, a policy used by some agents and brokers to improperly enroll ineligible consumers and perform unauthorized plan switching to gain commissions;
Requiring income verifications to ensure people qualify for the premium subsidies they receive;
Conducting eligibility verifications for the majority of enrollments through SEPs, closing loopholes that allowed people to wait to enroll until they needed care and improving the risk pool, which can lower premiums for middle-class families not receiving subsidies;
Reducing advanced payments of the premium tax credit (APTC) by $5 a month for individuals who are auto re-enrolled in fully-subsidized plans without eligibility verification, ensuring consumers are aware of and engaged in their health coverage; and
Standardizing the Annual Open Enrollment Period starting with the 2027 plan year so that it ends by December 31 for all health insurance exchanges, encouraging people to maintain year-round health coverage rather than waiting until they get sick to enroll, which helps keep insurance affordable for everyone.

CMS says many changes are “temporary” measures set to sunset at the end in 2026 to immediately tamp down on the outflow of funds to ensure that eligibility verification processes work efficiently and allow qualified enrollees to access ACA Exchange coverage without fear of coverage gaps or surprise tax liabilities resulting from the improper actions of third parties.

To ensure federal subsidies for coverage through ACA Exchanges only support the statutory requirements and goals of the ACA, CMS also is:

Prohibiting federal subsidies from being used to help cover the cost of specified sex-trait modification procedures to align an individual’s physical appearance or body with an asserted identity that differs from the individual’s sex; and
Reinstating HHS’ longstanding 2012 interpretation of “lawfully present” to exclude Deferred Action for Childhood Arrivals (DACA) recipients from eligibility and enrollment in ACA Exchange coverage and Basic Health Program (BHP) coverage in States that elect to operate a BHP, including APTC, premium tax credits, and cost-sharing reductions.

CMS says these reforms address “improper enrollments and the improper flow of federal funds implemented during the Biden Administration.

Regardless of the reason and duration of these changes, the Rule will trigger loss or other changes in enrollment or coverage for many patients reliant on the Marketplace for coverage. Health care practices should anticipate and prepare to deal the probable effects of these changes on their practices. While effects may vary, consequences foreseeable from these changes might include

More uninsured or underinsured patients;
Care adjustment and transitions by patients experiencing losses or reductions in coverage ;
Increased demand for cash pay, financing and other special arrangements;
Declines or delays in patient medication or other care compliance;
Enhanced accounts receivables and collections issues;
Lost revenue; and
More.

Anticipating and planning for the effects of the changes can help health care providers mitigate disruptions from the impending changes.

For More Information Or Help

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating in and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

About Solutions Law Press, Inc.™

©️2025 Cynthia Marcotte Stamer. Reprinted by permission pursuant to non-exclusive license to Solutions Law Press.

Leave a Comment » | Health Care | Tagged: ACA, Affordable Care Act, Health Care, Health Care Provider, Health Care Reimbursement, Health Insurance, Health Plan, Health Plans, healthcare, Hospital, pharmacist, Physician, Physicians, Reimbursement | Permalink
Posted by Cynthia Marcotte Stamer

Health Care Organizations Urged To Strengthen Right Of Conscience Defenses As HHS Opens 2 Right Of Conscience Investigations Within 1 Month Of Opening New Child Chemical Or Surgical Mutilation Whistleblower Portal

May 12, 2025

Health care organizations should move quickly to verify the defensibility of their current and past practices and actions for offering and providing religious accommodation and avoiding religious discrimination in light of the announcements by the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) of the opening of two new Church Amendment right of conscience investigations less than a month after of OCR published a new right of conscience guidance and launched a new online portal for whistleblowers to use to submit tips or complaints regarding the chemical and surgical mutilation of children. These developments are particularly concerning in light of the sharp reversal of the policies of the prior administration and the apparent current readiness of the agencies to treat actions taken under the previous administration’s policies as grounds for investigation or enforcement.

Federal Statutes Protect “Right of Conscience” In Health Care

While Federal protections against religious discrimination and infringement on rights of conscience and longstanding and well-established through the religious freedom and discrimination provisions of the First Amendment to the United States Constitution and the Civil Rights Act of 1964 (the “CRA”), and health care specific laws such as the Church Amendment, Section 1557 of the Patient Protection and Affordable Care Act (“Section 1557”) and other federal laws, President Trump’s policy directions on right of conscience and other religious freedom and discrimination are fueling new requirements and risks for health care organizations and other businesses and government organizations.

HHS interpretation and enforcement of the prohibitions against religious or other discrimination under Sectio 1557 and other federal rules protecting Rights of Conscience in health care is now rapidly evolving in response to recent Executive Orders of President Trump. Its announcement of two right of conscience investigations against health care organizations in less than a month illustrate the exploding risks that health care providers and other organizations receiving HHS funding face for excluding or discriminating against health care providers, patients, and certain other federal program participants who refuse on religious or moral grounds to participate in certain health care services under these federal health care right of conscience rules including the following:

Church Amendment

Enacted in the 1970s to protect the rights of individuals and entities to object to performing or assisting in the performance of certain procedures because of their religious beliefs or moral convictions, the Church Amendment:

Prohibits public officials and authorities from requiring recipients of certain federal financial assistance to provide or make their facilities available for abortion or sterilization when the recipient has a religious or moral objection to sterilization or abortion.
Prohibits entities that receive certain federal financial assistance from discriminating against physicians and health care personnel:
- because they performed a lawful sterilization, abortion, or other lawful health service or research activity,
- because they refused to perform a lawful sterilization, abortion, or other lawful health service or research activity, or
- because of their religious beliefs or moral convictions about sterilization, abortion, or any other lawful health services or research activities.
Protects individuals who object because of their religious or moral beliefs to performing or assisting in the performance of any part of a federally funded health service program or research activity.
Prohibits entities that receive certain federal financial assistance from discriminating against applicants for training or study because the applicant is reluctant or willing to participate in abortions or sterilizations due to their religious or moral beliefs.

Coats-Snow Amendment

The Coats-Snowe Amendment codified as Section 245 of the Public Health Service Act, prohibits the federal government and any state or local government receiving federal financial assistance from discriminating against any health care entity on the basis that the entity:

Refuses to undergo training in the performance of abortions;
Refuses to require or provide abortion training;
Refuses to perform abortions, or to provide referrals for abortion training or for abortions;
Refuses to make arrangements for any of the above activities related to abortion; or
Attends (or attended) a post-graduate physician training program, or any other program of training in the health professions, that does not (or did not) perform induced abortions or require, provide, or refer for training in the performance of induced abortions, or make arrangements for the provision of such training.

Weldon Amendment.

The Weldon Amendment provides that none of the funds made available in those HHS appropriations acts may be made available to a Federal agency or program, or to a state or local government, if the agency, program, or government discriminates against any institutional or individual health care entity on the basis that the health care entity does not provide, pay for, provide coverage of, or refer for abortions. It defines “health care entity” to include “an individual physician or other health care professional, a hospital, a provider-sponsored organization, a health maintenance organization, a health insurance plan, or any other kind of health care facility, organization, or plan.”

Trump Policy Directives Drive New Risks By Changing Prior Religion & Other Discrimination Interpretations & Prioritizing New Rule Enforcement For Past, Current & Future Actions

Although U.S. law long has protected religious freedom through the protections of the First Amendment to the United States Constitution, the Civil Rights Act of 1964 (the “CRA”), Section 1557 of the Patient Protection and Affordable Care Act (“Section 1557”) and other federal laws, President Trump’s policy directions on right of conscience and other religous freedom and discrimination, HHS interpretation and enforcement of these Rights of Conscience now are rapidly evolving in response to recent Executive Orders of President Trump.

Most directly, HHS’ new emphasis on investigation and enforcement of Rights of Conscience directly responds to Executive Orders of President Trump on religious freedom. On his Executive Order 14188 – Additional Measures To Combat Anti-Semitism (January 29, 2025), for instance, President Trump in declaring his administration’s commitment to combating the rise of anti-Semitism and anti-Semitic incidents in the United States and around the world and directing the Justice Department and other agencies to vigorously enforce Civil Rights Act Title VI, specifically noted the current prohibitions against anti-Semitism embedded in U.S. religious freedom laws, stating:

Title VI of the Civil Rights Act of 1964 (Title VI) prohibits discrimination on the basis of race, color, and national origin in programs and activities receiving Federal financial assistance. While Title VI does not cover discrimination based on religion, individuals who face discrimination on the basis of race, color, or national origin do not lose protection under Title VI for also being a member of a group that shares common religious practices. Discrimination against Jews may give rise to a Title VI violation when the discrimination is based on an individual’s race, color, or national origin.

In Executive Order 14202, Eradicating Anti-Christian Bias (February 6, 2025), President Trump ordered HHS and other agencies to review and recommend policy changes and other remedial actions to correct any unlawful anti-Christian policies, practices of the Biden Administration and develop other strategies to protect the religious liberties of Americans.

Subsequently, in his May 11, 2025, Executive Order 14291, Establishment of the Religious Liberty Commission, President Trump took aim at threats to religious freedom from efforts of certain Federal, state and local policies that President Trump views as infringing longstanding conscience protections, preventing parents from sending their children to religious schools, threatening loss of funding or denial of non-profit tax status for faith-based entities, and singling out religious groups and institutions for exclusion from governmental programs. To redress these threats, President Trump announced it is “the policy of the executive branch to vigorously enforce the historic and robust protections for religious liberty enshrined in Federal law” and to “promote citizens’ pride in our foundational history, identify emerging threats to religious liberty, uphold Federal laws that protect all citizens’ full participation in a pluralistic democracy, and protect the free exercise of religion.”

To implement this policy, President Trump established a “Religious Liberty Commission” to prepare a comprehensive report on the foundations of religious liberty in America, the impact of religious liberty on American society, current threats to domestic religious liberty, strategies to preserve and enhance religious liberty protections for future generations, and programs to increase awareness of and celebrate America’s peaceful religious pluralism. In defining the directives of the Commission, President Trump expressly included among the topics for consideration by the Commission “[c]onscience protections in the health care field and concerning vaccine mandates” and the Permitting time for voluntary prayer and rright of all Americans to freely exercise their faith without fear or Government censorship or retaliation. See Executive Order 14291, Establishment of the Religious Liberty Commission (May 1, 2025).

The Trump Administration’s emphasis on protecting federal right of conscience and other religious freedom protections is made more perilous by his sharp disagreement, revocation, and characterization as patently illegal various key aspects of the interpretation and enforcement policies of the Biden, Obama and other previous administration regarding federal right of conscience and other religious freedom, sexual orientation, reproductive rights and other civil rights policies and protections. See e.g., Executive Order 14281 -Restoring Equality of Opportunity and Meritocracy (April 23, 2025);

Beyond these religious freedom directives, President Trump also has issued other Executive Orders reversing key Biden Administration policies on politically sensitive policies often overlapping with issues of religious conscience. For instance, in one of his earliest actions upon commencing his second Presidency, President Trump overruled previous administrations’ policies that promoted and protected the right of individuals to self-define their own sex regardless of biological sex at birth and associated safeguards and protection by directing[1] that U.S. law recognize only two genders, male and female, the assignment of which is determined by the gender of an individual at birth.

Subsequently, in Executive Order 14187, Protecting Children From Chemical and Surgical Mutilation (January 28, 2025) overruled Biden Administration policies protective of gender transition and other treatments for gender dysphoria by ordering HHS to end take action to terminate all regulations and other policies and practices that allow or support chemical and surgical mutilation of children as a treatment of gender dysphoria.

Meanwhile, in his Executive Order 14182-Enforcing the Hyde Amendment (January 24, 2025), President Trump reversed key policies undertaken by the Biden Administration to mitigate the effects of the Supreme Court’s landmark Dobbs vs. Jackson Women’s Health Organization decision that overturned Roe vs. Wade by declaring the U.S. Constitution does not protect a woman’s right to an abortion.

In response to these and other Trump Executive Orders, HHS on April 14, 2025, published its new Guidance for Whistleblowers on the Chemical and Surgical Mutilation of Children (the “Whistleblower Guidance”). The Whistleblower Guidance explains the conditions under which the Health Insurance Portability & Accountability Act of 1996 (“HIPAA”) allows health care providers, health plans, health care clearinghouses or their business associates (“HIPAA Entities”) to disclose information about chemical or surgical mutilation of children in violation of Executive Order and key federal anti-retaliation protections for whistleblowers making these disclosures or engaging in other exercises of their Rights of Conscience under the Church Act.

New HIPAA Whistleblower Guidance

The HIPAA Privacy Rule generally prohibits use, disclosure, and protection of protected health information (“PHI) by HIPAA Entities. The Whistleblower Guidance notes that since its inception, the Privacy Rule has provided various pathways for HIPAA Entities to use and disclose PHI in connection with whistleblowing actions of their workforce members or business associates.

Along with the option to use de-identified information in whistleblower disclosures, the Whistleblower Guidance also notes that the whistleblower provision of the Privacy Rule provides that a HIPAA Entity is not considered to violate the Privacy Rule when a workforce member or business associate discloses PHI in the following circumstances:

The workforce member or business associate has a good faith belief that the conduct being reported is unlawful or otherwise violates professional or clinical standards, or that the care, services, or conditions provided by the covered entity potentially endangers one or more patients, workers, or the public[2], and
The workforce member or business associate of the covered entity discloses PHI to any of the following:

A health oversight agency[3] or public health authority[4] authorized by law to investigate or otherwise oversee the relevant conduct or conditions of the covered entity.
An appropriate health care accreditation organization[5], such as a state medical board, for the purpose of reporting the allegation of failure to meet professional standards[6] or misconduct by the covered entity.
An attorney retained by or on behalf of the workforce member or business associate for the purpose of determining his or her legal options with respect to whistleblowing.

Thus, the Whistleblower Guidance states the Privacy Rule protects a HIPAA Entity from liability for the good-faith whistleblower action of a member of its workforce or a business associate in these situations, but does not protect the HIPAA Entity where, for example, a member of its workforce or its business associate discloses PHI to a member of the media or in some other manner not in accordance with an allowable exception to the Privacy Rule.

Since the HIPAA Entities bear responsibility for inappropriate disclosures of PHI by whistleblowers from their workforce, the Whistleblower Guidance sends a strong message to HIPAA Entities to properly document and train workforce members about when and how HIPAA allows or prohibits the use of PHI when reporting known or suspected violations of the law.

Along with discussing when HIPAA allows whistleblowers to uses or disclose PHI to report illegal behavior, the Whistleblower Guidance also highlights the following as among the federal laws most likely pertinent for “protecting whistleblowers who take action related to ensuring compliance with” the Executive Order. EO 14187:

The National Defense Authorization Act of 2013 (“NDAA”) contains a broad whistleblower protection for employees of federal contractors and grantees by providing that “[a]n employee of a contractor, subcontractor, grantee, subgrantee, or personal services contractor may not be discharged, demoted, or otherwise discriminated against as a reprisal for disclosing to” certain statutorily defined officials and entities “information that the employee reasonably believes is evidence of gross mismanagement of a Federal contract or grant, a gross waste of Federal funds, an abuse of authority relating to a Federal contract or grant, a substantial and specific danger to public health or safety, or a violation of law, rule, or regulation related to a Federal contract (including the competition for or negotiation of a contract) or grant.”
The False Claims Act (“FCA”) anti-retaliation provisions protect “employee[s], contractor[s], [and] agent[s]” from discharge, demotion, suspension, or any other manner of discrimination “in the terms and conditions of employment” because of lawful acts taken by the individual in furtherance of a claim under the FCA or “other efforts to stop one or more violations of [the FCA]” where an individual must generally show that: (1) he or she is a covered “employee, contractor, or agent”; (2) he or she was engaged in activity protected by the statute; (3) he or she was retaliated against; and (4) the retaliation was “because of” protected activity.
The Church Amendments prohibits entities that receive certain federal financial assistance from discriminating “in the employment, promotion, or termination of employment of any physician or other health care personnel” or discriminating “in the extension of staff or other privileges to any physician or other health care personnel” because that individual “refused to perform or assist in the performance” of a “lawful sterilization procedure” “on the grounds that his performance or assistance in the performance of the procedure . . . would be contrary to his religious beliefs or moral convictions,” or “because of his religious beliefs or moral convictions respecting sterilization procedures[.]” In addition, 42 U.S.C. § 300a-7(d) provides: “No individual shall be required to perform or assist in the performance of any part of a health service program or research activity funded in whole or in part under a program administered by the Secretary of Health and Human Services if his performance or assistance in the performance of such part of such program or activity would be contrary to his religious beliefs or moral convictions.”
The HIPAA Privacy Rule generally requires HIPAA Entities to have and apply appropriate sanctions against members of its workforce who failed to comply with their privacy policies or procedures or with the requirements of the rule. However, Privacy Rule § 164.530€(1) explicitly excludes the application of sanctions to a member of the HIPAA Entity’s workforce for whistleblowing activity.

2 New Right Of Conscience Investigations Signal Growing Enforcement Risks

OCR’s announcement of its opening of two Right of Conscience investigations sends a clear warning to health care providers and other HHS-funded entities to ensure the defensibility of their own practices and policies for honoring the rights of conscience of their workforce and others they do business with in the course of their operations.

1st Right Of Conscience Investigation Announcement On April 14

On April 14, 2025, OCR announced its initiation of its first investigation of a major pediatric teaching hospital for allegedly terminating the employment of a whistleblower nurse for exercising her federally protected rights of conscience. According to the OCR announcement, the pediatric teaching hospital allegedly terminated the employment of a whistleblower nurse for exercising her federally protected rights of conscience. The OCR announcement states that the investigation will examine whether the pediatric hospital violated the Church Amendments by firing a whistleblower nurse after she requested a religious accommodation to avoid administering puberty blockers and cross-sex hormones to children, which she opposed due to religious beliefs about the sterilization effects of these interventions. The announcement also quotes Acting HHS OCR Director Anthony Archeval as stating, “The Department will robustly enforce Federal laws protecting these courageous whistleblowers, including laws that protect health care professionals from being forced to violate their religious beliefs or moral convictions.”

2^nd Right of Conscience Investigation Announcement On May 12

Less than one month after announcing its first investigation, OCR on May 12, 2025, announced its second right of conscience investigation against a hospital which is part of a larger health care system. According to the announcement, the investigation will focus on how the hospital accommodates its health care personnel who decline to perform or assist in the performance of abortion procedures contrary to their religious beliefs or moral convictions.

The second announcement notes that the investigations are “part of a larger effort to strengthen enforcement of laws protecting conscience and religious exercise.” It also quotes Acting OCR Director Archeval as stating, “The Department is committed to enforcement of our nation’s laws that safeguard the fundamental rights of conscience and religious exercise,” … “Health care professionals should not be coerced into, fired for, or driven out of the profession for declining to perform procedures that Federal law says they do not have to perform based on their religious beliefs or moral convictions.”

The new emphasis of HHS and other agencies on investigation and enforcement of federal protections for rights of conscience and other religious freedoms and other civil rights laws alone should prompt all health care and other HHS-regulated authorities prospectively to reevaluate and update their own practices to strengthen their defensibility under new standards. When assessing the adequacy of their existing policies and practices, health care and other covered organizations also should anticipate the likely need to defend past actions taking into account the Trump Administration’s sharp redirection of interpretations and enforcement away from the policies of the Biden Administration. Since the investigation and enforcement actions announced by HHS and other agencies so far retroactively apply the newly announced Trump-era interpretations and standards to investigations of events and actions that occurred during the Biden Administration, prospective changes to enhance the defensibility of current and future actions alone may not be enough. Rather, health care and other organizations need to prepare for the possibility that HHS or other agencies may require their organization to defend Biden-era events under the new Trump Administration interpretations of the Church Amendments, the CRA, Section 1557, and other federal rules on religious or other Civil Rights law discrimination. In the face of these developments, all health care organizations receiving funding from HHS should review their current and past policies and actions implicating potential exercises of rights of conscience regarding to the treatment of children for gender dysphoria, abortion and other reproductive rights and other areas likely to implicate the Church Amendments or other federally protected religious rights to assess their potential past exposures and mitigate future risks.

The author of this update, Cynthia Marcotte Stamer has decades of experience advising, representing, and defending health care providers, Medicare and Medicaid Advantage and other public and private health plans and plan sponsors, public and private employers, government contractors and grant recipients, educational organizations, child care facilities, employers, technology, data, third party administrators, and other managed care and other health care, defense, technology, life sciences and other clients about Civil Rights Laws and other religious, civil rights and other discrimination, HIPAA and other privacy and data security, False Claims Act and other billing and reimbursement, quality, technology, licensing and accreditation, whistleblower and other workforce, enforcement, governmental affairs, dispute resolution, and other compliance, risk management and operational matters. If you have questions or need advice or help evaluating or addressing these or other compliance, risk management, or other concerns, contact her.

For More Information

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for her more than 35 years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications including leading edge work on workforce and other risk management and compliance.

In addition, Ms. Stamer serves as a Scribe for the American Bar Association (“ABA”) Joint Committee on Employee Benefits annual agency meetings with OCR and shares her thought leadership as International Section Life Sciences Committee Vice Chair, and a former Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations.

Author of many highly regarded compliance, training and other resources on cybercrime and other data privacy and security, health and other employee benefits, health care, insurance, workforce and other risk management and compliance, Ms. Stamer is widely recognized for her thought leadership and advocacy in these matters.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

[1] See e.g., Executive Order 14168, Defending Women From Gender Ideology Extremism and Restoring Biological Truth to the Federal Government (January 20, 2025).

[2] 45 CFR 164.502(j)(1)(i).

[3] 45 CFR 164.501.

[4] 45 CFR 164.501.

[5] 65 Fed. Reg. at 82492.

[6] See 65 Fed. Reg. at 82727

Leave a Comment » | Civil Rights, Conditions of Participation, dei, Discrimination, Employment, Health Care, Health Care, Health Care Finance, home health, Hospital, Medicaid, Medicaid Advantage, Medical Licensure, Medicare, Medicare Advantage, OCR, Physician, Reimbursement, Section 1557 | Tagged: Church Amendments, Health, Health Care, Health Care Fraud, HIPAA, Hospital, Medicare, Physician, politics, Privacy | Permalink
Posted by Cynthia Marcotte Stamer

HHS Harvard University Action & Dear Colleague Letter Clarify Civil Rights Merit-Based Action & DEI Ban

May 6, 2025

The U.S. Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”) on May 7, 2025, clarified in a “Dear Colleague” letter its interpretation of what constitutes race-based discrimination under Title VI of the Civil Rights Act of 1964 (“Title VI”), Section 1557 of the Affordable Care Act (“Section 1557”), and the Equal Protection Clause of the 14th Amendment of the United States Constitution as applied to institutions of higher education, such as medical schools, and other entities that receive HHS funding in light of President Trump’s directives in Executive Order 14173, Ending Illegal Discrimination and Restoring Merit-Based Opportunity.

Evolving Application of Civil Rights Laws To DEI, Affirmative Action & Other Preferences

In Students for Fair Admissions v. Harvard, 600 U.S. 181 (2023), the Supreme Court ruled the DEI admissions policies applied by Harvard University and the University of North Carolina violated the Equal Protection Clause of the 14th Amendment. applies the case’s holding to Title VI and Section 1557. The Court ruled the requirement of equal treatment prohibits discrimination absent proof of a compelling government interest under a strict scrutiny standard. The Court ruled the universities failed to demonstrate the necessary compelling interest. Accordingly, the Court found their application of rave or other preferences violated the 14th Amendment.

Under Executive Order 14173, Ending Illegal Discrimination and Restoring Merit-Based Opportunity, President Trump directed federal agencies to enforce long-standing civil rights laws and “to combat illegal private sector diversity, equity and inclusion (“DEI”) preferences, mandates, policies, programs, and activities.”

HHS & ED Merit-Based Decisions Policy Investigations & Enforcement

During the second term of the Trump Administration, OCR has initiated seven investigations under federal civil rights law to promote merit-based opportunity.

The April 28, 2025 announcements of openings of discrimination investigations of Harvard by both HHS and ED of race discrimination investigation of both reports of race-based discrimination permeating the operations under Civil Rights Act is illustrative.

Opened in response to information HHS and ED received about policies and practices for journal membership and article selection, HHS’ and ED’s OCR investigations respond to reports of potential application of preferences in violation of EO 14173.

The Harvard Law Review’s editor reportedly wrote that it was “concerning” that “[f]our of the five people” who wanted to reply to an article about police reform “are white men.” Another HLR editor suggested “that a piece should be subject to expedited review because the author was a minority.”

Based on these reports, HHS and ED suspect Harvard Law Review’s article selection process ‘picks winners and losers on the basis of race, employing a spoils system in which the race of the legal scholar is as, if not more, important than the merit of the submission.

According to HHS and ED, these types of considerations based solely on race are illegal and unacceptable for recipients of federal funding.

“Law journal membership and publication are crucial achievements that build momentum for law students’ careers and shape legal scholarship,” said Anthony Archeval, Acting Director of HHS Office for Civil Rights. “This investigation reflects the Administration’s common-sense understanding that these opportunities should be earned through merit-based standards and not race.”

Acting Director Archeval warned, “Title VI’s demands are clear: recipients of federal financial assistance may not discriminate on the basis of race, color, or national origin. No institution—no matter its pedigree, prestige, or wealth—is above the law. The Trump Administration will not allow Harvard, or any other recipients of federal funds, to trample on anyone’s civil rights.”

The apparent triggering of the investigations based on “reports” of statements suggesting race bias of a nature often expressed within certain segments of many organizations highlights the challenges covered organizations are likely to experience in negotiating civil rights compliance. Health care, academic medicine and other organizations continue should ensure their merit based criteria and their underlying business justifications are clearly defined and defensible intheir form, design and administration.

Harvard stands to lose big if the investigations are not resolved in its favor. HHS and ED are threatening to terminate Carbert’s eligibility for federal funds from their agencies. Alongside the HHS and ED investigations, the Trump administration also has asked the internal Revenue Service to investigate whether Harvard’s policy of applying racial preferences, disqualifies it for continuing tax exemption under the Internal Revenue Code.

These high profile investigations are designed to send a strong signal to organizations to bring an end to DEI practices or face similar harsh consequences.

New Dear Colleague Letter Policy Clarification

This week , OCR followed up by sending out the Dear Colleague letter to reinforce and clarify its current policy on race preferences. Although the letter technically addresses, academic institutions, HHS says its principles apply to all programs funded and activities regulated by HHS.

The Dear Colleague letter reiterates that relying on race-based criteria, racial stereotypes, and facially neutral criteria that operates as a pretext for race are all prohibited under Title VI and Section 1557, including when diversity and racial-balancing are the aims.

In implementing President Trump’s “merit-based’ Civil Rights Laws interpretation, OCR’ Dear Colleague letter states OCR will prioritize investigations of institutions that:

Use race as part of their application or employment processes;
Require diversity, equity, and inclusion statements in connection with hiring or promotion; or
Lack clear policies demonstrating compliance with Students for Fair Admissions v. Harvard.

In light of OCR’s commitment to enforce this merit-based decision making requirement, the Dear Colleague letter advises medical schools and other entities receiving federal funding to ensure health care providers, and those in the health professions pipeline, are selected based on merit and clinical skills, not race,” said the Office for Civil Rights Acting Director, Anthony Archeval. HHS and ED also recommend academic healthcare and other HHS or ED funded organizations:

Ensure their policies and procedures comply with existing federal civil rights laws;
Discontinue criteria, tools, or processes that serve as substitutes for race or are intended to advance race-based decision-making; and
End reliance on third-party contractors, clearinghouses, or data aggregators that engage in prohibited uses of race.

The author of this update, Cynthia Marcotte Stamer has decades of experience advising academic medicine and other education, health care providers, Medicare and Medicaid Advantage and other public and private health plans and plan sponsors, government contractors and grant recipients, and their child care facilities, employers, technology, data, third party administrators, and other managed care and other health care, defense, technology, life sciences and other clients about Civil Rights Laws and other discrimination, quality, technology, reimbursement, licensing and accreditation, compliance, enforcement, governmental affairs, dispute resolution, and other compliance, risk management and operational matters. If you have questions or need advice or help evaluating or addressing these or other compliance, risk management, or other concerns, contact her.

For More Information

About the Author

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Leave a Comment » | Health Care | Tagged: academic medicine, Civil Rights, dei, Health Care, Health Care Compliance, Health Insurance, Health Plans, Hospital, pharmacy, Physician, Physicians | Permalink
Posted by Cynthia Marcotte Stamer

Risk Analysis Critical For Health Care Providers & Other HIPAA-Covered Entities To Manage OCR & Other Data Breach Exposures

April 22, 2025

With the financial impact to businesses suffering data breaches in 2024 now averaging nearly $5 million and the announcement by the Department of Health and Human Services Office of Civil Rights (“OCR”) two additional Health Insurance Portability & Accountability Act (“HIPAA”) “Risk Analysis Initiative” settlements in seven days, health care providers, health plans, healthcare clearinghouses (“Covered Entities”) and their business associates (collectively “Regulated Entities”) face a growing imperative to act now to promote the defensibility of their practices under the Risk Analysis and other HIPAA Privacy, Security, and Breach Notification Rule requirements. Coupled with OCR’s steady announcement of enforcement actions like those announced this month against NERAD and others under its Risk Analysis Initiative, OCR clearly is warning health care providers and other Regulated Entities to clean up and strengthen their Risk Analysis and other HIPAA Security Rule compliance.

HIPAA Risk Analysis Requirement & OCR Risk Analysis Initiative

The need for Regulated Entities to ensure their fulfillment of HIPAA’s Risk Analysis requirements to prevent and mitigate their legal, financial and operational exposures from breaches of electronic protected health information (“ePHI”) and to defend against a potential OCR Risk Analysis enforcement action or audit is demonstrated by OCR’s announcement of HIPAA Security Rule enforcement actions and settlements with Northeast Radiology, P.C. (NERAD) on April 10, 2025, and Guam Memorial Hospital Authority (“GMHA”) on April 17, 2025, the sixth and seventh under OCR’s recently announced HIPAA “Risk Analysis Initiative” .

Risk Analysis Longstanding HIPAA Requirement

The HIPAA Privacy, Security, and Breach Notification Rules require Regulated Entities to meet specific standards to protect the privacy and security of protected health information. Violation of these requirements exposes Regulated Entities to civil monetary penalties or even criminal penalties depending on the nature of the violation.

Since the HIPAA Security Rule first took effect, risk analysis is one of the four required implementation specifications Regulated Entities must meet under the Security Management Process standard in 45 CFR § 164.308.

To fulfill this Risk Analysis requirement, a Regulated Entity must conduct an “accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI” and “[i]mplement policies and procedures to prevent, detect, contain, and correct security violations.”

Additionally, in 45 CFR § 164.402 the HIPAA Breach Notification Rule requires a Regulated Entity that experiences an impermissible acquisition, access, use, or disclosure (“breach”) of unsecured ePHI to conduct a documented risk assessment to determine whether the Regulated Entity must notify affected individuals, OCR and in the case of breaches involving the ePHI of 500 or more individuals, the media. As consistently interpreted and applied by OCR, experiencing a breach or the existence of evidence putting the Regulated Entity on notice of a potential susceptibility creating a risk of a breach triggers a duty by the Regulated Entity to conduct a Risk Assessment to assess the susceptibility of its ePHI to the risk and the actions reasonably necessary to mitigate it under the Security Rule.

OCR views Risk Analysis as foundational to the protection of ePHI. As OCR Acting Director Anthony Archeval recently stated to explain OCR’s emphasis on Risk Analysis compliance and enforcement, “Ransomware and hacking are the primary cyber-threats to electronic protected health information within the health care industry. Failure to conduct a HIPAA risk analysis puts this information at risk and vulnerable to future ransomware attacks and other cyber-threats[.]” Consequently, OCR constantly has urged Regulated Entities to fulfill their Risk Analysis obligations since the earliest days of HIPAA. To promote compliance, OCR persistently has communicated the necessity and importance of the Risk Analysis in guidance and sought to reinforce the consequences of inadequate Risk Analysis by discussing the role of Risk Analysis deficiencies in creating the circumstances leading to enforcement actions against Regulated Entitles in its civil monetary penalty assessments and HIPAA settlement announcements.

OCR Raising Risk Analysis Expectations & Enforcement

Despite OCR’s constant and ever-rising efforts to promote compliance with the Risk Analysis requirements, however, OCR consistently has found deficiencies in Regulated Entities’ Risk Analysis in its breach investigations and audit findings since these rules became effective. As the number and magnitude of reported breaches of ePHI skyrocketing and massive breaches like those experienced in 2024 by UnitedHealthcare subsidiary Change Health, Ascension and others demonstrating the serious consequences ransomware and other cyberattacks can inflict on health care delivery, payment, and patient privacy, OCR is placing new emphasis on tightening both the requirements for Risk Analysis and its enforcement of compliance with the Risk Analysis requirements.

On December 27, 2024, for instance, OCR published a notice of proposed rulemaking that proposes to clarify and tighten significantly the Risk Analysis requirements and other elements of the HIPAA Security Rule. Along with proposing these heightened Risk Analysis requirements, OCR announced and now is zealously enforcing the current Risk Analysis requirements through its Risk Analysis Initiative to hold Regulated Entities accountable for failing to fulfill their Risk Analysis responsibilities as part of its heightened efforts to improve Regulated Entities’ fulfillment of their Risk Analysis obligations. With OCR’s announcement of the NERAD and GMHA enforcement actions on April 10 and April 17, respectively bringing to seven the number of Risk Analysis Initiative enforcement settlements in recent months, health care providers and other Regulated Entities should heed the schooling these and other similarly sanctioned organizations as a call to action to ensure their own Risk Analysis and other HIPAA Privacy, Security and Breach Rule compliance.

NERAD Enforcement Risk Analysis Initiative Enforcement Action & Settlement

The first of two Risk Analysis Initiative settlements announced in seven days in April and the sixth enforcement action and settlement specifically labeled as taken under the “Risk Analysis Initiative,” the NERAD enforcement action and settlement announced April 10, 2025 resolves liabilities for violation of the Risk Analysis Rule arising from OCR’s investigation of a breach of ePHI stored on NERAD’s Picture Archiving and Communication System (“PACS”) server for storing, retrieving, managing, and accessing radiology images.

OCR initiated its investigation of NERAD after receiving a NERAD breach report that between April 2019 and January 2020, unauthorized individuals accessed radiology images stored on NERAD’s PACS server. NERAD notified the 298,532 patients whose information was potentially accessible on the PACS server of this breach. OCR’s investigation found that NERAD had failed to conduct an accurate and thorough Risk Analysis to determine the potential risks and vulnerabilities to the ePHI in NERAD’s information systems.

To avoid potentially much greater HIPAA civil monetary penalties under the terms of the resolution agreement, NERAD paid OCR $350,000 and agreed to implement a corrective action plan that OCR will monitor for two years. Under the corrective action plan, NERAD will take steps to improve its compliance with the HIPAA Security Rule and protect the security of ePHI, including:

Conducting an accurate and thorough Risk Analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI;
Developing and implementing a risk management plan to address and mitigate security risks and vulnerabilities identified in its Risk Analysis;
Developing and implementing a written process to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports;
Developing, maintaining, and revising, as necessary, its written policies and procedures to comply with the HIPAA Rules; and
Augmenting its existing HIPAA and security training program to all of its workforce members who have access to PHI.

Guam Memorial Hospital Authority Risk Assessment Initiative & Ransomware Enforcement Action

Seven days after announcing the NERAD Risk Analysis enforcement action and settlement, OCR reaffirmed its commitment to enforcement of the Risk Analysis enforcement when it announced its first HIPAA settlement under the new Trump Administration with GMHA, a public hospital on the U.S. Territory, island of Guam, on April 17, 2025.

The seventh Risk Analysis Initiative enforcement action and eleventh ransomware enforcement action announced by OCR, the GMHA settlement arose from OCR’s investigation of two complaints alleging that GMHA impermissibly allowed the disclosure of ePHI of GMHA patients. OCR originally initiated its investigation in response to a January 2019 complaint alleging that GMHA experienced a ransomware attack affecting the ePHI of approximately 5,000 individuals. During the investigation, OCR received another complaint in March 2023 alleging that hackers accessed patient records. OCR’s investigation determined that GMHA had failed to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to ePHI held by GMHA.

Under the terms of the resolution agreement, GMHA paid OCR $25,000 and agreed to implement a corrective action plan that OCR will monitor for three years. In the corrective action plan, GMHA must take a number of steps to ensure compliance with the HIPAA Security Rule and protect the security of ePHI, including:

Conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI;
Develop and implement a risk management plan to address and mitigate security risks and vulnerabilities identified in its risk analysis;
Develop a written process to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports;
Develop, maintain, and revise, as necessary, written policies and procedures to comply with the HIPAA Privacy, Security and Breach Notification Rules;
Augment its existing HIPAA and security training program so all workforce members with access to PHI understand the HIPAA requirements and GMHA’s HIPAA policies and procedures;
Enhance workforce security and information access management by reviewing all access credentials that have been granted access to ePHI; and
Conduct breach risk assessments and provide evidence to OCR that all breach notification obligations have been conducted.

Required & Recommended Actions To Promote Defensibility Of Risk Analysis Compliance

With cyberattacks targeting health care and other Regulated Entities soaring and OCR stepping up its scrutiny of Regulated Entities’ Risk Analysis compliance in audits and enforcement actions, each health care provider and other Regulated Entity should review and tighten its Risk Analysis practices and documentation to reduce its susceptibility to potential breaches and to promote its ability to defend its compliance with the Risk Analysis requirements in the event of a breach investigation or audit.

Fulfill Current Risk Analysis Standards

To fulfill the “Risk Analysis” implantation specification, the Security Management Process Standard requires Regulated Entities enforce appropriate administrative, physical, and technical safeguards for the confidentiality, integrity, and security of electronic protected health information (“ePHI”) based on an up-to-date conduct of an up-to-date accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by that organization (“Risk Analysis”).

The Security Rule requires Regulated Entities to document each Risk Analysis in writing, to keep Risk Analysis documentation for six years, and to provide Risk Analysis documentation to OCR upon request.

Among other things, the Risk Analysis implementation standard requires regulated entities adequately to:

Identify where ePHI is located in the organization, including how ePHI enters, flows through, and leaves the organization’s information systems.
Integrate Risk Analysis and risk management into the organization’s business processes.
Ensure that audit controls are in place to record and examine information system activity.
Implement regular reviews of information system activity.
Utilize mechanisms to authenticate information to ensure only authorized users are accessing ePHI.
Encrypt ePHI in transit and at rest to guard against unauthorized access to ePHI when appropriate.
Incorporate lessons learned from incidents into the organization’s overall security management process.
Provide workforce members with regular HIPAA training that is specific to the organization and to the workforce members’ respective job duties.

Follow Proposed Rules & Enforcement Actions To Mitigate Risks

The proposed rule published by OCR on December 27, 2024, seeks to clarify and expand the original requirements of the Risk Assessment implementation standard based on OCR’s past HIPAA Security and Breach Rule investigation and enforcement experience. Under the proposed rule, a Regulated Entity’s Risk Analysis also would be required to include:

Require the development and revision of a technology asset inventory and a network map that illustrates the movement of ePHI throughout the regulated entity’s electronic information system(s) on an ongoing basis, at least once every 12 months and in response to a change in the regulated entity’s environment or operations that may affect ePHI.
Require greater specificity for conducting a risk analysis, including a written assessment that contains, among other things:
- A review of the technology asset inventory and network map;
- Identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI;
- Identification of potential vulnerabilities and predisposing conditions to the regulated entity’s relevant electronic information systems;
- An assessment of the risk level for each identified threat and vulnerability, based on the likelihood that each identified threat will exploit the identified vulnerabilities; and
- A review of the technology asset inventory and network map.

Other changes included in the proposed rule would further heighten the Risk Analysis and other Security Standard requirements for Regulated Entities. For instance, the proposed rule would require Regulated Entities:

To establish written procedures to restore the loss of certain relevant electronic information systems and data within 72 hours;
To perform an analysis of the relative criticality of their relevant electronic information systems and technology assets to determine the priority for restoration;
To establish written security incident response plans and procedures documenting how workforce members are to report suspected or known security incidents and how the regulated entity will respond to suspected or known security incidents;
To implement written procedures for testing and revising written security incident response plans;
To conduct a compliance audit at least once every 12 months to ensure their compliance with the Security Rule requirements;
To require business associates to verify at least once every 12 months for covered entities (and that business associate contractors verify at least once every 12 months for business associates) that they have deployed technical safeguards required by the Security Rule to protect ePHI through a written analysis of the business associate’s relevant electronic information systems by a subject matter expert and a written certification that the analysis has been performed and is accurate;
To encrypt ePHI at rest and in transit, with limited exceptions;
To establish and deploy technical controls for configuring relevant electronic information systems, including workstations, in a consistent manner including deployment of anti-malware protection, removal of extraneous software, and disabling network ports in accordance with the regulated entity’s risk analysis;
Use of multi-factor authentication, with limited exceptions;
Vulnerability scanning at least every six months and penetration testing at least once every 12 months;
Network segmentation;
Separate technical controls for backup and recovery of ePHI and relevant electronic information systems;
To review and test the effectiveness of certain security measures at least once every 12 months, in place of the current general requirement to maintain security measures;
Business associates to notify covered entities (and subcontractors to notify business associates) upon activation of their contingency plans without unreasonable delay, but no later than 24 hours after activation;
Group health plans to include in their plan documents requirements for their group health plan sponsors to: comply with the administrative, physical, and technical safeguards of the Security Rule; ensure that any agent to whom they provide ePHI agrees to implement the administrative, physical, and technical safeguards of the Security Rule; and notify their group health plans upon activation of their contingency plans without unreasonable delay, but no later than 24 hours after activation.

To help Regulated Entities understand and fulfill these responsibilities, OCR alone and in conjunction with the Office of the National Coordinator for Health Information Technology (“ONC”) also has published guidance like the HIPAA Security Risk Assessment (SRA) Tool. OCR guidance reflects that fulfillment of the Tool can help Regulated Entities may help defend but does not guarantee fulfillment of the Risk Assessment requirements, as the adequacy of the Risk Assessment always depends upon the unique facts and circumstances of the Regulated Entity at a particular time. This guidance confirms the importance of conducting timely and appropriate Risk Analysis in a manner that shows the Regulated Entity appropriately evaluated the risks to its e-PHI and acted reasonably in designing, administering, and updating that Risk Analysis to reasonably defend its e-PHI against breaches or other susceptibilities.

Since OCR’s guidance makes clear that the adequacy of a Regulated Entity’s Risk Analysis and other HIPAA Security compliance based on its evaluation and response to known and suspected susceptibility threats as conducted and documented pursuant to the Risk Analysis rule, health care providers and other Regulated Entities should view Risk Analysis as a ongoing process. While the Security Rule does not currently dictate how frequently a regulated entity must perform Risk Analysis, a proposed rule published by OCR on December 27, 2024 seeks to amend the existing Security Rule to expand the requirement to require regulated entities to develop and revise a technology asset inventory and a network map that illustrates the movement of ePHI throughout the regulated entity’s electronic information system(s) on an ongoing basis, at least once every 12 months and in response to a change in the regulated entity’s environment or operations that may affect ePHI. Although OCR has not yet officially adopted this and other changes contained in the proposed rule, substantial evidence exists that it already regularly administers the Risk Analysis requirement with the expectation that regulated entities will perform Risk Analysis at least this frequently. For instance, current OCR resolution agreements require impacted organizations to conduct Risk Analysis to identify and address vulnerabilities at least annually, and more frequently as needed in response to signs of potential breach or susceptibility. Likewise, since OCR developed the proposed rule from its past enforcement experience, wise Regulated Entities also will recognize the value of drawing upon the changes set forth in the proposed rule for helpful insights to strengthen the security of their ePHI generally and promoting the defensibility of the adequacy of their Risk Assessments.

Use Appropriate Process To Audit, Update & Strengthen Risk Defensibility

With the continued explosion in ransomware and other cyberthreats heightening the risk of experiencing a breach or other incident likely to draw the attention of OCR, each health plan or other Regulated Entity should take assess and confirm the adequacy of their current Risk Analysis, both to protect its ePHI and to promote its ability to defend its compliance with the HIPAA Security Rule’s Risk Analysis and other requirements in light of OCR’s heightened emphasis on Risk Analysis compliance and enforcement. For purposes of conducting this analysis, Regulated Entities generally will want to use a process like the following to structure their evaluation of their existing Risk Analysis to take advantage of the opportunity to use attorney-client privilege and other evidentiary rules to help protect discoverability of sensitive discussions about possible deficiencies in their existing Risk Analysis and discussions about potential tradeoffs considered in current or future Risk Analysis response:

Engage legal counsel experienced with HIPAA and other cybersecurity-related risks and liabilities to advise and assist your organization in designing and administering your Risk Analysis processes and response within the scope of attorney-client privilege;
Appoint and designate leadership and technical leadership for team responsible for design and administration of your organization’s initial and ongoing cybersecurity Risk Analysis and response (“Cyber-Risk Team”) and process for board and senior management reporting of the Cyber-Risk Team;
Select and engage outside consulting service providers, cyber-liability insurers and other risk service providers expected to participate in the process; work with qualified legal counsel to contract with these business associates to include the business associate agreement and other reassurances required by the HIPAA Privacy, Security and Breach Notification Rule and other performances, cooperation to provide and back services in accordance with agreed-upon protocols in the contract;
Train Cyber-Risk Team in the appropriate processes for working with internal teams, outside service providers, leadership, and designated legal counsel to conduct Risk Analysis, investigation and response using attorney-client privilege and other evidentiary tools and processes to maximize defensibility;
Require the Cyber-Risk Team conduct an updated, document assessment of cyber-risk within scope of attorney-client privilege and work with legal counsel to develop a documented cyber-risk policy that captures analysis and determinations for your justification for the size, scope and timing of your periodic Risk Analysis and rules and processes for interim risk identification, reassessments and response in reaction to potential cyber-risk signs between periodic Risk Analysis for presentation and approval by the Board taking into account the insights from published final and proposed guidance, enforcement actions and industry standards;
Require, oversee and enforce Cyber-Risk Team’s documented administration of the initial and subsequently required Risk Analysis and response pursuant to the adopted cyber-risk policy to identify vulnerabilities and work with legal counsel within the scope of privilege to document your analysis and justifications for addressing identified vulnerabilities and other required actions in response to identified susceptibilities or event;
Review adequacy of incident detection and response arrangements, including reporting and response mechanisms, insurance and indemnification protection, and other critical elements for mitigation and recovery; and
Other actions as warranted based on advice of counsel taking into account emerging threats, guidance, and risk susceptibility.

Although civil monetary penalties or settlements are the most common sanction imposed for HIPAA Security and Breach Notification rule violations, willful and certain other violations of HIPAA can trigger criminal liability subject to the Federal Sentencing Guidelines. Consequently, beyond fulfilling the specific requirements of HIPAA, an adequate Risk Assessment also can be an invaluable tool for helping mitigate Federal Sentencing Guideline exposures of a Regulated Entity and its leaders under the Federal Sentencing Guidelines Organizational Liability rules.

Beyond these specific HIPAA-associated exposures, Regulated Entities and their leaders should keep in mind that HIPAA is likely only one of many laws that define their responsibilities to secure, report, and respond to breaches of ePHI or other sensitive data. Depending on the location, nature and other circumstances, Regulated Entities and their leaders also may have additional responsibilities and liability exposures under a variety of other federal and state laws, ethical or other professional standards, and contractual obligations. For instance, inadequate data safeguards for ePHI also can trigger liability under the Fair and Accurate Credit Transactions Act, the Federal Trade Commission Act, and various electronic crimes statutes. The Securities and Exchange Commission rules can trigger disclosure and other obligations for publicly traded hospital or other health care providers, insurers, or their business associates. Health care providers, payers and others are likely to face specific additional health care or insurance-specific licensing and ethics rules, as well as other confidential information privacy, cybersecurity and breach reporting obligations and liability under various state statutes and regulations. Regulated Entities and their leaders generally will want to fully evaluate and manage these risks in conjunction with their compliance with the Risk Analysis and other requirements of the HIPAA Security and Breach Notification Rules.

The author of this update, Cynthia Marcotte Stamer is nationally known and celebrated for her experience providing advice and representation to health care providers, health insurers, employers and other health plan sponsors, health plans, health plan fiduciaries and administrators, third party administrators, human resources and health plan technology, and other businesses about HIPAA and other compliance, risk management and operational matters. If you have questions or need advice or help evaluating or addressing these or other compliance, risk management, or other concerns, contact her.

For More Information

We hope this update is helpful. For more information about these or other health or other employee benefits, human resources, or health care developments, please contact the author, Cynthia Marcotte Stamer, via e-mail or telephone at (214) 452-8297.

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Cynthia Marcotte Stamer is a Martindale-Hubble AV-Preeminent (highest/top 1%) practicing attorney recognized as a “Top Woman Lawyer,” “Top Rated Lawyer,” and “LEGAL LEADER™” in Health Care Law and Labor and Employment Law; among the “Best Lawyers In Dallas” in “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law recognized for her experience, scholarship, thought leadership and advocacy on HIPAA and other data and technology use, security and compliance in connection with her work with health care and life sciences, employee benefits, insurance, education, technology and other highly regulated and performance-dependent clients.

Board certified in labor and employment law by the Texas Board of Legal Specialization and a Fellow in the American College of Employee Benefits Counsel, Ms. Stamer works with these and other highly regulated or data and performance reliant businesses to design, risk manage, and defend their employment and other workforce, data and technology and other operations to promote legal and operational compliance, reduce regulatory and other liability and promote other operational goals.

Additionally,more her ABA involvements include than a decade of service as a Scribe for the Joint Committee on Employee Benefits (“JCEB”) annual agency meetings with the Department of Health and Human Services and JCEB Council Representative, International Section Life Sciences Committee Chair, RPTE Section Employee Benefits Group Chair and a Substantive Groups Committee Member, Health Law Section Managed Care & Insurance Interest Group Chair, as TIPS Section Medicine and Law Committee Chair and Employee Benefits Committee and Workers Compensation Committee Vice Chair, Tax Section Fringe Benefit Committee Chair, and in various other ABA leadership capacities. Ms. Stamer also is a former Southwest Benefits Association Board Member and Continuing Education Chair, SHRM National Consultant Board Chair and Region IV Chair, Dallas Bar Association Employee Benefits Committee Chair, former Texas Association of Business State, Regional and Dallas Chapter Chair, a founding board member and Past President of the Alliance for Healthcare Excellence, as well as in the leadership of many other professional, civic and community organizations. She also is recognized for her contributions to strengthening health care policy and charitable and community service resolving health care challenges performed under PROJECT COPE Coalition For Patient Empowerment initiative and many other pro bono service involvements locally, nationally and internationally.

About Solutions Law Press™

Solutions Law Press™ provides health care, insurance, human resources and employee benefit, data and technology, regulatory and operational performance, and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education. These include extensive resources on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press™ resources or training.

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or an admission. Solutions Law Press and its authors reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often rapidly evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. Solutions Law Press and its authors disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2025 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press.™ For information about licensing for republication, please contact the author directly. All other rights reserved.

Leave a Comment » | Conditions of Participation, Health Care, Health Care Provider, Health Care Quality, Health Insurance Exchange, Health IT, home health, Mental Heatlh, OCR | Tagged: ai, Cyber Security, cybersecurity, Data Breach, Health Care, Health Care Provider, Health Plan, HIPAA, Hospital, OCR, Physician, Privacy, Risk Analysis, Security, Technology | Permalink
Posted by Cynthia Marcotte Stamer

$11 Million False Claims Act Cybersecurity Settlement Reminds Health Plas HIPAA Isn’t Only Cyberbreach Exposure

March 17, 2025

The more than $11 million Health Net Federal Services Inc. (“HNFS”) and its corporate parent Centene Corporation, have agreed to pay under a settlement resolving claims that HNFS falsely certified compliance with cybersecurity requirements in a contract with the U.S. Department of Defense (“DoD”) reminds health industry organizations that Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) is only one of many federal statutes under which their organizations and their leaders can incur liability for cybersecurity breaches or other deficiencies. As the HNFS settlement makes clear, for instance, HIPAA Entities and other businesses that violate conditions of participation or contractual requirements for federal program participation also risk potential significant liability for deficiency in their compliance with data security, privacy or other cybersecurity requirements of those programs.

HIPAA Important But Not Only Cyber Liability Risk For Health Industry Organizations

Most health care providers, health insurers and other health plans, healthcare clearinghouses (“Covered Entities”) and their business associates (collectively, “HIPAA Entities”) recognize the importance of complying with the national standards for the protection of individuals’ electronic protected health information (“ePHI”) set forth in HIPAA Privacy, Security, and Breach Notification Rules (the “HIPAA” Rules”) to minimize or avoid painful civil monetary penalties or even criminal liability HIPAA authorizes for violations of HIPAA.

While the lengthy and growing list of HIPAA civil monetary penalties and resolution agreements obtained by the Department of Health and Human Services (“HHS”) Office of Civil Rights found to have violated the Security or other requirements of the HIPAA Rule shows the continued importance for HIPAA Entities to maintain HIPAA compliance, enforcement actions like the HNFS drive home that HIPAA Entities should not ignore other important cybersecurity obligations arising from the cybersecurity requirements created under terms of participation applicable to federal programs, or other applicable laws or statutes.

HNFS False Claims Act Cyber Liability Settlement

The HNFS enforcement action and settlement reveals False Claims Act liability as another significant cyber liability risk for health care providers, health care exchange insurers, Medicare Advantage, Medicaid Advantage, SCHIP, TRICARE and other military health, health technology, and other health industry organizations and their business associates and other subcontractors, who are government contractors or grant recipients.

The Justice Department previously has warned federal contractors that failing to fulfill or falsely certifying their compliance with required cybersecurity standards applicable to their contracts or programs could expose them to civil liability for violation of the False Claims Act^[1] (“FCA”). On October 6, 2021, then Deputy Attorney General Lisa O. Monaco announced a Civil Cyber-Fraud Initiative would use the FAC to hold accountable government contractors and grant recipients that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches applicable to their federal contracts or programs.

To violate the FCA, the government contractor or other accused person must have submitted, or caused the submission of, the false claim or made a false statement or record with knowledge of the falsity. Under Section 3729(b)(1), knowledge of false information is defined as being (1) actual knowledge, (2) deliberate ignorance of the truth or falsity of the information, or (3) reckless disregard of the truth or falsity of the information.

The Department of Justice obtained more than $2.9 billion in settlements and judgments from civil cases involving fraud and false claims against the government in the fiscal year ending Sept. 30, 2024. Under the FCA, government contractors or other persons violating the FCA generally are liable to pay the United States three times the government’s damages plus a penalty that is linked to inflation for knowingly submitting or causing another to submit a false claim to the government; making a false record or statement to get a false claim paid by the government; acting improperly to avoid having to pay money to the government; or conspiring to violate the FCA. In addition to allowing the United States to pursue FCA violations on its own, the FCA allows private citizens to file “qui tam” suits on behalf of the government against violators of the FCA. Private citizens who successfully bring qui tam actions may receive a portion of the government’s recovery. Many Justice Department FCA and other fraud investigations and lawsuits arise from such qui tam actions.

While the Justice Department’s announcement of the HNFS settlement did not expressly reference the Civil Cyber-Fraud Initiative, the action and statements made by Justice Department officials in connection with its announcement reflect that the Justice Department remains committed to using the False Claims Act to hold federal government health care and other contractors, subcontractors, and grant recipients accountable for failing to comply with applicable federal cybersecurity requirements.

Beginning in 2010, HNFS contracted with the DOD to provide managed healthcare support services for the TRICARE program in approximately 22 states. The support services included administrative support services, provider network development, referral management, enrollment support, and claims processing services. In 2016, Centene succeeded to these contractual obligations when it acquired all of the shares of Health Net Inc., HNFS’s corporate parent, and assumed the liabilities of HNFS. Consistent with applicable conditions for participation in the program, HNFS’s contract with the DOD required HNFS to comply with DOD data security and privacy requirements and to periodically certify that compliance.

The TRICARE contract required HNFS to “provide information management and information technology support as needed to accomplish the stated functional and operational requirements of the TRICARE program” and to adhere to certain privacy standards and cybersecurity requirements, including but not limited to 48 C.F.R. § 252.204-7012 and 51 security controls listed in the National Institute of
Standards and Technology Special Publication 800-53 (NIST 800-53), Security and Privacy Controls for Information Systems, Revision 4. The annual certification requirement included in the contract also required HNFS annually to certify both compliance with the standards and “that the security controls required by the contract are implemented correctly, operating as intended, and support the security policies of the Defense Health Agency.”

The settlement resolves DOD and Justice Department allegations that, between 2015 and 2018, HNFS failed to provide the cybersecurity controls required under its contract. Specifically, Justice Department charged that:

HNFS failed to timely scan for known vulnerabilities and remedy security flaws on its networks and systems, in accordance with its System Security Plan and response times established by HNFS;
HNFS ignored reports from third-party security auditors and its internal audit department of cybersecurity risks on HNFS’ networks and systems related to asset management; access controls; configuration settings; firewalls; end-of-life hardware and software in use; patch management (i.e., installing critical security updates released by vendors to counter known threats); vulnerability scanning; and password policies; and
HNFS falsely attested to DHA that it was in compliance with at least seven of the NIST 800-53 security controls listed in the NIST Compliance Certifications when it submitted those certifications to DHA

The Justice Department and DOD also charged HNFS with falsely certifying compliance with these controls in annual reports to DHA that were required under its contract to administer the TRICARE program.

As a result of these deficiencies, the Justice Department and Department of Defense claimed that HNFS’ claims for reimbursement under the Tricare contract were false, regardless of whether there was any exfiltration or loss of servicemember data or protected health information.

To resolve the alleged False Claims Act liability asserted by the government, HNFS and Centene Corporation agreed to pay $11,253,400 to the Department of Justice. The settlement agreement also expressly reserves the United States’ right to pursue any criminal charges arising from the conduct and limits HNFS and Centene from raising the settlement as a bar to any such criminal charges.

Statements made by Justice Department officials in its announcement of the HNFS settlement signal that the Justice Department remains committed to using the False Claims Act to hold government contractors and other recipients of federal funds accountable for failing to comply with cybersecurity requirements of their contracts.

The press release announcing the settlement quotes Acting Assistant Attorney General Brett A. Shumate, head of the Justice Department’s Civil Division as warning, “We will continue to pursue knowing violations of cybersecurity requirements by federal contractors and grantees to protect Americans’ privacy and economic and national security.”

Meanwhile, Cyber Field Office Special Agent in Charge Kenneth DeChellis of the Defense Criminal Investigative Service (DCIS), the law enforcement arm of the DoD Office of Inspector General also is quoted as stating, “DCIS will not be deterred from investigating contractors that fail to comply with federal cybersecurity requirements and risk exposing protected information vulnerable to criminal hackers. The U.S. taxpayers who fund these government contracts expect no less.”

Taken together with the HNFS enforcement action and resulting settlement, these statements provide a strong warning for health industry and other government contractors that their failure to comply with cybersecurity requirements in their federal contracts or grants could lead to prosecution under the False Claims Act in addition to otherwise applicable liabilities arising under HIPAA or other federal or state laws. Accordingly, health care organizations; Medicare, Medicaid, SCHIP, TRICARE and Federal Health Insurance Exchange program contractors; and other federal government contractors, subcontractors and grant recipients also should ensure their ability to defend their ongoing compliance with any data security, privacy or other federal cybersecurity requirements to guard against potential False Claims Act liability for noncompliance with these contractual responsibilities.

The author of this update, Cynthia Marcotte Stamer is an American College of Employee Benefits Counsel Fellow and attorney board certified in Labor and Employment Law by the Texas Board of Legal Specialization, who has decades of experience advising health care providers, Medicare and Medicaid Advantage and other public and private health plans and plan sponsors, government contractors and grant recipients, and their technology, data, third party administrators, and other managed care and other health care, defense, technology, life sciences and other clients about HIPAA and other protected health information, trade secret, personal information and other cybersecurity and other data and systems use, protection, andthese and other federal and state program design, contracting, quality, technology, reimbursement, licensing and accreditation, compliance, enforcement, governmental affairs, dispute resolution, and other compliance, risk management and operational matters. If you have questions or need advice or help evaluating or addressing these or other compliance, risk management, or other concerns, contact her.

For More Information

About the Author

Ms. Stamer’s work throughout her career has focused heavily on working with health care, health insurance and managed care, insurance and financial services, defense contractors, and other workforce and data sensitive businesses domestically and internationally on employment, benefits, data and other knowledge use and protection, Federal Sentencing Guidelines and other workforce and heath care management, internal and operational controls, regulatory and public policy and other legal and operational concerns. As a part of this work, she has had extensive involvement in the design, enforcement, investigation, mitigation and defense of trade secret and other information privacy and confidentiality, HRIS, claims, electronic medical records, payment, and other systems and technologies; HIPAA and other health industry, DOD, FACTA, GLB, EU, and other data privacy and security, trade secret and other confidential information; and other information privacy and security laws, policies, practices, contracts and requirements.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

[1]31 U.S.C. §§ 3729 – 3733.

Leave a Comment » | CHIP, Cyber crime, data breach, data security, Department of Defense, DOD, false claims act, Government contractor, Grant recipients, Health Care, Heath Care Exchange, HHS, HIPAA Cyber Crime, Medicaid Advantage, Medicare Advantage, TRICARE | Tagged: cybersecurity, Health Care, Health Care Fraud, healthcare, HIPAA, Hospital, Medicare, Physician, Security, Technology | Permalink
Posted by Cynthia Marcotte Stamer

HHS Issues Southern California Fire Public Health Emergency Disaster Relief

January 10, 2025

Health care providers, health plans and insurers, child care facilities, schools and other Southern California organizations impacted by the California fires that are regulated by the Department of Health and Human Services (“HHS”) may qualify for temporary waivers or modification of certain HHS regulatory obligations under the Declarations of a Public Health Emergency (“PHE”) published by HHS today.

The relief provided by the PHE includes:

An extensive list of resources and guidance to help health plans, health care providers and others to understand and cope with HHS requirements in disaster or other emergency situations such as:

For information about how the HIPAA Privacy Rule applies in a public health emergency, visit the OCR’S HIPAA Emergency Preparedness, Planning, and Response page (www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/index.html) or you may use the HIPAA Disclosures for Emergency Preparedness Decision Tool (www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/decision-tool-overview/index.html).
For information and resources for emergency responders/officials to help ensure individuals have equal access to emergency services, including language access and effective communication, please see this checklist for emergency responders: HHS OCR Emergency Preparedness Checklist for Ensuring Language Access and Effective Communication (www.hhs.gov/sites/default/files/lang-access-and-effective-comm-checklist-for-emergency-responders.pdf).
For information about emergency requirements for long-term care facilities, visit the CMS Emergency Preparedness Rule page (www.cms.gov/Medicare/Provider-Enrollment-and-Certification/SurveyCertEmergPrep/Emergency-Prep-Rule.html)

Health care providers and other HHS regulated entities impacted by the fire or other disasters should carefully review this guidance to understand the scope and availability of the current relief. Additionally, health care providers, health plans, health care providers, business associates and other HHS-regulated entities not currently impacted by today’s or another public health emergency declaration should keep in mind that they likely are subject to HHS and other regulatory, statutory, common law, or ethical obligations to make advance arrangements to prepare in advance to deal with responsibilities during a disaster. Accordingly, providers and others not currently affected by the current disaster should heed the reminder from the disaster to reconfirm before they are impacted by a disaster the adequacy of their own policies, plans and arrangements to provide for their continued ability to fulfill HHS regulatory and other obligations in the event of a disaster.

Health care providers and other HHS-regulated entities planning to rely upon the PHE relief should keep in mind the limited duration and scope of the relief provided by this PHE or any other HHS public health emergency declaration. Entities planning to rely on the PHE relief must review the scope, conditions and duration requirements and ensure their ability to defend their continued compliance taking into account these limited waivers and modifications.

Also, the PHE guidance documents are not a final agency action, do not legally bind persons or entities outside the Federal government, and may be rescinded or modified at the Department’s discretion. Noncompliance with any voluntary standards (e.g., recommended practices) contained in these documents will not, in itself, result in any enforcement action.

Furthermore, health care providers, health plans and insurers, and other HHS regulated entities typically face a myriad of responsibilities beyond those imposed by the HHS under various federal and state laws, other agency regulations, contracts, common law and ethical or other standards or rules. Consequently, providers and other HHS entities intending to rely on the HHS PHE also should check other agencies disaster declaration webpages to determine what additional relief from other agency requirements, if any, their organization may qualify as a result of the disaster. Except to the extent covered by other declared disaster relief, coverage by or compliance with the HHS PHE guidance and policies typically provide no protection against liability for failure to fulfill duties or responsibilities under these other laws, regulations or standards or beyond the specific relief granted in the HHS PHE. Accordingly, entities impacted by the fire or another disaster are urged to take necessary steps before, during and after any disaster to position themselves to demonstrate fulfillment of duties and mitigate the seriousness of any alleged deficiencies in their compliance.

For More Information

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for her more than 35 years of health, insurance, employment and employee benefits and other industry management work, public policy leadership and advocacy, coaching, teachings, and publications including leading-edge work on crisis preparedness, response and recovery.

Author of many highly regarded compliance and risk management tools, training and other resources on health and other employee benefits, health care, insurance, workforce and other risk management and compliance, Ms. Stamer is widely recognized for her thought leadership and advocacy on these matters.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides health care, insurance, human resources and employee benefit, data and technology, regulatory and operational performance, and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education. These include extensive resources on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources.

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often rapidly evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. The author and Solutions Law Press, Inc. disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Leave a Comment » | Health Care | Tagged: California FIres, Disaster, Health, Health Caer, Health Care, Health Care Fraud, Health Care Provider, healthcare, HIPAA, Medicare, Physician, Privacy, Security, Technology | Permalink
Posted by Cynthia Marcotte Stamer

2025 Surprise Billing Fees Unchanged But Clear Cache Weekly To Avoid Missing Form Updates

December 27, 2024

2025 federal surprise billing Prevent Errors & Delays independent dispute resolution fees applicable to health care providers, health plans, and health insurers will remain are holding steady.

On December 27, 2024, the Department of Health and Human Services (“HHS”), the Department of Labor (“DOL”), and the Department of the Treasury (collectively, the “Departments”) updated the No Surprises Act (NSA) website to reflect updated certified IDR entity fees in accordance with the Federal Independent Dispute Resolution (IDR) Process Administrative Fee and Certified IDR Entity Fee Ranges Final Rule (IDR Fees Final Rule).

The IDR Fees Final Rule, effective as of January 22, 2024, set forth the 2024 IDR entity fee ranges. The Departments announced these fees will remain unchanged for 2025.

The 2025 IDR entity fees now published on the NSA website are effective for disputes initiated on or after January 1, 2025. For these disputes, the administrative fee amount is $115 per party per dispute, and the certified IDR entity fee ranges are $200-$840 for single determinations and $268-$1,173 for batched determinations. The website now includes information on the fee set by each certified IDR entity within these ranges.

Along with confirming the 2025 fees, the Departments caution plans and providers to monitor the website for updates to the IDR web form to accommodate guidance-related and system enhancements. The Departments ask plans and providers who have initiated an IDR dispute previously, to clear their computer’s cache or open the IDR initiation web form in a private or incognito window at least once a week to see all the new features. The Departments warn to clear the cache or open this form in private/incognito mode could result in additional follow-up with certified IDR entities or system errors.

For More Information

About the Author

Ms. Stamer’s work throughout her career has focused heavily on working with businesses domestically and internationally on employment, benefits, Federal Sentencing Guidelines and other workforce management, regulatory and public policy and other legal and operational concerns.

Author of many highly regarded compliance, training and other resources on health and other employee benefits, health care, insurance, workforce and other risk management and compliance, Ms. Stamer is widely recognized for her thought leadership and advocacy on these matters.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources.

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstance at the particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often rapidly evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. The author and Solutions Law Press, Inc. disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Leave a Comment » | air ambulance, ambulance, Ambulatory care, Corporate Compliance, Direct Primary Care, Emergency Care, Employee Benefits, Employer, ERISA, exchange plans, Fiduciary Responsibility, Health Care, Health Care Finance, Health Care Provider, health care reimbursement, Health Insurance, Health Insurance Exchange, Health Plan, Health Plans, healthcare, Hospital, Hospital, hospitals, managed care, participating provider, Physician, Provider contracting, Reimbursement, surprise billing | Tagged: Corporate Compliance, Doctor, Employer, Health Care, Health Care Provider, Health Care Reimbursement, Health Insurance, Health Plan, Health Plans, Hospital, Hospitals, Physician, Physicians, solutionslawyer, surprise billing | Permalink
Posted by Cynthia Marcotte Stamer

Providers & Health Plans Warned To Timely Deliver Requested Records By $100,000 HIPAA Penalty

November 21, 2024

The $100,000 penalty paid by a mental health facility alerts health care providers, health plans and health care clearinghouses (“covered entities”) to the perils of failing to timely deliver health records access as required by the Health Insurance Portability and Accountability Act (“HIPAA”).

The $100,000 civil monetary penalty against California mental health provider Rio Hondo Community Mental Health Center (“Rio Hondo”) announced by the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) on October 19, 202 is the fifty-first OCR enforcement action under its HIPAA Right of Access enforcement initiative.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rules’ right of access provisions generally require covered entities to provide individuals access to their protected health information within 30 days, with the possibility of one 30-day extension and prohibits charging more than a reasonable, cost-based fee for this access.

The penalty against Rio Hondo resolves an OCR investigation into Rio Hondo over a failure to provide a patient with timely access to their medical records. OCR enforces the right of access and other requirements of the HIPAA Privacy Rule.

OCR launched an investigation after receiving a complaint from a patient that Rio Hondo did not provide timely access to their medical records, despite multiple requests in writing and by telephone.

OCR’s investigation found that it took nearly seven months from the time the patient first requested the records until Rio Hondo provided them.

The patient made multiple telephone calls in July and August 2020, regarding the status of her request, but still did not receive the requested records until it produced the records in response to the investigation.

The late delivery of the records access did not end the enforcement action. Based on the facts, OCR found that Rio Hondo failed to take timely action in response to the patient’s right of access in accordance with the HIPAA Privacy Rule.

In July 2024, OCR issued a Notice of Proposed Determination to impose a $100,000 civil monetary penalty. After Rio Hondo waived its right to a hearing and did not contest the findings of OCR’s Notice of Proposed Determination, OCR issued a Notice of Final Determination imposing the penalty.

OCR’s announcement of the penalty includes a strong warning to other covered entities to comply with HIPAA’s access requirements. It quotes OCR Director Melanie Fontes Rainer. As stating:

Ensuring patients’ rights to timely access to medical information continues to be a HIPAA enforcement priority. Healthcare providers are legally obligated to provide patients with timely access to their medical records. If they fail to provide that access, OCR will not hesitate to do everything in its power, including imposing civil monetary penalties, to ensure compliance with the law.”

With OCR promising to continue to prioritize enforcement, all covered entities should take documented steps to confirm the adequacy of their existing processes to ensure compliance with OCR’s Right of Access guidance and other applicable federal and state legal and ethical requirements like the Employee Retirement Income Security Act (“ERISA”) claims and appeals and Patient Protection and Affordable Care Act (“ACA”) adverse benefit procedures applicable to health plans and State ethical and statutory medical records delivery requirements applicable to providers. Health care providers also should consider including processes for tracking and monitoring access requests in these processes that provide for review every 30 days.Covered entities should keep records of these efforts for the six-year period required by HIPAA’s record retention rules.

Covered entities that receive follow up access requests or otherwise discover a potential failure to timely provide access should engage a HIPAA knowledgeable attorney for help and advice. Obviously, covered entities should correct any oversight promptly by delivering the records access. However legal counsel can assist by helping the covered entity assess if a violation actually occurred, avoid added violations or inflammatory communications or actions that could enhance exposures to complaints or penalties and suggest actions to help mitigate risks of an OCR investigation and penalties. For instance, past enforcement actions suggest a covered entity should consider foregoing requiring payment of charges HIPAA otherwise might allow for the records access to avoid further delay of access that could heighten penalty exposures. Covered entities also should document their delivery of access and their investigation and corrective actions addressing the source of the compliance failure.

The author of this update, Cynthia Marcotte Stamer has worked extensively with covered entities and business associates on these and other HIPAA and other compliance and risk management. If you have questions or need advice or help evaluating or addressing your HIPAA compliance or other concerns, contact her.

For More Information

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for her more than 35 years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications including leading edge work on PBM, pharmacy and pharmaceutical and other health care, managed care, insurance, and insured and self-insured contracting, design, administration and regulation..

Author of numerous highly regarded works on PBM and other health plan contracting and design, Immediate Past Chair of the ABA International Section Life Sciences Committee and the Tort Trial and Insurance Practice Section Medicine and Law Committee, past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and past Group Chair and current Welfare Benefit Committee Co-Chair of the ABA RPTE Employee Benefits & Other Compensation Group, Ms. Stamer is most widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on health and other privacy and data security and other health industry legal, public policy and operational concerns.

As a part of this work, she has continuously and extensively worked with domestic and international health plans, their sponsors, fiduciaries, administrators, and insurers; managed care and insurance organizations; third party administrators and other health benefit service providers; hospitals, health care systems and other health care providers, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; EMR, claims, payroll and other technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, self-insured health and other employee benefit plans, their sponsors, fiduciaries, administrators and service providers, insurers and other payers, health industry advocacy and other service providers and groups and other health and managed care industry clients as well as federal and state legislative, regulatory, investigatory and enforcement bodies and agencies.

Author of many highly regarded compliance, training and other resources on HIPAA and other risk management and compliance, Ms. Stamer is widely recognized for her thought leadership on HIPAA and many other health care, health plan and other health industry matters.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstance at the particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often rapidly evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. The author and Solutions Law Press, Inc. disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Leave a Comment » | Health Care | Tagged: Health Care Compliance, Health Care Provider, health care. OCR, Health Plans, HIPAA, Hospital, Medical Records, Physician, Privacy, Right of Access | Permalink
Posted by Cynthia Marcotte Stamer

New Electronic Process For Partial QPs In CMS Quality Payment Program Coming In January

November 13, 2024

The Centers for Medicare & Medicaid Services (CMS) announced a new electronic process for the election of Partial Qualifying Alternative Payment Model (APM) Participants (Partial QPs) to participate in the Merit-based Incentive Payment System (MIPS) will open January 2, 2025.

Historically, the election for Partial QP clinicians to participate in MIPS has been done by completing the Partial QP election form and emailing it to the Quality Payment Program (QPP) Help Desk. 

This process will no longer exist starting in calendar year (CY) 2025. Instead, the new, direct process through the QPP online application will replace the old process.

CMS is incorporating the Partial QP election process into the online QPP application opening to submissions open on January 2, 2025. The submission window closes on March 31, 2025.

If you have questions or need advice or help evaluating or addressing these or other concerns, contact the author of this update, Cynthia Marcotte Stamer.o

For More Information

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for her more than 35 years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications including leading edge work on PBM, pharmacy and pharmaceutical and other health care, managed care, insurance, and insured and self-insured contracting, design, administration and regulation..

Author of numerous highly regarded works on PBM and other health plan contracting and design, Immediate Past Chair of the ABA International Section Life Sciences Committee and Chair Emeritus of the Tort Trial and Insurance Practice Section Medicine and Law Committee, past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and past Group Chair and current Welfare Benefit Committee Co-Chair of the ABA RPTE Employee Benefits & Other Compensation Group, Ms. Stamer is most widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on health and other privacy and data security and other health industry legal, public policy and operational concerns.

Author of publications on “Transparent PBM Contracting,” “ACOs, Direct Contracting: Legal & Practical Challenges For Employers, Providers & TPAs,” “The Medicare Advantage Contracting Manual,” “Third Party Administrator (TPA) Contracting Principles and Strategies and a multitude of other highly regarded publications and presentations, Stamer is widely recognized for her thought leadership on PBM and other managed care and health plan contracting and design, and a multitude of other health care, health plan and other health industry matters. In addition, Ms. Stamer contributes her time and leadership to numerous policy, professional, civil and other organizations including service as the, the American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting and a former Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstance at the particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often rapidly evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. The author and Solutions Law Press, Inc. disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Leave a Comment » | Health Care | Tagged: Health Care, Health Care Compliance, health care quality, Hospital, Medicaid, Medicare, Physician, Physicians, Reimbursement | Permalink
Posted by Cynthia Marcotte Stamer

Intrepid Pays $3.85 Million To Settle Hospice & Home Health False Claims Act Charges

August 21, 2024

Texas-based Intrepid U.S.A. Inc. and various wholly-owned subsidiaries (“Intrepid”) will $3,850,000 to resolve allegations that Intrepid violated the False Claims Act in two lines of its business, home health and hospice.

The Settlement resolves government charges that Intrepid:

Knowingly submitted claims to Medicare for home healthcare services for patients who did not qualify for the Medicare home healthcare benefit or where services otherwise did not qualify for Medicare reimbursement; and
Knowingly submitted claims to Medicare for patients who did not qualify for the hospice benefit.

The United States alleged that, between 2016 and 2021, 19 Intrepid home healthcare facilities submitted claims to Medicare for home healthcare services for patients who did not qualify or were not properly certified as eligible for the Medicare home healthcare benefit, where the services provided were not reasonable or medically necessary, where the services were provided by untrained staff, or where services were not performed.

Separately, the United States alleged that, between 2016 and 2021, three Intrepid hospice facilities admitted patients to hospice care who were ineligible for the Medicare hospice benefit because they were not terminally ill or continued providing services to patients who should have been discharged because they no longer met the requirements for the Medicare hospice benefit.

These charges resulted from and resolves claims brought under the qui tam or whistleblower provisions of the False Claims Act in two different lawsuits. One qui tam action was brought by Jennifer Jones, a former travel nurse, and Pamela Joffe, a former Director of Quality Assessment Performance Improvement and New Business Development, for Intrepid. The qui tam case is captioned U.S. ex rel. Jones v. Intrepid USA Healthcare Inc., No. 19-sc-2973 (D. Minn.). The second qui tam action was brought by Marsha Rigney, a former Director of Clinical Excellence and Integrity, and Janet Watts, a former Regional Manager of Clinical Excellence, for Intrepid. This qui tam case is captioned U.S. ex rel. Rigney v. Intrepid U.S.A. Inc., No. 3:20-cv-95-RGJ (WDKY). Under the provisions of the False Claims Act, a private party can file an action on behalf of the United States and receive a portion of any recovery. Relators Jones and Joffe will receive $333,985 from the settlement proceeds, and Relators Rigney and Watts will receive $359,014 from the settlement proceeds.

The settlement amount is based on Intrepid’s ability to pay.

Following previous high dollar hospice and home health settlements like the $125 million plus settlement with Kindred Healthcare, Inc. announced last month, the Settlement reflects federal continued scrutiny of hospice, home health and long term care providers.

For More Information

We hope this update is helpful. For more information about these or other health or other legal, management, or public policy developments, please get in touch with the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.

About the Author

Cynthia Marcotte Stamer has extensive experience advising and defending health care and life sciences, health plans and insurers, their business associates about False Claims and other billing and other compliance, risk management, operational and legislative and regulatory affairs concerns.

A Fellow in the American College of Employee Benefit Counsel, Immediate Past Co-Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee and Vice-Chair Elect of its International Employment Law Committee, Immediate Past Chair of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, Past Group Chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee; and Chair of the ABA Intellectual Property Section Law Practice Management Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading-edge work, scholarship and thought leadership advising healthcare and life sciences, managed care and other insurance and employer-sponsored health benefit, technology, and other highly regulated and data dependent clients about health care and other regulatory, workforce and staffing, health and other employee benefits, safety, contracting, quality assurance, compliance and risk management, and other legal, public policy and operational concerns. She speaks and publishes extensively on these and other related compliance issues.

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, life sciences, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. Author of a multitude of highly regarded publications on HIPAA and other medical record and data privacy and scribe for the ABA JCEB Annual Meeting with the HHS Office of Civil Rights, her experience includes extensive involvement throughout her career in advising health care and life sciences and other clients about preventing, investigating and defending health care fraud; HIPAA, FACTA, GDPR, GLB, and other privacy, data security and information protection and breach; EEOC, DOJ, OFCCP and other Civil Rights Act, Section 1557 and other HHS, HUD, banking, and other federal and state compliance, investigations, audits, lawsuits and other enforcement actions as well as advocacy before Congress and regulators regarding federal and state health care, privacy, data breach and security, employment, employee benefits and insurance, equal opportunity, equity and other laws.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Laws Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here, such as:

ABOUT THIS COMMUNICATION

NOTICE: These statements and materials are for general informational and educational purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstances at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules make it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access to this publication.

Leave a Comment » | Health Care | Tagged: false claims act, Health Care Fraud, home health, Hospice, Hospital, Medicare, Physician | Permalink
Posted by Cynthia Marcotte Stamer

Doctor’s Conviction Illustrates Advisability For Physicians To Know & Follow Federal Health Care Fraud Rules

April 5, 2024

Resources Summarize Key Health Care Fraud Rules

Physician health care fraud prosecutions and convictions of physicians like Arizona physician Linh Cao Nguyen, M.D. drive home the need for all physicians to ensure their understanding and ability to defend their compliance with federal and state healthcare fraud laws. This includes, but it’s not limited to proper coding and billing for the use of mid-level in the delivery of care. Physicians and other prescribers should review a recently released resource to get a basic overview of these federal healthcare fraud rules.

Nguyen Health Care Fraud Plea For Billing Delegated Care As Physician Provided

One of literally thousands of physicians and other prescribers prosecuted by federal prosecutors for health care fraud, Nguyen pleaded guilty on March 19, 2024, to Health Care Fraud. Nguyen’s sentencing is scheduled for May 28, 2024, before United States District Judge John C. Hinderaker.

Nguyen admitted that for years, he engaged in a scheme to defraud various health care benefit programs, including Medicare, TRICARE, AHCCCS, Blue Cross Blue Shield, and UnitedHealthcare.

Court documents charged the fraudulent claims generally identified a medical doctor as the treating provider when, in fact, another provider such as a nurse practitioner, social worker, unlicensed psychology intern, or wound care nurse provided the service independently. By billing the medical service as if it were provided by a physician, Nguyen falsely inflated the amount his company was to be paid for the service.

Through these prohibited practices, Nguyen confessed to knowingly causing submission of thousands of false billing claims.Nguyen falsely created patient records to conceal and avoid detection of his fraudulent billing scheme.

Nguyen admitted the loss he caused was at least $3.7 million dollars. He agreed to pay restitution to the private insurance companies totaling over $1 million.

A conviction for Health Care Fraud carries a maximum penalty of 10 years in prison and a $250,000 fine.

Learn Basics From HHS Physician Health Care Fraud & Abuse Educational Resources

Along with ensuring that billing for care properly reflects the identity and legal capacity of the caregiver, physicians also have to negotiate a number of other federal healthcare laws.

The Department of Health and Human Services (“HHS”) Office of Inspector General (OIG) has created the educational materials listed below to assist in teaching physicians about the Federal laws designed to protect the Medicare and Medicaid programs and program beneficiaries from fraud, waste, and abuse:

A Roadmap for New Physicians (PDF), which is a booklet for physicians’ self-study;
A companion PowerPoint presentation; and
The speaker note set that accompanies the PowerPoint and a narration of the speaker notes to accompany the PowerPoint slides.

The presentation summarizes the five main Federal fraud and abuse laws (the False Claims Act, the Anti-Kickback Statute, the Stark Law, the Exclusion Statute, and the Civil Monetary Penalties Law) and provide tips on how physicians should comply with these laws in their relationships with payers (e.g., the Medicare and Medicaid programs), vendors (e.g., drug, biologic, and medical device companies), and fellow providers (e.g., hospitals, nursing homes, and physician colleagues).

Physicians and another prescribers are encouraged to use these resources to help build their awareness of these rules as they relate to their practices. If any questions exist, physicians are encouraged to seek the advice of legal counsel to confirm their compliance.

For Additional Information

We hope this update is helpful. Solutions Law Press, Inc. invites you to receive future updates by registering on here and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

If you need have questions or need assistance with this or other cybersecurity, health, benefit, payroll, investment or other data, systems or other privacy or security related risk management, compliance, enforcement or management concerns, to inquire about arranging for compliance audit or training, or need legal representation on other matters, contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.

About the Author

Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 35 plus years of employee benefit, managed care and other health and insurance industry, workforce and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

A Fellow in the American College of Employee Benefit Counsel, Co-Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee and Vice-Chair Elect of its International Employment Law Committee, Chair-Elect of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading-edge work, scholarship and thought leadership on heath benefit and other healthcare and life science, managed care and insurance and other workforce and staffing, employee benefits, safety, contracting, quality assurance, compliance and risk management, and other legal, public policy and operational concerns in the healthcare and life sciences, employee benefits, managed care and insurance, technology and other related industries. She speaks and publishes extensively on these and other related compliance issues.

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, life sciences, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. Author of a multitude of highly regarded publications on HIPAA and other medical record and data privacy and scribe for the ABA JCEB Annual Meeting with the HHS Office of Civil Rights, her experience includes extensive involvement throughout her career in advising health care and life sciences and other clients about preventing, investigating and defending EEOC, DOJ, OFCCP and other Civil Rights Act, Section 1557 and other HHS, HUD, banking, and other federal and state discrimination investigations, audits, lawsuits and other enforcement actions as well as advocacy before Congress and regulators regarding federal and state equal opportunity, equity and other laws.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Laws Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here.

IMPORTANT NOTICE

Leave a Comment » | Health Care | Tagged: false claims act, Health Care, Health Care Fraud, Health Plans, Hospital, Medicaid, Medicare, Physician, Physicians | Permalink
Posted by Cynthia Marcotte Stamer

April Is National Minority Health Month

April 1, 2024

April is National Minority Health Month, a time to emphasize the importance of improving health care in racial and ethnic minority communities.

Health disparities undermine the health of impacted communities, drive up government, employer, insurer and community health and disability costs, and create needless suffering.

While different organizations and studies use different definitions, health and health care disparities generally refer to differences in health and health care between groups that stem from broader inequities.

The Centers for Disease Control and Prevention (CDC) defines health disparities as “preventable differences in the burden, disease, injury, violence, or in opportunities to achieve optimal health experienced by socially disadvantaged racial, ethnic, and other population groups and communities.”

Healthy People 2030 defines a health disparity, as “a particular type of health difference that is linked with social, economic, and/or environmental disadvantage,” and that adversely affects groups of people who have systematically experienced greater obstacles to health.

The Kaiser Family Foundation reports that although health care is essential to health, research shows that health outcomes are driven by multiple factors, including underlying genetics, health behaviors, social and environmental factors, and access to health care.

While there is currently no consensus in the research on the magnitude of the relative contributions of each of these factors to health, studies suggest that health behaviors and social and economic factors, often referred to as social determinants of health, are the primary drivers of health outcomes and that social and economic factors shape individuals’ health behaviors. Moreover, racism negatively affects mental and physical health both directly and by creating inequities across the social determinants of health.

Helping to reduce health disparities begins with increasing awareness about health disparities that disproportionately impact people from historically marginalized communities, and by sharing resources to help.

Minority and underserved communities often face greater health care challenges including limited access to care, higher rates of chronic conditions, and worse health outcomes, as well as stigma and discrimination in health care settings. For example:

Black people are 30 percent more likely to die from heart disease, 50 percent more likely to have a stroke, and 30 percent more likely to have asthma.
Compared to non-Hispanic White persons, Hispanic individuals are 70 percent more likely to be diagnosed with diabetes by a physician and 1.2 times more likely to be obese.

Sometimes disparities are not from disease or actual care but arise from differences between groups in health insurance coverage, affordability, access to and use of care, and quality of care.

Help bring awareness to the health disparities impacting these diverse communities by sharing and making available the following responses from the Center for Medicare & Medicaid Services:

For Additional Information

About the Author

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, life sciences, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. Author of a multitude of highly regarded publications on HIPAA and other medical record and data privacy and scribe for the ABA JCEB Annual Meeting with the HHS Office of Civil Rights, her experience includes extensive involvement throughout her career in advising health care and life sciences and other clients about preventing, investigating and defending EEOC, DOJ, OFCCP and other Civil Rights Act, Section 1557 and other HHS, HUD, banking, and other federal and state discrimination investigations, audits, lawsuits and other enforcement actions as well as advocacy before Congress and regulators regarding federal and state equal opportunity, equity and other laws.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Laws Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here.

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Leave a Comment » | Health Care | Tagged: Health Care, Health Care Fraud, Health Care Provider, health equity, Medicaid, national minority health month, pharmacy, Physician | Permalink
Posted by Cynthia Marcotte Stamer

UHG Shares Resumption Timeline For Products Disrupted By Cyberattack

March 25, 2024

UnitedHealthcare Group (UHG) plans to resume certain key health benefit and payment function this week that it turned off in response to a February 21, 2024 cyberattack.

Health care providers and their billing and other service providers may find these updates helpful to their efforts to respond with ongoing payment and other disruptions as well as to fulfill their own Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules, state contract, prompt pay and other duties to health care providers or other responsibilities in response to disruptions created by UHG’s Blackcat1234 ransomware attack subsidiary Change Healthcare.

UHG Attack

On February 21, 2024, a ransomware attack executed by the Blackcat1234 ransomware group took control of and shut down the payment, revenue cycle management and related tools and systems of UHG Subsidiary Change Healthcare. Well-known for stealing sensitive data and demanding ransom for not publishing it, and other public and private cybersecurity monitoring and tracking organizations have warned heath care and other system operators to guard against Blackcat1234 and related ransomware attack risks since at least 2022. See, e.g., #StopRansomware: ALPHV Blackcat | CISA.

The Choice Health shutdown resulting from the Blackcat1234 ransomware attack has created widespread disruptions to key care authorization, billing and other pharmacy, provider and other plan and provider transactions within health care and health benefit systems nationwide due to the widespread use of the Choice Health tools. Among other things:

Due to the widespread use of the Change Healthcare tools and systems as a financial clearinghouse for connecting pharmacy benefit managers, health care providers, and other key plays and health plans throughout the health care and health benefits industry, the attack has and continues to disrupt key billing, care-authorization, payment and other transactions between health care payers and pharmacies, physicians and other health care providers and health care payers and their partners across the health care industry.

The resulting shutdown and disruption to electronic payment and medical claims systems incorporating the compromised Change Healthcare tools create various legal and operational headaches for many health plans and other health care payers by preventing or obstructing the submission and processing of health care claims and other transactions between health care providers and health plans.

While UHG works to remediate and restore the operability and security of the Choice Health tools and systems, health plans, and insurers, their fiduciaries, plan sponsors, and fiduciaries should take timely and prudent steps in response to the breach and resulting disruptions to mitigate the exposure of their health plans, and themselves under HIPAA and ERISA. See Manage Health Plan HIPAA, ERISA & Other Exposures From Change Healthcare Ransomware Attack.

Timeline

In its Product Restoration Timeline posted on a UHG website, UhG projects the following timeline for restoration of the following systems:

Week of 3/25

Eligibility Processing: Processes real-time transactions
Clearance: Benefits verification and authorization determination
MedRX: Pharmacy electronic claims for medical
Reimbursement Manager: Claim pricing
Coverage Insight: Coverage discovery

Week of 4/1

Clinical Exchange: Provider workflow enabling electronic prescribing, ordering and resulting integrated into EHR’s
Payer Connectivity Services (PCS): EDI validation and editing
Hosted Payer Services (HPS): Payer hosting service for eligibility responses to providers
Acuity / Pulse: Acuity provides revenue cycle analytics for users of Clearance and Assurance; Pulse provides RCM KPI benchmarks for institutional claims utilizing Assurance client data

Week of 4/8

Risk Manager: Supports clients in managing value-based payment contracts.
Health QX: Retrospective episode-base payment models

No Guarantees

The UHG website warns these dates are projections based on available information. Products will go through a phased reconnection process, including launch, testing and scaled reconnection. The timeline may change as UHG learns more.

Unlisted Services

The Timeline currently does not list all products and services. The UHG website states that the absence of a product from the schedule does not mean that product is more than three weeks away from resumption. Rather, it means that UHG does not yet have line of sight to the week that it expects to restore it. UHG plans to provide updated information as those timelines become clear.

For specific product updates, UHG invites interested persons to subscribe to the products of interest here.

Restoration Webinars

UHG also has shared the following series of webinary providing more information about its restoration efforts:

Other Assistance

UHG also has announced the availability of finding assistance for providers adversely impacted by payment disruptions relating to the attack.

Health care providers can watch a video to learn more about this program and the process check eligibility on the UHG website.

For Additional Information

About the Author

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, life sciences, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. Author of a multitude of highly regarded publications on HIPAA and other medical record and data privacy and scribe for the ABA JCEB Annual Meeting with the HHS Office of Civil Rights, her experience includes extensive involvement throughout her career in advising health care and life sciences and other clients about preventing, investigating and defending EEOC, DOJ, OFCCP and other Civil Rights Act, Section 1557 and other HHS, HUD, banking, and other federal and state discrimination investigations, audits, lawsuits and other enforcement actions as well as advocacy before Congress and regulators regarding federal and state equal opportunity, equity and other laws.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Laws Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here.

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Leave a Comment » | Health Care | Tagged: Corporate Compliance, Data Security, Health Care, Health Care Provider, Health Plans, HIPAA, Hospital, Hospitals, licensure, Medicaid, Medicare, pain management, pharmacist, pharmacy, Physician, Physicians, Prescription Drugs, Privacy, Reimbursement, UnitedHealth breach | Permalink
Posted by Cynthia Marcotte Stamer

OCR Nails Second HIPAA Covered For Allowing Ransomware Breach

February 23, 2024

Health care providers, health plans, health care clearinghouses and their business associates (covered entities) that fail to appropriately safeguard their protected health information and systems against randomware and other malware threats as required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) should expect to pay hefty amounts to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) if an attack occurs. That is the clear message sent by OCR’s February 22, 2022 announcement of its second ransomware settlement since October, 2023.

Duty To Guard Against Malware

OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, which sets forth the requirements that HIPAA covered entities (most health care providers, health plans, and health care clearinghouses) and their business associates must follow to protect the privacy and security of protected health information.

Ransomware and hacking are the primary cyber-threats in health care. A type of malware (malicious software) designed to deny access to a user’s data, usually by encrypting the data with a key known only to the hacker who deployed the malware, until a ransom is paid, OCR has seen large breaches affecting more than 500 individuals reported to OCR involving hacking increase 256% and those from ransomware increase 264% increase over the past five years,

In 2023, hacking accounted for 79% of the large breaches reported to OCR. The large breaches reported in 2023 affected over 134 million individuals, a 141% increase from 2022.

In light of the growing threat, OCR is prioritizing enforcement, education and compliance outreach to HIPAA covered entities.

OCR’s February 22, 2024 announcement of its second ever and second settlement of a malware related enforcement action in less than five months demonstrates OCR’s readiness to hold covered entities accountable for failing to fulfill this responsibility.

Green Ridge Ransomeware Breach

OCR’s February 22, 2022 announcement of its second ever ransomware related resolution agreement and corrective action plan reaffirms OCR’s readiness to hold covered entities accountable for failing to guard against ransomware and other cyber risks.

Green Ridge Behavioral Health, LLC, (Green Ridge), a Maryland-based practice that provides psychiatric evaluations, medication management, and psychotherapy. This marks the second settlement that OCR has reached with a HIPAA regulated entity for potential violations identified during an investigation following a ransomware attack.

The settlement resolves an investigation following a ransomware attack that affected the protected health information of more than 14,000 individuals.

OCR learned of the breach after Green Ridge filed a breach report with OCR in February 2019 that stated that its network server had been infected with ransomware resulting in the encryption of company files and the electronic health records of all patients.

In keeping with its policy of investigating all breaches affecting more that 500 individuals (large breaches), OCR opened an investigation in April, 2019.

OCR’s investigation of the breach found evidence of potential violations of the HIPAA Privacy and Security Rules leading up to and at the time of the breach. Other findings included that Green Ridge Behavioral Health failed to:

Have in place an accurate and through analysis to determine the potential risks and vulnerabilities to electronic protected health information;
Implement security measures to reduce risks and vulnerabilities to a reasonable and appropriate level; and
Have sufficient monitoring of its health information systems’ activity to protect against a cyber-attack.

Under the terms of the settlement, Green Ridge agreed to pay $40,000 and implement a corrective action plan that will be monitored by OCR for three years to avoid exposure to potentially much greater HIPAA monetary penalties.

The plan also requires Green Ridge to take many actions to resolve potential HIPAA violations and to protect electronic protected health information, including:

Conducting a comprehensive and thorough analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information;
Designing a Risk Management Plan to address and mitigate security risks and vulnerabilities found in the Risk Analysis;
Reviewing, and as necessary, developing, or revising its written policies and procedures to comply with the HIPAA Rules;
Providing workforce training on HIPAA policies and procedures;
Conducting an audit of all third-party arrangements to ensure appropriate business associate agreements are in place, where applicable; and
Reporting to OCR when workforce members fail to comply with HIPAA.

First Malware Settlement

Prior to this week’s announcement of the Green Ridge resolution agreement, OCR already had announced its first ever malware related resolution agreement on October 31, 2023.

That $100,000 settlement resolved a potentially much greater HIPAA liability business associate Doctors’ Management Services (DMS) could have faced for alleged HIPAA violations OCR found investigating a large breach report DMS filed on April 22, 2019.

The DMS breach report disclosed that a ransomware attack affected DMS’ network server with GandCrab ransomware beginning with an initial unauthorized access to the network that occurred on April 1, 2017; however, DMS did not detect the intrusion until December 24, 2018, Once the DNS system was accessed, ransomware was used to encrypt their files. The attack affected the electronic protected health information of 206,695 individuals

OCR’s investigation of the DNS breach found evidence of potential failures by DMS to have in place an analysis to determine the potential risks and vulnerabilities to electronic protected health information across the organization. Other findings included insufficient monitoring of its health information systems’ activity to protect against a cyber-attack, and a lack of policies and procedures in place to implement the requirements of the HIPAA Security Rule to protect the confidentiality, integrity, and availability of electronic protected health information.

Under the terms of the DMS settlement agreement paid $100,000 to OCR and agreed to implement a corrective action plan that requires:

DMS to submit to OCR monitoring for three years to ensure compliance with HIPAA
Review and update its Risk Analysis to identify the potential risks and vulnerabilities to Doctor’s Management Services data to protect the confidentiality, integrity, and availability of electronic protected health information.
Update its enterprise-wide Risk Management Plan (strategy to protect the confidentiality, integrity, and availability of ePHI) to address and mitigate any security risks and vulnerabilities found in the updated Risk Analysis.
Review and revise, if necessary, its written policies and procedures to comply with the Privacy and Security Rules.
Provide workforce training on HIPAA policies and procedures.

Warning To All Covered Entities

Along with announcing the two recent resolution agreements, OCR also is warning all covered entities to tighten their malware and ransomware safeguards.

OCR’s announcement of the Green Ridge resolution agreement, for instance, quotes OCR Director Melanie Fontes Rainer as stating, “Health care providers need to understand the seriousness of these attacks and must have practices in place to ensure patients’ protected health information is not subjected to cyber-attacks such as ransomware.”

To assist covered entities to meet this responsibility, OCR has developed Fact Sheet guidance that recommends covered entities to take at least the following steps to guard against breaches from ransomware and other malware attacks:

Review all vendor and contractor relationships to ensure business associate agreements are in place as appropriate and address breach/security incident obligations.
Risk analysis and risk management should be integrated into business processes; conducted regularly and when new technologies and business operations are planned.
Ensure audit controls are in place to record and examine information system activity.
Implement regular review of information system activity.
Utilize multi-factor authentication to ensure only authorized users are accessing ePHI.
Encrypt ePHI to guard against unauthorized access to ePHI.
Incorporate lessons learned from incidents into the overall security management process.
Provide training specific to organization and job responsibilities and on regular basis; reinforce workforce members’ critical role in protecting privacy and security.
two recent resolutions agreements and other guidance and enforcement actions make clear that all covered entities should ensure their ability to demonstrate their completion of these and other actions a risk analysis shows are needed to defend against a ransomware or other malware threats. This guidance also alerts covered entities to stay vigilant and update risk assessments and safeguards in response as to evolving threats.

Covered entities should not assume the relatively modest settlement amounts collected in the two new ransomware settlements compared to exponentially greater resolution settlements like the $4.75 million settlement payment New York based Montefiore Medical Center made last year reflect greater tolerance for ransomware related threats versus internal or external hacking. To the contrary, the Montefiore Medical Center resolution makes clear the randomware threat is one of a multitude of internal and external threats covered entities must defend their protected health information against to comply with HIPAA.

Moreover, covered entities and their leaders also should take steps to understand and fully address all other statutory, ethical, contractual or other privacy or confidentiality requirements beyond those imposed by HIPAA. For example, health care providers, health plans and their fiduciaries, brokers, administrators and insurers also may bear responsibilities under the Employee Retirement Income Security Act fiduciary responsibility rules, the Fair and Accurate Credit Transactions Act, federal and state electronic crimes, privacy data security, artificial intelligence, workforce, tax, and other laws.

Publicly traded organizations and their leaders also may face responsibilities and liability under new Securities and Exchange Commission regulations, clawback rules and other laws arising from the occurrence or bungled response to a breach.

Likewise, got businesses sponsoring or administering employment-based health plans, Employee Benefit Security Administration considers managing cybersecurity risks a part of the fiduciary obligations of fiduciaries of employment-based health plans. Meanwhile, health care providers, insurance organizations and brokers, third party administrators, government contractors, attorneys and other advisors and others also may be subject to medical confidentiality and other data privacy and security obligations under federal and state electronic crimes, identity theft, ethics, professional licensure, contractual, common law privacy and other statutory and common laws. Since HIPAA and many of these other laws involve potential criminal as well as civil liability, organizations and leaders in covered entities generally should ensure their HIPAA and other cybersecurity compliance efforts are included in and administered according to their Federal Sentencing Guidelines Compliance program.

While it commonly is necessary or advisable to involve consulting or other technical support in the conduct of these activities, HIPAA entities should keep in mind the likelihood that their analysis and review is likely to uncover and prompt discussion of potentially legally or politically sensitive information. For this reason, HIPAA entities and their leaders generally will want to engage experienced legal counsel for assistance in structuring and executing these activities to maximize their ability to claim attorney-client privilege or other evidentiary protections against discovery or disclosure of certain aspects of these activities.

In planning for an implementing these procedures, Covered Entities also are reminded that the effectiveness of these efforts requires that the Covered Entities incorporate appropriate processes and policies for monitoring and investigating compliance with the policies and procedures implemented to comply with HIPAA. Conducting this monitoring and investigation by necessity is likely to involve surveillance, investigation and cooperation of employees, contractors, vendors and others for which Fair Credit Reporting Act background check notification and consent and other procedures are necessary or advisable.

Finally, HIPAA entities should keep in mind that HIPAA and other cybersecurity compliance and risk management is an ongoing process requiring constant awareness and diligence. Consequently, HIPAA entities should both monitor OCR and other regulatory and enforcement developments as well as exercise ongoing vigilance to monitor and maintain compliance within their organizations.

For More Informational

We hope this update is helpful. For more information about these or other health or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.

About the Author

A Fellow in the American College of Employee Benefit Counsel, Co-Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee and Vice-Chair Elect of its International Employment Law Committee, Chair-Elect of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading-edge work, scholarship and thought leadership on healthcare and life science, managed care and insurance and other workforce and staffing, employee benefits, safety, contracting, quality assurance, compliance and risk management, and other legal, public policy and operational concerns in the healthcare and life sciences, employee benefits, managed care and insurance, technology and other related industries. She speaks and publishes extensively on these and other related compliance issues.

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, life sciences, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. Scribe for the ABA JCEB Annual Meeting with the HHS Office of Civil Rights, her experience includes extensive involvement throughout her career in advising health care and life sciences and other clients about preventing, investigating and defending EEOC, DOJ, OFCCP and other Civil Rights Act, Section 1557 and other HHS, HUD, banking, and other federal and state discrimination investigations, audits, lawsuits and other enforcement actions as well as advocacy before Congress and regulators regarding federal and state equal opportunity, equity and other laws.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here such as:

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Leave a Comment » | business associate, data breach, data security, Doctor, Electronic Health Records, Electronic Medical Records, Employer, Federal Health Center, Federal Sentencing Guidelines, Fiduciary Responsibility, Genetic Information, GINA, Health Care, Health Care Finance, Health Care Provider, Health Insurance, Health IT, Health Plan, Health Plans, healthcare, HHS, HIPAA, HIPAA Cyber Crime, HITECH Act, Home Health, home health, Hospice, Hospital, hospitals, long-term care, Medical Privacy, Medical Records, NIST, nursing home, occupational health, OCR, Pharmacy, Physician, primary care, Self-Insured Group health Plans, Telemedicine | Tagged: Breach Notification, Data Breach, Data Security, Federal Sentencing Guidelines, Health Care, Health Care Compliance, Health Care Provider, Health Plans, Health Policy, HHS, HIPAA, Hospital, Hospitals, Medical Privacy, OCR, pharmacy, PHI, Physician, Privacy, Security | Permalink
Posted by Cynthia Marcotte Stamer

Hospital System Pays $4.75 Million HIPAA Breach Settlement

February 8, 2024

The $4.75 million settlement payment New York based Montefiore Medical Center is paying to settle charges by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) Health Insurance Portability and Accountability Act (HIPAA) that multiple breaches of HIPAA’s Security Rule allowed a former employee to steal and sell more than 12,000 patients’ electronic personal health care information (EPHI) warns other health care providers, health plans, health care clearinghouses and their business associates (Covered Entities) to ensure their HIPAA compliance efforts incorporate adequate safeguards to protect their organizations’ EPHI against insider theft or other misuse as well as against external actors.

HIPAA Requirement To Protect Protected Health Information

The HIPAA Privacy, Security, and Breach Notification Rules require health care providers, health plans and insurers and others take steps to protect the privacy and security of patients’ protected health information. The HIPAA Security Rule requires Covered Entities to protect electronic protected health information and other protected health information against use, access, disclosure or destruction by third parties except under the conditions allowed by HIPAA. These requirements include the requirements of the Security Rule to conduct and document comprehensive security assessments of risks to sensitive data systems, to implement and enforce detailed security safeguards to protect EPHI and the systems containing that data against these threats, to train and enforce compliance with these safeguards, and other requirements. Meanwhile, the HIPAA Breach Notification Rule requires Covered Entities to report most breaches of unsecured EPHI to individuals whose data is affected, OCR, and in the case of breaches of EPHI affecting more than 500 individuals, to the media.

Despite these Rules and the expanded audit and enforcement efforts by OCR, cybersecurity threats and breaches continue to present significant threats to the privacy and security of protected health information possessed by Covered Entities. OCR’s breach reports reflect that EPHI breaches affecting more than 500 individuals (large breaches) remain common. These breach reports reveal that more than 134 million individuals were affected by large breaches in 2023, compared to the not insignificant 55 million individuals affected in 2022. In response to this continuing threat, HHS released a Department-wide Cybersecurity strategy for the health care sector in December of 2023, and released voluntary performance goals to enhance cybersecurity across the health sector just last week. The enforcement action and settlement with Montefiore Medical Center is the latest of the growing list of investigations and resulting high dollar settlements obtained by OCR in its efforts to enhance the security of EPHI through enforcement of the Security Rule.

Montefiore Medical Center $4.75 Million Settlement

The $4.75 million monetary settlement agreement and corrective action plan resolves Montefiore Medical Center’s exposure to potentially much greater penalties that OCR could impose for multiple Security Rule violations OCR reports finding while investigating a Montefiore Medical Center data breach report of the theft and sale of personal health information by an employee.

Montefiore Medical Center learned of the data theft while investigating a report from the New York Police Department of evidence of theft of a specific patient’s medical information in 2015. The internal investigation revealed two years previously a Montefiore Medical Center employee stole the electronic records containing patient’s name, address, SSN, next of kin, and health insurance information, of 12,517 patients from its electronic medical record system and then sold patient information to an identity theft ring. OCR learned of the breach when Montefiore Medical Center filed the breach report about the theft with OCR to comply with the HIPAA Breach Notification Rule.

In accordance with its policy of investigating all breach reports involving the personal health information of more than 500 individuals (a large breach), OCR conducted an investigation of the breach reported in the Montefiore Medical Center breach notification report. According to OCR, that investigation revealed the breach and theft of the Montefiore patients’ EPHI was made possible by multiple potential violations of the HIPAA Security Rule, including failures by Montefiore Medical Center:

To analyze and identify potential risks and vulnerabilities to protected health information,
To monitor and safeguard its health information systems’ activity, and
To implement policies and procedures that record and examine activity in information systems containing or using protected health information.

OCR concluded without these safeguards in place, Montefiore Medical Center was unable to prevent the cyberattack or even detect the attack had happened until years later.

Under the terms of the settlement, Montefiore Medical Center will pay $4,750,000 to OCR and implement a corrective action plan that identifies certain steps toward protecting and securing the security of protected health information. These actions include:

Conducting an accurate and thorough assessment of the potential security risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information;
Developing a written risk management plan to address and mitigate security risks and vulnerabilities identified in the Risk Analysis;
Developing a plan to implement hardware, software, and/or other procedural mechanisms that record and examine activity in all information systems that contain or use electronic protected health information;
Reviewing and revising, if necessary, written policies and procedures to comply with the HIPAA Privacy and Security Rules;
Providing training to its workforce on HIPAA policies and procedures; and
Submit to monitoring of its compliance by OCR for two years.

Covered Entities Urged To Protect EPHI From Internal & External Security Threats

The Montefiore breach illustrates both how cyber criminals and thieves frequently target EPHI held by Covered Entities for criminal purposes and reminds Covered Entities that these breaches often are committed or facilitated by employees or other insiders of their own or a business associate’s organization. The $4,750,000 settlement paid by Montefiore Medical Center demonstrates the significant financial consequences that a Covered Entity is likely to incur if it experiences a breach as a result of its failure to adequately comply with HIPAA Security Rules from both external and internal threats.

To mitigate these risks, Covered Entities must be prepared to demonstrate their efforts to implement safeguards to mitigate or prevent cyber threats in accordance with the HIPAA Security Rule. In conducting these activities, Covered Entities should heed the clear warning from the Montefiore Medical Center breach and settlement that the Security Rule requires the protection of EPHI from a broad range of ever-evolving internal and external threats. While theft by a malicious insider definitely is one of these risks, cyberthreat and breach experiences within the health care and other industries as well as OCR’s enforcement, investigation and other guidance demonstrate that Covered Entities must be vigilant to monitor and manage a multitude of ever-changing risks. Covered Entities and their leaders must be prepared to demonstrate the adequacy of their ongoing efforts to identify and manage these risks in compliance with the Security Rule.

As part of these efforts, OCR recommends that Covered Entities HIPAA Security and other cybersecurity defenses include, but not be limited to:

Reviewing all vendor and contractor relationships to ensure business associate agreements are in place as appropriate and address breach/security incident reporting obligations.
Integrating risk analysis and risk management into business processes; and ensuring that they are conducted regularly, especially when new technologies and business operations are planned. Ensuring audit controls are in place to record and examine information system activity.
Implementing regular review of information system activity.
Utilizing multi-factor authentication to ensure only authorized users are accessing protected health information.
Encrypting protected health information to guard against unauthorized access.
Incorporating lessons learned from previous incidents into the overall security management process.
Providing training specific to organization and job responsibilities and on regular basis; and reinforcing workforce members’ critical role in protecting privacy and security.

Additionally, HIPAA entities and their leaders also should take steps to understand and fully address all other statutory, ethical, contractual or other privacy or confidentiality requirements beyond those imposed by HIPAA. For example, health care providers, health plans and their fiduciaries, brokers, administrators and insurers also may bear responsibilities under the Employee Retirement Income Security Act fiduciary responsibility rules, the Fair and Accurate Credit Transactions Act, federal and state electronic crimes and privacy laws. Publicly traded organizations and their leaders may face responsibilities and liability under new Securities and Exchange Commission regulations. The Employee Benefit Security Administration considers managing cybersecurity risks a part of the fiduciary obligations of fiduciaries of employment-based health plans. Meanwhile, health care providers, insurance organizations and brokers, third party administrators, government contractors, attorneys and other advisors and others also may be subject to medical confidentiality and other data privacy and security obligations under federal and state electronic crimes, identity theft, ethics, professional licensure, contractual, common law privacy and other statutory and common laws.

For More Information

About the Author

A Fellow in the American College of Employee Benefit Counsel, Co-Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee and Vice-Chair Elect of its International Employment Law Committee, Chair-Elect of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading-edge work, scholarship and thought leadership on healthcare and life science, managed care and insurance and other workforce and staffing, employee benefits, safety, contracting, quality assurance, compliance and risk management, and other legal, public policy and operational concerns in the healthcare and life sciences, employee benefits, managed care and insurance, technology and other related industries. She speaks and publishes extensively on these and other related compliance issues.

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, life sciences, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. Scribe for the ABA JCEB Annual Meeting with the HHS Office of Civil Rights, her experience includes extensive involvement throughout her career in advising health care and life sciences and other clients about preventing, investigating and defending EEOC, DOJ, OFCCP and other Civil Rights Act, Section 1557 and other HHS, HUD, banking, and other federal and state discrimination investigations, audits, lawsuits and other enforcement actions as well as advocacy before Congress and regulators regarding federal and state equal opportunity, equity and other laws.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here such as:

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Leave a Comment » | Academic medicine, Health Care, HIPAA, HIPAA Cyber Crime | Tagged: Cybecrime, cybersecurity, Data Breach, Employee, Hacking, Health insurer, Health Plan, healthcare, HIPAA, Hospital, Identity Theft, Insider, medical, OCR, Personal Health Care Information, Physician, Privacy, Security | Permalink
Posted by Cynthia Marcotte Stamer

eBay Paying $59 Million to Settle Controlled Substances Act Allegations About Website Pill Press Sales

January 31, 2024

The U.S. Department of Justice announced today that e-commerce company eBay Inc. will pay $59 million and enhance its compliance program to settle charges it violated the Controlled Substances Act (CSA) in connection with the use of its platform to sell thousands of pill presses and encapsulating machines. The fourth largest CSA settlement in history, it reaffirms the continuing Justice Department war on fentanyl and other illegal opiate distribution.

Criminals can use pill presses and encapsulating machines to manufacture illegal drugs. When used with a mold, stamp, or die mimicking commonly prescribed controlled substances, pill presses are capable of producing counterfeit pills that appear indistinguishable from legitimate pharmaceutical drugs, including pills that are sometimes laced with fentanyl. The Justice Department says counterfeit pills laced with fentanyl are a significant contributor to the deadly overdose epidemic.

The CSA regulates certain pharmaceutical manufacturing equipment, including pill presses and encapsulating machines, by requiring identity verification of purchasers, record-keeping, and reporting to the Drug Enforcement Administration (DEA). These requirements seek to prevent individuals from obtaining these machines to use for illegal purposes and to allow the government to trace the machines to the end user. Associate Attorney General Vanita Gupta, Chair of the Justice Department’s Opioid Epidemic Civil Litigation Task Force says the Justice Department is committed to using all available enforcement measures to ensure that companies involved in selling the equipment that makes it possible to create these dangerous pills comply with the Controlled Substances Act.”

The Justice Department has successfully prosecuted many of eBay’s pill press buyers for trafficking illegal counterfeit pills. The Justice Department alleges eBay violations of the CSA requirements for thousands of pill presses and encapsulating machines sold through its website, including high-capacity pill presses capable of producing thousands of pills per hour. The Justice Department investigation further found that hundreds of eBay’s pill press buyers also purchased counterfeit molds, stamps, or dies, allowing them to produce pills that mimicked the products of legitimate pharmaceutical companies,

Justice Department officials say eBay made it easy for individuals across the country to use its website to obtain the type of dangerous machines that are often used to make counterfeit pills.and that some of these machines were even sold to individuals who were later convicted of drug related crimes.

U.S. Attorney Henry C. Leventis for the Middle District of Tennessee says today’s settlement holds eBay accountable for its compliance lapses and serves as a reminder to other e-commerce companies that the Justice Department will enforce these requirements, and will help keep these items out of the hands of criminals moving forward.

In addition to the large monetary settlement, eBay also has agreed to maintain and enhance its compliance program with respect to its prohibited and restricted items policy as it pertains to sales of pill presses, counterfeit molds, stamps, and dies, and encapsulating machines.

Coupled with other high profile prosecutions and settlements of nationwide pharmacies, physicians and others, the eBay settlement alerts all parties connected with the manufacture, prescription, distribution and sale of opiates and other controlled substances to use care to ensure the defensibility of their actions.

For More Information

About the Author

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, life sciences, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. Author of a multitude of highly regarded publications on HIPAA and other medical record and data privacy and scribe for the ABA JCEB Annual Meeting with the HHS Office of Civil Rights, her experience includes extensive involvement throughout her career in advising health care and life sciences and other clients about preventing, investigating and defending EEOC, DOJ, OFCCP and other Civil Rights Act, Section 1557 and other HHS, HUD, banking, and other federal and state discrimination investigations, audits, lawsuits and other enforcement actions as well as advocacy before Congress and regulators regarding federal and state equal opportunity, equity and other laws.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here such as:

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Leave a Comment » | Health Care | Tagged: Compliance, controlled substance, Corporate Compliance, DEA, DOJ, drugs, eBay, FDA, fentanyl, Health Care, Health Care Compliance, Health Care Provider, Health Plans, Hospitals, Justice Department, Opiates, pain management, pharmacist, pharmacy, Physician, Physicians, Prescription Drugs, public health | Permalink
Posted by Cynthia Marcotte Stamer

Fee Set for Providers & Plans Using No Surprises Act Independent Dispute Resolution To Resolve Post 2/20/24 Disputes

December 19, 2023

$115 is the fee that with health care providers, facilities, and providers of air ambulance services (“providers”) and health plans participating in the Independent Dispute Resolution (“IDR”) process required by the No Surprises Act (the “NSA”) to resolve disputes over the amount the health plan will pay the provider for out-of-network health care or items for because the health plan and provider cannot reach agreement about the appropriate amount outside the IDR process will be required to pay disputes initiated on or after February 21, 2023 under a new final rule scheduled for publication by the of Health and Human Services (“HHS”), Labor (“DOL”) and Treasury (“Treasury”) (collectively the “Departments”) on December 21, 2023.

The Departments establishment of the IDR fee for post-February 20, 2025 disputes and their previous December 15, 2023 announcement of the full reopening of the IDR portal for all dispute categories are part of the Departments’ ongoing response to the August 3, 2023 Federal District court ruling in Texas Medical Association, et al. v. U.S. Department of Health & Human Services, et al., No. 6:23-cv-00059-JDK (TMA IV), which vacated portions of the previous guidance that the Departments previously adopted to establish the IDR process and the administrative fee amount for the Federal IDR process for disputes initiated during the calendar year beginning January 1, 2023.

Post February 22, 2024 IDR Fees

On December 18, 2023, the Departments released an advance copy of the final rule (the “Rule”) setting the fees the NSA requires both the health plan or issuer and a health care provider, facility, or air ambulance services provider (the “parties”) when the parties must use the NSA Federal Independent Dispute Resolution (IDR) process to set the amount a health plan must pay the provider for out-of-network medical care or items because the plan and provider cannot agree on an appropriate payment amount for disputes initiated on or after the date the Rule is published in the Federal Register. Since the Rule is scheduled for publication in the Federal Register on December 21, 2023, the new fee will apply to disputes initiated after February 20, 2023.

In response to the TMA IV ruling, the Rule amends existing regulations to provide that the Departments going forward will determine the administrative fee charged by the Departments to participate in the Federal IDR process, and the ranges for certified IDR entity fees for single and batched determinations, through annual notice and comment rulemaking, rather than in guidance published annually. The preamble to the final rule also sets forth the methodology used to calculate the administrative fee and the considerations used to develop the certified IDR entity fee ranges.

Following this new process, the Rule also finalizes an administrative fee amount of $115 per party and finalizes a certified IDR entity fee range of $200-$840 for single determinations and $268-$1,173 for batched determinations for disputes initiated on or after February 21, 2023.

Interested parties can review the Rule here and the Departments Fact Sheet on the Rule here.

IDR Portal Reopened December 15, 2023

The Rule establishing the IDR fee for disputes initiated after February 20, 2024 follows the Departments’ December 15, 2023 announcement of their reopening of the IDR portal for processing all health benefit disputes covered by the NSA between providers and payers.

As part of its provisions to protect patients from “surprise bills” or out-of-network services covered by the NSA, the NSA establishes rules and procedures for providers and payers to determine the appropriate out-of-network payment rate for out-of-network services received by patients enrolled in covered payer programs. Where payers and providers cannot agree about the appropriate payment rate using other NSA procedures, the IDR portal is the online system established under the NSA for disputing payers and health care providers arrange for a certified IDR entity to resolve disagreements about the appropriate out-of-network payment rate for items and services subject to the surprise billing protections in the NSA through a process in which the certified IDR entity reviews offers made by each disputing party along with supporting information about the dispute. Once established under the NSA, payers are required to pay providers the appropriate payment rate for the covered out-of-network services provided to the member patient and the provider is prohibited from balance billing charges in excess of the appropriate payment rate for those services. The Departments previously suspended the operation of the IDR portal earlier this year after a federal court ruled that rules adopted by the Departments implementing the NSA violated the NSA.

In connection with the reopening of the IDR Portal, the Departments also announced the following extensions of the applicable IDR deadlines for the initiation of new batched disputes and new single disputes involving air ambulance services, resubmission of disputes determined by certified IDR entities to be improperly batched, and selection or reselection of a certified IDR entity.

Parties for whom the IDR initiation deadline under applicable regulations fell on any date between August 3, 2023 and December 15, 2023 will have until the 20th business day after the Federal IDR portal reopens, which is January 16, 2024, to initiate a new batched dispute or a new single dispute involving air ambulance services. Parties for whom the IDR initiation deadline falls between December 16, 2023 and January 15, 2024 will also have until January 16, 2024 to initiate a batched or air ambulance dispute. Parties whose initiation deadline falls on January 16, 2024 or after will have the usual 4 business days after the end of the Open Negotiation Period, or if the dispute is subject to the 90-calendar-day suspension period following a payment determination, the usual 30 business day period, to initiate a batched or air ambulance dispute in the Federal IDR portal.
For batched disputes and single disputes involving air ambulance services initiated under extensions of deadlines after the Federal IDR portal reopens, the deadline for the parties to jointly select a certified IDR entity will be 10 business days after initiation.
For disputing parties that were engaged in certified IDR entity selection for batched disputes when the Federal IDR portal temporarily closed, the deadline for parties to jointly select a certified IDR entity will be 10 business days after the Federal IDR portal reopens, which is December 29, 2023.
An initiating party that has received a notification from a certified IDR entity that a dispute initiated before August 3, 2023 was improperly batched will have one opportunity to resubmit the improperly batched items and services for reconsideration within 10 business days of being notified by the certified IDR entity, provided that the initiating party’s 4-business-day period to resubmit the batched dispute expired between August 3 and August 9, 2023.
The deadline to submit fees and offers will remain 10 business days after certified IDR entity selection.
Disputing parties with batched disputes that were impacted by the temporary suspension of use of the notice of offer form will be granted an additional 10 business days to submit offers, as communicated to impacted disputing parties by email from the Federal IDR Inbox.

The deadline extensions announced December 15, 2023 supplement extensions the Departments previously announced in November, 2023. On November 22, 2023, the Departments used their statutory authority (Internal Revenue Code Section 9816(c)(9), ERISA Section 716(c)(9), and PHS Act Section 2799A-1(c)(9)) to grant extensions in the following circumstances:

Disputing parties may request additional time, beyond the current business day deadline, to respond to the certified IDR entity’s requests for additional information. The Departments instructed certified IDR entities to grant such requests through January 16, 2024.
Certified IDR entities may provide parties, upon request, an additional 10 business days after the original offer deadline to submit an offer. Certified IDR entities may provide parties this additional time, as needed, through January 16, 2024.

On November 29, 2023, the Departments also announced another extension of the timeline for disputing parties to select a certified IDR entity. Under this extension, disputing parties will have 10 business days to select a certified IDR entity for all disputes through January 16, 2024. This extension will be provided automatically and does not require a request by disputing parties.

The Departments already announced the November 22, 2023 and November 29, 2023 extensions until January 16, 2023 for new single and bundled disputes and these extensions will persist for all disputes until January 16, 2023.

In connection with their full reopening of the IDR portal, the Departments renewed prior reminders to parties accessing or using the IDR portal to clear their computer’s cache or open the Federal IDR initiation web forms in a private or incognito window to see all the new features at least once a week to ensure access to the most up-to-date version of the initiation form as the Departments continue to implement Federal IDR web forms to accommodate guidance-related and system enhancements. Users failing to follow this recommendation risk additional follow-up with certified IDR entities or system errors. 

Users also are encouraged to review other previously published guidance, including No Surprises Act (NSA) Independent Dispute Resolution (IDR) Batching and Air Ambulance Policy Frequently Asked Questions (FAQs), FAQs about Affordable Care Act and Consolidated Appropriations Act, 2023 Implementation Part 63 (FAQs Part 63), FAQs about Consolidated Appropriations Act, 2021 Implementation Part 62 (FAQs Part 62), and the August 2023 IDR Administrative Fees FAQs for further information.

Parties can also reference updated IDR system job aids and updated guidance documents for further information

For More Information

About the Author

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, life sciences, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. Scribe for the ABA JCEB Annual Meeting with the HHS Office of Civil Rights, her experience includes extensive involvement throughout her career in advising health care and life sciences and other clients about preventing, investigating and defending EEOC, DOJ, OFCCP and other Civil Rights Act, Section 1557 and other HHS, HUD, banking, and other federal and state discrimination investigations, audits, lawsuits and other enforcement actions as well as advocacy before Congress and regulators regarding federal and state equal opportunity, equity and other laws.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here such as:

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Leave a Comment » | balance billing, Health Care, Health Care Finance, health care reimbursement, Health Plans, Reimbursement, Self-Insured Group health Plans | Tagged: air ambulance, Health Care Finance, Health Care Provider, health coverage, Health Plans, health-benefits, no surprises act, out-of-network, Physician | Permalink
Posted by Cynthia Marcotte Stamer

No Surprises Act IDR Portal Now Open For All Covered Health Claims; Added Deadline Extensions Announced

December 15, 2023

The No Surprises Act (“NSA”) Federal Independent Dispute Resolution (“IDR”) portal now is reopened for processing all health benefit disputes covered by the NSA between health care providers, facilities, and providers of air ambulance services (“providers”), and group health plans, health insurance issuers, and Federal Employee Health Benefits Program carriers (“payers”) (collectively, “disputing parties”). The Departments of Health & Human Resources, Labor and Treasury (“Departments”) reopened the IDR Portal on December 15, 2023 for all types of NSA-covered claims including previously initiated batched disputes, new batched disputes, and new single disputes involving air ambulance services.

As part of its provisions to protect patients from “surprise bills” or out-of-network services covered bu the NSA, the NSA establishes rules and procedures for providers and payers to determine the appropriate out-of-network payment rate for out-of-network services received by patients enrolled in covered payer programs. Where payers and providers cannot agree about the appropriate payment rate using other NSA procedures, the IDR portal is the online system established under the NSA for disputing payers and health care providers arrange for a certified IDR entity to resolve disagreements about the appropriate out-of-network payment rate for items and services subject to the surprise billing protections in the NSA through a process in which the certified IDR entity reviews offers made by each disputing party along with supporting information about the dispute. Once established under the NSA, payers are required to pay providers the appropriate payment rate for the covered out-of-network services provided to the member patient and the provider is prohibited from balance billing charges in excess of the appropriate payment rate for those services. The Departments previously suspended the operation of the IDR portal earlier this year after a federal court ruled that rules adopted by the Departments implementing the NSA violated the NSA.

Parties for whom the IDR initiation deadline under applicable regulations fell on any date between August 3, 2023 and December 15, 2023 will have until the 20th business day after the Federal IDR portal reopens, which is January 16, 2024, to initiate a new batched dispute or a new single dispute involving air ambulance services. Parties for whom the IDR initiation deadline falls between December 16, 2023 and January 15, 2024 will also have until January 16, 2024 to initiate a batched or air ambulance dispute. Parties whose initiation deadline falls on January 16, 2024 or after will have the usual 4 business days after the end of the Open Negotiation Period, or if the dispute is subject to the 90-calendar-day suspension period following a payment determination, the usual 30 business day period, to initiate a batched or air ambulance dispute in the Federal IDR portal.
For batched disputes and single disputes involving air ambulance services initiated under extensions of deadlines after the Federal IDR portal reopens, the deadline for the parties to jointly select a certified IDR entity will be 10 business days after initiation.
For disputing parties that were engaged in certified IDR entity selection for batched disputes when the Federal IDR portal temporarily closed, the deadline for parties to jointly select a certified IDR entity will be 10 business days after the Federal IDR portal reopens, which is December 29, 2023.
An initiating party that has received a notification from a certified IDR entity that a dispute initiated before August 3, 2023 was improperly batched will have one opportunity to resubmit the improperly batched items and services for reconsideration within 10 business days of being notified by the certified IDR entity, provided that the initiating party’s 4-business-day period to resubmit the batched dispute expired between August 3 and August 9, 2023.
The deadline to submit fees and offers will remain 10 business days after certified IDR entity selection.
Disputing parties with batched disputes that were impacted by the temporary suspension of use of the notice of offer form will be granted an additional 10 business days to submit offers, as communicated to impacted disputing parties by email from the Federal IDR Inbox.

Disputing parties may request additional time, beyond the current business day deadline, to respond to the certified IDR entity’s requests for additional information. The Departments instructed certified IDR entities to grant such requests through January 16, 2024.
Certified IDR entities may provide parties, upon request, an additional 10 business days after the original offer deadline to submit an offer. Certified IDR entities may provide parties this additional time, as needed, through January 16, 2024.

Parties should reference the No Surprises Act (NSA) Independent Dispute Resolution (IDR) Batching and Air Ambulance Policy Frequently Asked Questions (FAQs), FAQs about Affordable Care Act and Consolidated Appropriations Act, 2023 Implementation Part 63 (FAQs Part 63), FAQs about Consolidated Appropriations Act, 2021 Implementation Part 62 (FAQs Part 62), and the August 2023 IDR Administrative Fees FAQs for further information. Parties can also reference updated IDR system job aids and updated guidance documents for further information.

Questions can be directed to the Federal IDR mailbox at FederalIDRQuestion@cms.hhs.gov. Any additional updates will be provided at www.cms.gov/nosurprises as they become available.

For More Information

About the Author

A Fellow in the American College of Employee Benefit Counsel, Co-Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee and Vice-Chair Elect of its International Employment Law Committee, Chair-Elect of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading-edge work, scholarship and thought leadership on healthcare and life science, managed care and insurance and other workforce and staffing, employee benefits, safety, contracting, quality assurance, compliance and risk management, and other legal, public policy and operational concerns in the healthcare and life sciences, employee benefits, managed care and insurance, technology and other related industries. She speaks and publishes extensively on these and other related compliance issues.

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, life sciences, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. Scribe for the ABA JCEB Annual Meeting with the HHS Office of Civil Rights, her experience includes extensive involvement throughout her career in advising health care and life sciences and other clients about preventing, investigating and defending EEOC, DOJ, OFCCP and other Civil Rights Act, Section 1557 and other HHS, HUD, banking, and other federal and state discrimination investigations, audits, lawsuits and other enforcement actions as well as advocacy before Congress and regulators regarding federal and state equal opportunity, equity and other laws.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here such as:

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Leave a Comment » | Health Care | Tagged: air ambulance, arbitration, balance billing, CIICO, CMS, debt, Health, Health Care Reimbursement, Health Insurance, Health Plan, Hospital, law, no surprises act, Patients, Physician | Permalink
Posted by Cynthia Marcotte Stamer

Tri-Agencies Announce New Surprise Billing IDR Fees Amid Continued Court-Required IDR Suspension

August 11, 2023

Health care providers, health plans and health plan sponsors, and their administrative services providers should evaluate and update their billing and claims practices in response to the No Surprises Act (NSA) Independent Dispute Resolution (IDR) Administrative Fee Frequently Asked Questions (FAQs) jointly released by the Department of Health and Human Services (HHS), the Department of Labor (DOL), and the Department of the Treasury (collectively, the “Departments”) on August 11, 2023).

The No Surprises Act (NSA) established a Federal Independent Dispute Resolution (“IDR”) medical claims review process that allows out-of-network providers, facilities, and providers of air ambulance services, and group health plans, health insurance issuers in the individual and group markets, and Federal Employee Health Benefits (“FEHB”) carriers (disputing parties) to determine the out-of-network rate for out-of-network emergency services and certain items and services provided by out-of-network providers at in-network facilities and out-of-network air ambulance services.

The IDR process currently is suspended following the August 3 , 2023 ruling by the United States District Court for the Eastern District of Texas in Texas Medical Association v. United States Department of Health and Human Services, Case No. 6:23-cv-59-JDK, vacating certain portions of 45 C.F.R. § 149.510, 26 C.F.R. § 54.9816-8T, and 29 C.F.R. § 2590-716-8, which are parallel provisions governing the Federal IDR.

The Court granted summary judgement to the Texas Medical Association and other provider plaintiffs challenging these federal IDR rules for arbitration of health coverage disputes between payers and providers under the No Surprises Act. The Court agreed with the health care providers that the rules violated federal law by failing to take into account the full range of factors Congress directed be considered when enacting the IRO rules as part of the No Surprises Act.

Immediately following the Court’s entry of the order, the Departments temporarily suspended the federal IDR medical claims review process including the ability to initiate new disputes and directed certified IDR entities to pause all IDR-related activities in response an the ruling. As a result of the suspension, the Patient-Provider Dispute Resolution Portal also temporarily ceased accepting new initiated disputes.

When announcing the suspension, the they would review the court’s decision to evaluate changes to current IDR processes, templates, and system updates necessary to comply with the court’s order. The Departments said they will issue updates to these processes in the near future and will provide specific directions to certified IDR entities for resuming all IDR-related activities in a manner consistent with the court’s judgment and order “soon.” Until then, arbitration of disputes between payers and providers under covered employment based group health plans and individual and group health insurance subject to the law will be delayed.

The FAQs are not announcing the reopening of the Federal IDR portal to initiate new disputes. Accordingly, the IDR process remains in suspension pending further action by the Departments. In the meantime, however, the FAQs clarify the administrative fee amount that each disputing party will be required to pay to engage in the Federal IDR process when the IDR process suspension resumes as a result of the Texas Medical Association opinion and order.

Delay in final processing and adjudication of surprise bills resulting from the suspension of the IDR processes creates headaches and ambiguity for both providers and payers. Pending resumption of the IDR process, many payers and providers are likely to reconsider negotiated resolution of pending disputes to mitigate these effects. Whether pursuing this option during the suspension, payers and providers impacted by the USR rules will want to follow developments closely to be prepared to move forward quickly when the suspension ends. Stay tuned here for more developments.

For More Information

About the Author

A Fellow in the American College of Employee Benefit Counsel, Co-Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee and VIce-Chair Elect of its International Employment Law Committee, Chair-Elect of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading-edge work, scholarship and thought leadership on healthcare and life science, managed care and insurance and other workforce and staffing, employee benefits, safety, contracting, quality assurance, compliance and risk management, and other legal, public policy and operational concerns in the healthcare and life sciences, employee benefits, managed care and insurance, technology and other related industries. She speaks and publishes extensively on these and other related compliance issues.

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, life sciences, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. Scribe for the ABA JCEB Annual Meeting with the HHS Office of Civil Rights, her experience includes extensive involvement throughout her career in advising health care and life sciences and other clients about preventing, investigating and defending EEOC, DOJ, OFCCP and other Civil Rights Act, Section 1557 and other HHS, HUD, banking, and other federal and state discrimination investigations, audits, lawsuits and other enforcement actions as well as advocacy before Congress and regulators regarding federal and state equal opportunity, equity and other laws.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here such as:

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Leave a Comment » | Health Care | Tagged: Health Care, Health Care Compliance, Health Care Provider, Health Plans, Hospital, IDR, no surprises act, pain management, pharmacy, Physician, Physicians, surprise billing | Permalink
Posted by Cynthia Marcotte Stamer

Banner Health Pays $1.25 Million To Settle Cybersecurity Breach Impacting Nearly 3 Million Individuals

February 3, 2023

Phoenix-based nonprofit health system Banner Health and its affiliates (“Banner Health”) paid $1.25 million and agreed to take corrective actions to resolve its exposure to potentially much greater Health Insurance Portability and Accountability Act (HIPAA) Security Rule civil monetary penalty exposure for a 2016 cyber hacking breach that compromised the personal health information of 2.81 million consumers. OCR used its February 2 announcement of the Banner Health settlement to warn health care providers, health plans, health care clearinghouses (“covered entities”) and business associates covered by HIPAA to guard their own systems containing protected health information against breach by cyber hacking.

Banner Health Settlement

Banner Health is one of the largest non-profit health systems in the country, with over 50,000 employees and operating in six states. Banner Health is the largest employer in Arizona and one of the largest in northern Colorado.

In November 2016, OCR initiated an investigation of Banner Health following the receipt of a breach report stating that a threat actor had gained unauthorized access to electronic protected health information, potentially affecting millions. The hacker accessed protected health information that included patient names, physician names, dates of birth, addresses, Social Security numbers, clinical details, dates of service, claims information, lab results, medications, diagnoses and conditions, and health insurance information.

OCR’s investigation found evidence of long-term, pervasive noncompliance with the HIPAA Security Rule across Banner Health’s organization, a serious concern given the size of this covered entity. Organizations must be proactive in their efforts to regularly monitor system activity for hacking incidents and have measures in place to sufficiently safeguard patient information from risk across their entire network.

The potential violations OCR identified specifically included:

A lack of an analysis to determine risks and vulnerabilities of electronic protected health information across the organization;
Insufficient monitoring of its health information systems’ activity to protect against a cyber-attack;
Failure to implement an authentication process to safeguard its electronic protected health information; and
Failure to have security measures in place to protect electronic protected health information from unauthorized access when it was being transmitted electronically.

Under the Resolution Agreement and Corrective Action Plan negotiated to resolve these potential violations, Banner Health paid $1,250,000 to OCR. Banner Health also agreed to implement a corrective action plan, which identifies steps Banner Health will take to resolve these potential violations of the HIPAA Security Rule and protect the security of electronic patient health information that will be monitored for two years by OCR to ensure compliance with the HIPAA Security Rule. Under the corrective action plan, Banner has agreed to take the following steps:

Conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic patient/system data across the organization
Develop and implement a risk management plan to address identified risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI
Develop, implement, and distribute policies and procedures for a risk analysis and risk management plan, the regular review of activity within their information systems, an authentication process to provide safeguards to data and records, and security measures to protect electronic protected health information from unauthorized access when it is being transmitted electronically, and
Report to HHS within thirty (30) days when workforce members fail to comply with the HIPAA Security Rule.

OCR Warns Other HIPAA-Covered Entities

In the health care sector, hacking is now the greatest threat to the privacy and security of protected health information. OCR’s announcement of the settlement reports 74 percent (74%) of the breaches reported to OCR in 2021 involved hacking/IT incidents.

The announcement also notes OCR offers an array of resources to help health care organizations bolster their cybersecurity posture and comply with the HIPAA Rules,

The settlement and OCR’s announcement warn other covered entities and business associates to use these and other necessary resources to protect their systems with protected health information from cyber hacking and other breaches.

In conjunction with reminding other covered entities of these resources, the settlement announcement quotes OCR Director Melanie Fontes Rainer as a warning, “Hackers continue to threaten the privacy and security of patient information held by health care organizations, including our nation’s hospitals, … It is imperative that hospitals and other covered entities and business associates be vigilant in taking robust steps to protect their systems, data, and records, and this begins with understanding their risks, and taking action to prevent, respond to and combat such cyber-attacks. … Cyber security is on all of us, and we must take steps to protect our health care systems from these attacks.”

OCR’s enforcement record confirms these are not idyl threats. Breaches of the Security or Breach Notification Rules often result in significant civil monetary penalty assessments or negotiated settlements to mitigate civil liability exposures arising out of such breaches. See e.g., Clinical Laboratory Pays $25,000 To Settle Potential HIPAA Security Rule Violations (May 25, 2021); Health Insurer Pays $5.1 Million to Settle Data Breach Affecting Over 9.3 Million People (January 15, 2021); Aetna Pays $1,000,000 to Settle Three HIPAA Breaches(October 28, 2020); Health Insurer Pays $6.85 Million to Settle Data Breach Affecting Over 10.4 Million People (September 25, 2020); HIPAA Business Associate Pays $2.3 Million to Settle Breach Affecting Protected Health Information of Over 6 million Individual – (September 23, 2020); Lifespan Pays $1,040,000 to OCR to Settle Unencrypted Stolen Laptop Breach (July 27, 2020); Small Health Care Provider Fails to Implement Multiple HIPAA Security Rule Requirements (July 23, 2020).

Alerts issued by OCR regarding heightened security risks in recent months and a growing tide of highly publicized breaches send a strong warning to other covered entities and their business associates to reconfirm the adequacy of their own HIPAA privacy, security, breach notification and other procedures and protections by among other things:

Reviewing and monitoring on a documented, ongoing basis the adequacy and susceptibilities of existing practices, policies, safeguards of their own organizations, as well as their business associates and their vendors within the scope of attorney-client privilege taking into consideration data available from OCR, data regarding known or potential susceptibilities within their own operations as well as in the media, and other developments to determine if additional steps are necessary or advisable.
Updating policies, privacy and other notices, practices, procedures, training and other practices as needed to promote compliance and defensibility.
Renegotiating and enhancing service provider agreements to detail the specific compliance, audit, oversight and reporting rights, workforce and vendor credentialing and access control, indemnification, insurance, cooperation and other rights and responsibilities of all entities and individuals that use, access or disclose, or provide systems, software or other services or tools that could impact on security; to clarify the respective rights, procedures and responsibilities of each party in regards to compliance audits, investigation, breach reporting, and mitigation; and other relevant matters.
Verifying and tightening technological and other tracking, documentation and safeguards and controls to the use, access and disclosure of protected health information and systems.
Conducting well-documented training as necessary to ensure that members of the workforce of each covered entity and business associate understand and are prepared to comply with the expanded requirements of HIPAA, understand their responsibilities and appropriate procedures for reporting and investigating potential breaches or other compliance concerns, and understand as well as are prepared to follow appropriate procedures for reporting and responding to suspected
violations or other indicia of potential security concerns.
Tracking and reviewing on a systemized, well-documented basis actual and near-miss security threats to evaluate, document decision-making and make timely adjustments to policies, practices, training, safeguards and other compliance components as necessary to identify and resolve risks.
Establishing and providing well-documented monitoring of compliance that includes board-level oversight and reporting at least quarterly and sooner in response to potential threat indicators.
Establishing and providing well-documented timely investigation and redress of reported
violations or other compliance concerns.
Establishing contingency plans for responding in the event of a breach.
Establishing a well-documented process for monitoring and updating policies, practices and other efforts in response to changes in risks, practices and requirements.
Preparing and maintaining a well-documented record of compliance, risk, investigation and other security activities.
Pursuing other appropriate strategies to enhance the covered entity’s ability to demonstrate its compliance commitment both on paper and in operation.

Because of susceptibilities in systems, software and other vendors of business associates, suppliers and other third parties, covered entities and their business associates should use care to assess and manage business associate and other vendor-associated risks and compliance as well as tighten business associate and other service agreements to promote the improved cooperation, coordination, management and oversight required to comply with the new breach notification and other HIPAA requirements by specifically mapping out these details.

Beyond these HIPAA exposures, breaches and other HIPAA noncompliance carries other liability risks. Leaders of covered entities or their business associates also are cautioned that while HIPAA itself does not generally create any private right of action for victims of breach under HIPAA, breaches may create substantial liability for their organizations or increasingly, organizational leaders. For instance, the Department of Health & Human Services has warned health care providers participating in Medicare or other federal programs and Medicare Advantage health plans that HIPAA compliance is a program term of participation.

Health care providers and health insurers can face liability under state data privacy and breach, negligence or other statutory or common laws. In addition, physicians and other licensed parties may face professional discipline or other professional liability for breaches violating statutory or ethical standards.

Health plans also face a myriad of other exposures from failing to use appropriate cyber safeguards. Plan fiduciaries of employment-based health plans covered by the Employee Retirement Income Security Act (“ERISA”) risk liability under ERISA’s fiduciary responsibility rules. The Department of Labor Employee Benefit Security Administration (“EBSA”) now audits the adequacy of the cybersecurity and other HIPAA compliance of health plans and their third-party administrators and other business associates as part of EBSA’s oversight and enforcement of ERISA. Department of Labor Assistant Secretary for EBSA Lisa Gomez confirmed audit and enforcement of cybersecurity obligations is a key priority in EBSA’s current work plan in her February 4, 2023 comments to the American Bar Association.

Meanwhile, the Securities and Exchange Commission has indicated that it plans to pursue enforcement against leaders of public health care or other public companies that fail to use appropriate care to ensure their organizations comply with privacy and data security obligations.

Furthermore, appropriate cyber security practices also may be advisable elements for organizations to include in their Federal Sentencing Guideline Compliance Programs to mitigate potential organization liability risks under federal electronic crime and related laws.

In the face of these risks and warnings, all covered entities and their business associates should reassess and confirm the adequacy of their and their business associates’ cyber security defenses and breach response preparations.

More Information

About the Author

A Fellow in the American College of Employee Benefit Counsel, Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee, Chair-Elect of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading-edge work, scholarship and thought leadership on health and managed care and employer benefits legal, public policy and operational concerns in the healthcare, employer benefits, and insurance and financial services industries. She speaks and publishes extensively on HIPAA and other related compliance issues.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here such as:

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Leave a Comment » | Cyber crime, data breach, data security, DME, Doctor, Employer, ERISA, Federal Sentencing Guidelines, Health Care Finance, Health Care Provider, Health Insurance, Health IT, Health Plan, Health Plans, HHS, HIPAA, HIPAA Cyber Crime, HITECH Act, home health, Hospice, Hospital, hospitals, Licensing, Meaningful Use, Medicaid, Medicaid Advantage, Medical Licensure, Medical Malpractice, Medical Privacy, Medical Records, Medicare, Medicare Advantage, OCR, Peer Review, Physician Licensing, retaliation, Technology, Telemedicine, Whistleblower | Tagged: ARRA, Breach Notification, CMS, Compliance, Corporate Compliance, Data Breach, Data Security, Doctor, DOJ, EHR, Electronic Health Records, Employer, false claims act, Federal Sentencing Guidelines, Health Care, Health Care Compliance, Health Care Fraud, Health Care Provider, Health Care Reimbursement, Health Insurance, Health IT, Health Plan, Health Plans, HHS, HIPAA, HIPAA Privacy, HITECH Act, Hospital, Hospitals, licensure, Medicaid, Medical Privacy, Medicare, OCR, Office of Civil Rights, OIG, PHI, Physician, Physicians, Privacy, Protected Health Information | Permalink
Posted by Cynthia Marcotte Stamer

4 Pharmacies Pay $6.8+ Million To Settle Copayment Waiver Civil False Claims Act Claims

October 14, 2022

The $6.8 million settlement paid by four pharmacies to settle False Claims Act civil claims warns other pharmacies and other health care providers against improper copayment or other cost sharing waiver, billing and referral practices.

The Department of Justice announced October 12, 2022 that DermaTran Health Solutions, LLC (“DermaTran”); Pharmacy Insurance Administrators, LLC; Legends Pharmacy; TriadRx; and the former owners of Lake Side Pharmacy and related entities, agreed to pay $6,876,564 to resolve allegations that they violated the False Claims Act by waiving copays, charging the government higher prices than permitted, and trading federal healthcare business with other pharmacies.

The government alleged that in 2012, pharmacy DermaTran opened in Rome, Georgia, for the purpose of making and selling custom “compound” pain creams. DermaTran’s owners during the relevant time include DIII Consulting, LLC; SRM Holdings, LLC; Gussenhoven Holdings, LLC; Sam Moss; and Robert Gussenhoven. At the same time, another company named Pharmacy Insurance Administrators, LLC (“PIA”), was created to handle the billing for DermaTran. During the relevant time, PIA was a subsidiary of Insurance Administrative Solutions, LLC; which was a subsidiary of Gulfcoast Administrators, LLC; which was majority-owned by Life & Health Holdings, Inc.; which was a subsidiary of State Mutual Insurance Company.

Compound pain creams were very lucrative. Government-backed health insurance programs such as TRICARE (for the military) and the Federal Employees Health Benefits Program (for federal workers) would reimburse hundreds of dollars for these prescriptions. But the government programs imposed certain restrictions to limit spending. For example, patients were required to contribute to the cost of the prescription in the form of copays. The government programs also limited payments to the “usual and customary price”—the price charged to a cash-paying, uninsured patient.

The Government alleged that DermaTran and PIA found ways to avoid these restrictions. DermaTran and PIA created a copay-waiver program where patients would have their copays waived based on a brief, unverified statement of economic need. DermaTran and PIA also misled the government programs about the price being charged to uninsured, cash-paying patients by falsely stating that that price was high when, in fact, it was only $30. As a result, there were days that veterans were charged $600+ for pain creams, while uninsured patients were charged only $30.

Eventually, various auditors uncovered these problems and began to terminate DermaTran from their networks. The Government alleged that DermaTran, looking for a way to continue to earn money, began selling its out-of-network prescriptions to other pharmacies. The other pharmacies could fill the prescriptions because they were still in network. After filling the lucrative prescriptions, the other pharmacies remitted a portion of the proceeds to DermaTran and PIA. The government alleged that this arrangement constituted an illegal kickback. The other pharmacies that participated in this prescriptions-for-money scheme included Legends Pharmacy (in Texas), Lake Side Pharmacy (in Alabama), and TriadRx (in Alabama).

This settlement resulted from a joint investigation by the U.S. Attorney’s Office for the Northern District of Georgia, the FBI, the Defense Criminal Investigative Service, the US Office of Personnel Management – Office of the Inspector General, the U.S. Postal Service – Office of Inspector General, and the Health and Human Services – Office of Inspector General.

This civil settlement resolves a lawsuit filed in the U.S. District Court for the Northern District of Georgia by a former accountant for DermaTran, under the qui tam, or whistleblower provisions, of the False Claims Act. United States ex rel. Doe v. DermaTran Health Solutions, LLC, et al., Civil Action No. 1:17-CV-1765. Under the False Claims Act, private citizens may bring suit for false claims on behalf of the United States and share in any recovery obtained by the government.

Under the settlement, PIA will contribute $6.5 million to the settlement. DermaTran is no longer operating and was sold in an arm’s-length transaction to a third-party buyer last year for the price of $40,000. That amount will be turned over to the government as part of the settlement. MLDP of Texas, LP (a/k/a “Legends Pharmacy”) will pay $59,293. TRIAD Rx, Inc. will pay $166,547. Lake Side Pharmacy is no longer in business, but former owners of Lake Side Pharmacy will pay $110,724. The former owners include Titan Medical Marketing, LLC; Donald Wayne Bogue; George Takashi Elkins; James Bernard Bogue, Jr.; Robert Joseph Puckett, Jr.; Robert Joseph Puckett, Sr.; Stephen Weston Wilson; and Charles Franklin Taylor, Jr. The whistleblower will receive $1,434,775 from the settlements. PIA will also pay her attorney’s fees.

The settlement documents the commitment of the Justice Department, the Department of Health & Human Services (“HHS”) Office of Inspector General (“OIG”) and other federal agencies to enforce the False Claims Act to recover government payments that result from improper waiver of copays, charging the government higher prices and other improper practices in violation of the False Claims Act. The agencies made a point of including their respective warnings in their announcement of the settlement.

“Health care fraud abuse like this case erodes the trust patients have in the health care system,” said Keri Farley, Special Agent in Charge of FBI Atlanta. “The FBI will not stand by when there are allegations of companies operating corporate wide schemes to illegally line their pockets.”

“Fraud through compounding pharmacies bilked billions out of TRICARE and undermined the integrity of our healthcare system designed to care for our service members and their families,” stated Cynthia Bruce, Special Agent in Charge of the Department of Defense, Office of Inspector General, Defense Criminal Investigative Service (DCIS). “I appreciate the partnership among involved law enforcement agencies and the U.S. Attorney’s Office to bring this matter to justice.”

“The OPM OIG has no tolerance for businesses that knowingly take advantage of FEHBP, violating the rules to make a profit,” said Amy K. Parker, Special Agent in Charge, OPM OIG. “I am extremely proud of the hard work of our investigators, analysts, and other law enforcement partners because overcharging the government is not a victimless crime – it contributes to higher premium prices and harms the financial integrity of the FEHBP.”

“The U.S. Postal Service, Office of Inspector General, will continue to tirelessly investigate those who commit frauds against federal benefit programs and the U.S. Postal Service. This settlement is a clear message that the USPS OIG is dedicated to rooting out corruption and bringing to justice those responsible for these crimes, said Special Agent in Charge Matthew Modafferi of the U.S. Postal Service, Office of Inspector General Northeast Area Field Office. The USPS OIG would like to thank our law enforcement partners and the Department of Justice for their efforts in this investigation”.

“Health care providers that try to boost their profits by submitting fraudulent claims to Federal health care programs threaten the integrity of those programs and drive up prices for everyone,” said Tamala E. Miles, Special Agent in Charge with the U.S. Department of Health and Human Services Office of Inspector General. “We work tirelessly alongside our law enforcement partners to protect the integrity of Federal health care programs and to ensure the appropriate use of taxpayer dollars.”

More Information

We hope this update is helpful. For more information about the these or other health or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.

About the Author

A Fellow in the American College of Employee Benefit Counsel, Vice Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on health and managed care industry legal, public policy and operational concerns.

Ms. Stamer’s work throughout her 30 plus year career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access of this publication.

Leave a Comment » | Health Care | Tagged: CMS, controlled substance, DEA, drugs, false claims act, Federal Sentencing Guidelines, Health Care, Health Care Compliance, Health Care Fraud, Health Care Provider, Health Plans, Hospital, Medicaid, Medicare, Medicare Part B, OIG, pain management, Physician, Physicians, Reimbursement | Permalink
Posted by Cynthia Marcotte Stamer

Doctor, Three Pharmacists Among 8 Charged With Illegally Distributing More Than 1.2 Million Oxycodone Pills

October 13, 2022

Criminal inditements unsealed October 12, 2022 against a Brooklyn area doctor, three pharmacies and four employees illustrate federal authorities’ continuing war against providers for wrongfully distributing oxycodone or other controlled substances.

The 10-count indictment unsealed charges Dr. Somsri Ratanaprasatporn, her office manager Leticia Smith, pharmacists Bassam Amin, Omar Elsayed, and Yousef Ennab, Michael Kent, Anthony Mathis, and Raymond Walker with conspiracy to distribute and possess with intent to distribute oxycodone and related crimes. Smith and Kent are also charged with money laundering in connection with their alleged efforts to hide the proceeds of their illegal oxycodone distribution operation. All eight defendants were arrested this morning and are scheduled to be arraigned this afternoon before United States Magistrate Judge Robert M. Levy.

As set forth in the indictment and publicly filed documents, between December 2018 and October 2022, the defendants operated a drug distribution ring out of a medical practice on Linden Boulevard in East New York, Brooklyn. Together, they unlawfully distributed more than 11,000 prescriptions for oxycodone.

According to the unsealed inditements, the structured drug trafficking ring’s operations started in a doctor’s office and ended with more than 1.2 million dangerously addictive opioids worth $24 million supplied to the streets of New York City,. Ratanaprasatporn, a pediatrician and general practitioner, and Smith, issued the prescriptions; Amin, Ennab and Elsayed filled the prescriptions at pharmacies in Brooklyn and Staten Island, and Kent, Mathis, and Walker oversaw “crews” of sham patients who received medically unnecessary prescriptions. Together, the defendants made millions of dollars from the scheme. During the execution of a search warrant this morning, members of law enforcement recovered several hundred thousand dollars in U.S. currency from Smith’s residence. Law enforcement also recovered two handguns that Kent was observed tossing from a rear door of his residence.

The charges in the indictment are allegations, and the defendants are presumed innocent unless and until proven guilty. If convicted of the drug charges, the defendants face up to 20 years’ imprisonment. If convicted of the money laundering charges, Smith and Kent face up to 20 years’ imprisonment for each count.

Oxycodone is a highly addictive opioid used to treat severe and chronic pain conditions. Addition and other abuse often starts from medications prescribed by or otherwise made available by health care providers.

Every year, millions of Americans abuse oxycodone. Misuse of painkillers like oxycodone leads to hundreds of thousands of annual emergency room visits. More than 16,000 Americans died from prescription opioid overdoses in 2020. Oxycodone prescriptions have enormous cash value to drug dealers. For example, one oxycodone 30 mg tablet, which was the dosage prescribed in this case, can be sold by dealers on the street for between $20 and $30 in New York City.

The growing epidemic of abuse of oxycodone and other prescription pain medications have prompted federal and state authorities to partner in their fight against pain medication abuse.

The charges are the result of an ongoing Organized Crime Drug Enforcement Task Forces (OCDETF) investigation led by the United States Attorney’s Office for the Eastern District of New York and the DEA. The principal mission of the OCDETF program is to identify, disrupt, and dismantle the most serious drug trafficking, weapons trafficking, and money laundering organizations, and those primarily responsible for the nation’s illegal drug supply. OCDETF uses a prosecutor-led, intelligence-driven, multi-agency approach that leverages the strengths of federal, state, and local law enforcement agencies against criminal networks.

Like many other recent prosecutions, these inditements target health care providers profiting off of the illegal prescription or other distribution of oxycodine or other controlled substances.

In announcing the inditements, representatives of each participating agency reintegrated their agencies commitment to continue investigation and prosecuting health care providers improperly distributing controlled substances.

“Doctors and medical professionals have a professional obligation to do no harm, but, as alleged, the defendants callously supplied more than one million pills to traffickers for distribution, resulting in dangerous opioids flooding the streets of this district,” stated United States Attorney Peace. “Today’s charges demonstrate this Office’s continued commitment to stemming the availability of illegal drugs and holding to account those who contribute to the epic tragedy that is the opioid epidemic.”

DEA Special Agent-in-Charge Tarentino warned the “DEA and our law enforcement partners will continue to hold DEA Registrants and other medical professionals to the highest possible standards and also hold them accountable when they knowingly endanger members of the community.”

“With this multi-million-dollar criminal scheme, it’s alleged the defendants made their profits off the vulnerabilities and addictions of their customers throughout New York City. Law enforcement partnerships like those seen here today have been and continue to be an integral part of stopping the flow of highly addictive narcotics into our communities,” stated IRS-CI Special Agent-in-Charge Fattorusso.

“Today’s charges show how diverted prescription drugs still fuel the opioid epidemic in New York. The Bureau of Narcotic Enforcement remains resolute in its commitment to work together with our federal and local law enforcement partners to disrupt and dismantle the criminal organizations that abuse the public’s trust in health care practitioners to move these dangerous and addictive pills from pharmacies to our neighborhoods,” stated BNE Director Vinciguerra.

Along with vigorous investigation and enforcement of providers and others involved in illegal distribution, federal and state authorities also have worked to tighten rules, standards and records keeping requirements for the legal prescription of opioids and other narcotics by physicians and other prescribers and stepped up disciplinary investigation and enforcement of these requirements. Billing for prescriptions of opioids beyond the parameters of tightened parameters also can trigger overprescribing and other allegations. Physician and other prescribers, pharmacists and pharmacies and other health industry participants should use care to establish and ensure they and their staff meticulously follow appropriate protocols and procedures to ensure their ability to defend their handling of opioid and other narcotic painkillers.

More Information

About the Author

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Leave a Comment » | Health Care | Tagged: controlled substance, DEA, Drug Testing, drugs, false claims act, Health Care, Health Care Compliance, Health Care Fraud, Health Care Provider, Hospital, Medical Board, Medicare, pain management, pharmacist, pharmacy, Physician, Physicians, Reimbursement | Permalink
Posted by Cynthia Marcotte Stamer

OCR Dental Practices Settlements Warn Providers To Honor HIPAA Access Rights

September 20, 2022

Today’s U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announcement of resolution agreements with three separate dental practices warns all health care providers, health plans and health care clearinghouses of the importance of complying with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule’s patient right of access and other federal and state mandates about providing patients and health plan members access to their records.

The following three resolution agreements OCR announced September 20, 2022 underscore the importance and necessity of compliance with the right of access and other HIPAA requirements:

Chicago-based Family Dental Care, P.C. (“FDC”), paid $30,000.00 to resolve potential OCR charges aiding from OCR’s investigation located in Chicago, Illinois. OCR received a complaint on August 8, 2020, alleging that FDC failed to provide a former patient with timely access to her complete medical records. The former patient requested her entire medical records in May 2020, but received only portions. The former patient filed a complaint with OCR, and during OCR’s investigation, FDC provided her with the remainder of her records in October 2020. Thus, FDC did not provide a complete copy of the records until more than five months after the request was made. OCR’s investigation determined that FDC’s failure to provide timely access to the requested medical records was a potential violation of the HIPAA right of access provision. FDC agreed to pay $30,000 and implement a corrective action plan.

Georgia based dental and orthodontics provider Great Expressions Dental Center of Georgia, P.C. (“GEDC-GA”) paid $80,000 to resolve concerns arising from OCR’s investigation of a November 2020 complaint alleging that GEDC-GA would not provide an individual with copies of her medical records because she would not pay GEDC-GA’s $170 copying fee. The individual first requested her records in November 2019, but did not receive them until February 2021, over a year later. OCR’s investigation determined that GEDC-GA’s failure to provide timely access to the requested medical records, and its practice of assessing copying fees that were not reasonable and cost-based, were potential violations of the HIPAA right of access provision. GEDC-GA agreed to pay $80,000 and implement a corrective action plan.

Las Vegas, Nevada dental practice B. Steven L. Hardy, D.D.S., LTD, doing business as Paradise Family Dental (“Paradise”) paid $25,000 to resolve potential violations uncovered after OCR investigated an October 26, 2020 complaint alleging that Paradise had failed to provide a mother with copies of her and her minor child’s protected health information. The mother submitted multiple record requests between April 11, 2020, and December 4, 2020, but Paradise did not send the records until December 31, 2020, more than eight months after her initial request. OCR’s investigation determined that Paradise’s failure to provide timely access to the requested medical records was a potential violation of the HIPAA right of access provision. Paradise agreed to pay $25,000 and implement a corrective action plan.

The three newly announced resolution agreements bring to 41 the number of resolution agreements OCR has announced since announcing its program targeting access right violations. OCR call Rosov call Riedel access violations are the most common of all reported HIPAA violations.

OCR made clear its announcements of these resolution agreements to “send an important message to dental practices of all sizes that are covered by the HIPAA Rules to ensure they are following the law,” said OCR Director Melanie Fontes Rainer. “Patients have a fundamental right under HIPAA to receive their requested medical records, in most cases, within 30 days. I hope that these actions send the message of compliance so that patients do not have to file a complaint with OCR to have their medical records requests fulfilled.”

Health care providers as well as health plans should heed thus strong warning by ensuring their compliance with the HIPAA right of access as well as other applicable rules about providing patient and plan members copies of records or other data. for healthcare providers, you can please but are not limited to State medical records, ethics, and other rules and regulations. Or health plan, the HIPAA Records access rules are in addition to the Employee Retirement Invome Security Act mandates to provide plan records when requested.

If circumstances come to light that indicate a breach of the access or any other HIPAA standards, Covered Entities also promptly should work with legal counsel timely to investigate, determine and provide any required notifications or other corrective action and document their actions to meet applicable HIPAA and other legal obligations and mitigate liability.

Of course, all HIPAA-covered entities and their leaders always must keep in mind that their responsibilities and potential liability for mishandling protected health information could extend well beyond HIPAA. In addition to the civil monetary penalties HIPAA authorizes, mishandling the collection, protection or disposal of PHI or other sensitive data also can trigger other legal exposures. For instance, as HIPAA compliance is part of the Conditions of Participation that Medicare participating Covered Entities and Medicare Advantage Plans must meet to qualify for program participation, noncompliance could trigger program exclusion, False Claims Act or related exposures. Deficiencies in security or destruction of credit card, banking or other PHI that also qualifies as personal financial information could trigger exposure under Federal Trade Commission, state identity theft and privacy or other laws. Public companies and their leaders also may need to evaluate if deficiencies in their security or destruction protocols trigger investor disclosure obligations under Securities and Exchange Commission rules or other federal or state laws. Considering these and other exposures, documented, compliance and defensibility of PHI and other sensitive information use, protection, disclosure and destruction should rank high among the priorities of all Covered Entities and their leaders.

More Information

About the Author

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Leave a Comment » | dental, Health Care | Tagged: Compliance, DME, Electronic Health Records, Federal Sentencing Guidelines, Health Care, Health Care Provider, Health IT, Health Plan, Health Plans, Health Policy, HIPAA, HIPAA Privacy, HITECH Act, Home Care, Hospital, Hospitals, Medicaid, Medical Licensure, Medical Practice, Medicare, OCR, ONC, pain management, PBMs, Pharma, pharmacist, pharmacy, PHI, physical therapy, Physician, Physicians, Privacy, Protected Health Information | Permalink
Posted by Cynthia Marcotte Stamer

Learn About DOJ Federal Antitrust Health Industry Market Competition Enforcement & Latest On $2.67 Billion BCBS Class Action Antitrust Settlement In 9/8 JCEB Webex

September 2, 2022

As qualifying individuals and companies that purchased or received health insurance await instructions on how to claim their share of the $2.67 billion In re: Blue Cross Blue Shield Antitrust Litigation private federal class action civil antitrust lawsuit settlement (“Settlement”) finally approved August 9, 2022 against the Blue Cross Blue Shield Association (“BCBSA”) and other settling individual Blue Cross Plans, employers and other plan sponsors, health care systems and providers, health insurers, pharmacy benefit managers, brokerages, and other health and health insurance market participants need to keep in mind that the private antitrust judgements are not their only exposure under federal antitrust laws. Health insurance and health industry market participants that engage in anticompetitive conduct or business transactions also risk investigation and prosecution under federal antitrust laws by the U.S. Department of Justice, the Federal Trade Commission and state regulators or attorneys general.

Market participants and others with health or health insurance industry market competitiveness concerns or interests should register and attend the September 8, 2022 Justice Department Health Industry Antitrust Enforcement Update to learn about key federal antitrust statutes regulating or prohibiting anticompetitive conduct and business transactions and hear how the Department of Justice uses these laws to promote market competition in the health care and health insurance marketplaces.

Hosted by the American Bar Association Joint Committee on Employee Benefits, the webinar will feature a discussion by U.S. Department of Justice Civil Division Healthcare and Consumer Products Section Antitrust Attorney Natalie Melada of basic federal antitrust rules and principles the Justice Department relies upon to safeguard market competitiveness and discusses selected Justice Department antitrust litigation and other compliance and enforcement initiatives the Department of Justice has undertaken to protect competition in the healthcare industry. Attorney and Solutions Law Press, Inc. editor and author Cynthia Marcotte Stamer also will provide an update on the In re: Blue Cross Blue Shield Antitrust Litigation and resulting $2.67 billion settlement approved August 9.

For more details and to register for the program, see here.

More Information

Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and following and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Leave a Comment » | Academic medicine, Anethesiology, Antitrust, ASC, Childrens Health Insurance Program, Conditions of Participation, Cyber crime, data breach, Direct Primary Care, Durable Medical Equipment, E-Prescribing, Electronic Medical Records, Employee Benefits, Federal Sentencing Guidelines, Health Apps, Health Care, Health Care Finance, Health Care Fraud, Health Care Provider, Health Care Quality, Health Insurance, Health Insurance Exchange, Health IT, Health Plan, Health Plans, healthcare, HHS, HIPAA, HIPAA Cyber Crime, HITECH Act, Home Health, home health, Hospice, Hospital, Hospital, hospitals, Indian Health, Inpatient Rehabilitation, Inpatient Rehabilitation Facility, managed care, Medical Licensure, Medical Records, Medicare, Mental Health, Mental Heatlh, nursing home, occupational health, OCR, Outpatient, participating provider, Pharmaceudical, Pharmacy, Physician, Physician Licensing, physician licensure, Prescription Drugs, Privacy, Psychiatric, public health, Reproductive Rights, Rural Health Care, Self-Insured Group health Plans, Skilled Nursing Facility, substance abuse treatment | Tagged: Antitrust, Association, competition, Department of Justice, Employers, Group Purchasing Organizations, Health Care, Health Insurance, Health Plans, PBMs, Physician, Prescription Drugs, Protected Health Information | Permalink
Posted by Cynthia Marcotte Stamer

HIPAA Covered Entity Nailed With $300,000+ HIPAA Settlement For Improper PHI Disposal

August 23, 2022

A Massachusetts dermatology practice’s Health Insurance Portability & Accountability Act (“HIPAA”) $300,000 plus settlement with the Department of Health & Human Services Office for Civil Rights (OCR) reminds health care providers, health plans, health care clearinghouses and their business associates (“Covered Entities”) to use proper practices and safeguards when disposing of protected health information (“PHI”).

Following up on other OCR enforcement involving improper protection and disposal of paper and electronic PHI, the settlement with New England Dermatology P.C., d/b/a New England Dermatology and Laser Center (“NDELC”) OCR announced today (August 23, 2022) resolves charges that NDELC violated the HIPAA Privacy Rules when it placed specimen containers with patient identifying PHI in its parking lot garbage bin.

OCR interprets HIPAA as requiring Covered Entities to appropriate steps to ensure that safeguards are in place when disposing of patient information to keep it from being accessible by the public. ”Improper disposal of protected health information creates an unnecessary risk to patient privacy,” said Acting OCR Director Melanie Fontes Rainer.

On May 11, 2021, NEDLC filed a breach report with OCR that reported empty specimen containers with the PHI on labels were placed in a garbage bin in their parking lot. The containers’ labels included patient names and dates of birth, dates of sample collection, and name of the provider who took the specimen. On March 31, 2021, a third-party security guard found one specimen container bearing a label containing patient names, dates of birth, dates of sample collection, and name of the provider who took the specimen. During the investigation, NEDLC stated that from February 4, 2011 until March 31, 2021, it regularly discarded specimen containers with an attached label that contained PHI as regular waste, bagged and placed in an exterior dumpster accessible via the parking lot, without alteration to the PHI containing label.

OCR’s New England Regional Office found the practice of disposing of specimen containers with their labels containing PHI violated the HIPAA Privacy Rule including the impermissible use and disclosure of PHI and failure to maintain appropriate safeguards to protect the privacy of PHI.

Under the NEDLC Resolution Agreement negotiated to settle the alleged violations, NEDLC paid $300,640 to OCR and agreed to implement a “robust” corrective action plan that includes two years of OCR monitoring. Among other things, the corrective action plan requires NEDLC to:

Within 60 days, develop, maintain, and revise, as needed and present for OCR review its written policies and procedures to comply with the physical safeguard and disposal of PHI created, received or maintained by or on behalf of NEDLC and all other HIPAA Privacy, Security and Breach Notification and training protocols to ensure workforce member compliance with these policies; and sanctions for workforce members violating these requirements;
Implement the updated policies and procedures within 30 days of receipt of HHS approval;
Distribute the policies to existing members of its workforce within 30 days of receipt of HHS approval of the policies and subsequently to new members of the workforce within 30 days of their beginning of service and obtain a signed written or electronic initial compliance certification from all members of the workforce and relevant business associates stating that the workforce members have read, understand, and shall abide by such policies and procedures;
Assess, update, and revise, as necessary, the policies and procedures at least annually or as needed, provide the revised policies and procedures to HHS for review and approval, and redistribute to and obtained new compliance certifications from workforce members and business associates within 30 days of HHS approval;
If it receives information during the Compliance Term that a workforce member or business associate may have failed to comply with its policies and procedures for safeguarding PHI, promptly investigate and it the investigation finds a violation, notify HHS within 30 days of the violation and corrective action taken;
Comply with specified breach investigation and notification requirements;
Provide reports certified by a designated leader of the organization its implementation of the corrective action plan, annually and upon the occurrence of certain other events during the two-year monitoring period.

The NEDLC Resolution Agreement is not the first time OCR has nailed a Covered Entity for improper disposal of PHI. In 2015 Cornell Prescription Pharmacy paid OCR $125,000 and implemented a correction action plan to correct alleged HIPAA violations after an OCR investigation of a local news report confirmed unsecured paper documents containing PHI of more than 1600 patients were disposed of in an unlocked, open container on Cornell’s premises. The documents were not shredded and contained identifiable information regarding specific patients. See Cornell Prescription Pharmacy Resolution Agreement. See also $800,000 HIPAA Settlement in Medical Records Dumping Case.

To reduce their own exposure to potential HIPAA liability arising from improper disposal of PHI, covered entities should evaluate the adequacy of the PHI handling, security and disposal policies, procedures, training and compliance for potential weaknesses and take appropriate, timely documented corrective action to tighten their compliance with OCR’s regulations, OCR’s Frequently Asked Questions About the Disposal and other OCR enforcement actions and guidance on PHI disposal.

Since these evaluations could uncover past or ongoing compliance concerns, Covered Entities and business associates should consider engaging legal counsel experienced with HIPAA compliance to advise and aid the Covered Entity to structure, conduct, evaluate findings and determine and implement any corrective actions that the review reveals as required or advisable within the scope of attorney client privilege.

Effective protection and disposal of PHI requires that Covered Entities recognize and keep track of all PHI in the various phases of its lifecycle in the organization including when it is being disposed or or migrating through various systems. Sanctions for disposal of specimen bottles containing PHI labels should raise the need for awareness of disposal practices for other patient labeled items including identification bracelets, medication containers and labels, meal trays and the plethora of other items containing patient specific information. PHI disposal issues also can arise out of the disposal of files, storage containers, computers, copiers or other devices. For instance, under the Affinity Health Plan, Inc. Resolution Agreement, Affinity Health paid OCR $1,215,780 to settle potential HIPAA Civil Monetary Sanctions after OCR found it exposed the PHI of up to 344,579 individuals by returning photocopiers to a leasing agent without erasing the data contained on the copier hard drives.

Because HIPAA obligations continue even when a Covered Entity or business associate goes out of business, Covered Entities also need to take appropriate steps to provide for ongoing management, protection and disposal of PHI when they or a business associate ceases business. Thus, in the FileFax Resolution Agreement, for instance the receiver appointed to liquidate the assets of Filefax, Inc. agreed to pay $ 100,000 out of the receivership estate to OCR to settle potential HIPAA violations after Filefax shut its doors during the course of OCR’s investigation into alleged HIPAA violations.

Covered Entities must understand that these responsibilities generally cannot be met merely through adoption of a standard set of policies and procedures from a third-party. The HIPAA Privacy Rule requires all Covered Entities to prepare and document risk assessments and develop and enforce appropriate privacy and security policies and procedures. Security and disposal practices and procedures are among the elements of HIPAA compliance that OCR expects Covered Entities to address in the documented risk assessments the regulations require Covered Entities to prepare and maintain. See $750,000 HIPAA Settlement Underscores the Need for Organization Wide Risk Analysis. As with other HIPAA compliance responsibilities, OCR regulations require that Covered Entities include their documented assessment and decision-making about the adequacy and reasonableness of their PHI protection and destruction practices under HIPAA as part of their overall HIPAA risk assessment plan and practices.

While OCR guidance provides some examples of several practices that a Covered Entity might use that could or could not meet the destruction standards, these examples are not safe harbors. The regulations and guidance expect Covered Entities to conduct a documented review and assessment “of their own circumstances to determine what steps are reasonable to safeguard PHI through disposal and develop and implement policies and procedures to carry out those steps.” OCR guidance directs that Covered Entities should assess potential risks to patient privacy, as well as consider such issues as the form, type, and amount of PHI to be disposed. Covered entities are responsible for conducting and documenting their analysis as well as their adoption, implementation and enforcement of the resulting policies and procedures.

If circumstances come to light that indicate a breach of the standards in the course of the disposal compliance assessment or otherwise, Covered Entities also promptly should work with legal counsel timely to investigate, determine and provide any required notifications or other corrective action and document their actions to meet applicable HIPAA and other legal obligations and mitigate liability.

Of course, Covered Entities and their leaders always must keep in mind that their responsibilities and potential liability for mishandling PHI could extend well beyond HIPAA. In addition to the civil monetary penalties HIPAA authorizes, mishandling the collection, protection or disposal of PHI or other sensitive data also can trigger other legal exposures. For instance, as HIPAA compliance is part of the Conditions of Participation that Medicare participating Covered Entities and Medicare Advantage Plans must meet to qualify for program participation, noncompliance could trigger program exclusion, False Claims Act or related exposures. Deficiencies in security or destruction of credit card, banking or other PHI that also qualifies as personal financial information could trigger exposure under Federal Trade Commission, state identity theft and privacy or other laws. Public companies and their leaders also may need to evaluate if deficiencies in their security or destruction protocols trigger investor disclosure obligations under Securities and Exchange Commission rules or other federal or state laws. Considering these and other exposures, documented, compliance and defensibility of PHI and other sensitive information use, protection, disclosure and destruction should rank high among the priorities of all Covered Entities and their leaders.

More Information

About the Author

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Leave a Comment » | Academic medicine, Anethesiology, ASC, Childrens Health Insurance Program, Conditions of Participation, Cyber crime, data breach, Direct Primary Care, Durable Medical Equipment, E-Prescribing, Electronic Medical Records, Employee Benefits, Health Apps, Health Care, Health Care Finance, Health Care Fraud, Health Care Provider, Health Care Quality, Health Insurance, Health Insurance Exchange, Health IT, Health Plan, Health Plans, healthcare, HHS, HIPAA, HIPAA Cyber Crime, HITECH Act, Home Health, home health, Hospice, Hospital, Hospital, hospitals, Indian Health, Inpatient Rehabilitation, Inpatient Rehabilitation Facility, managed care, Medical Licensure, Medical Records, Medicare, Mental Health, Mental Heatlh, nursing home, occupational health, OCR, Outpatient, participating provider, Pharmaceudical, Pharmacy, Physician, Physician Licensing, physician licensure, Prescription Drugs, Privacy, Psychiatric, public health, Reproductive Rights, Rural Health Care, Self-Insured Group health Plans, Skilled Nursing Facility, substance abuse treatment | Tagged: Abortion, dobbs, Health Care, HIPAA, Physician, Protected Health Information, Reproductive Rights | Permalink
Posted by Cynthia Marcotte Stamer

Providers Should Use Care To Comply With New OCR HIPAA Reproductive Rights Disclosure Guidance

June 29, 2022

In response to the Supreme Court Dobbs vs. Jackson Women’s Health Organization abortion ruling the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued new guidance discussing when the protects patient reproductive health care records and information by health care providers, health plans, health care clearinghouses (“covered entities”) and their business associates.

The HIPAA Privacy Rule and Disclosures of Information Relating to Reproductive Health Care guidance generally addresses when the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule restricts or allows individuals’ private medical information (known as “protected health information” or “PHI”) relating to abortion and other sexual and reproductive health care. The guidance does not discuss responsibilities if any of providers or other covered entities under other federal or state laws. Instead, the guidance directs concerned about their obligations to disclose information concerning abortion or other reproductive health care to seek legal advice regarding their responsibilities under other federal and state laws.

Regiarding HIPAA, the guidance begins with the reminder that HIPAA covered entities and business associates can use and disclose PHI without an individual’s signed authorization, only on the narrow circumstances expressly permitted or required by the Privacy Rule.

The guidance goes on to explain when the Privacy Rule allows disclosures of PHI when required by law, for law enforcement purposes, and to avert a serious threat to health or safety. In keeping with the Biden Administration announced commitment to work to preserve the availability of abortion against restriction by state laws banning or restricting abortion rights following the Supreme Court’s decision, the guidance invites health care providers to resist disclosures HIPAA permits by making a point of saying that these exceptions are permitted but not required in bold language.

Disclosures Required by Law

The Privacy Rule permits but does not require covered entities to disclose PHI about an individual without the individual’s authorization, when the disclosure is required by another law and the disclosure complies with the requirements of the other law.9

The guidance states the HIPAA permission to disclose PHI as “required by law” is limited to “a mandate contained in law that compels an entity to make a use or disclosure of PHI and that is enforceable in a court of law.”10 Further, where a disclosure is required by law, the disclosure is limited to the relevant requirements of such law.11 Disclosures of PHI that do not meet the “required by law” definition in the HIPAA Rules,12 or that exceed what is required by such law, do not qualify as permissible disclosures.13

The guidance provides the following example:

An individual goes to a hospital emergency department while experiencing complications related to a miscarriage during the tenth week of pregnancy. A hospital workforce member suspects the individual of having taken medication to end their pregnancy. State or other law prohibits abortion after six weeks of pregnancy but does not require the hospital to report individuals to law enforcement. Where state law does not expressly require such reporting, the Privacy Rule would not permit a disclosure to law enforcement under the “required by law” permission. Therefore, such a disclosure would be impermissible and constitute a breach of unsecured PHI requiring notification to HHS and the individual affected.

Disclosures for Law Enforcement Purposes

The guidance also discusses when HIPAA allows disclosure of PHI for law enforcement purposes.

The Privacy Rule permits but does not require covered entities to disclose PHI about an individual for law enforcement purposes “pursuant to process and as otherwise required by law” only under certain conditions.14. As an example, the guidance states a covered entity may respond to a law enforcement request made through such legal processes as a court order or court-ordered warrant, or a subpoena or summons, by disclosing only the requested PHI, provided that all of the conditions specified in the Privacy Rule for permissible law enforcement disclosures are met.15

In the absence of a mandate enforceable in a court of law,16 the Privacy Rule’s permission to disclose PHI for law enforcement purposes does not permit a disclosure to law enforcement where a hospital or other health care provider’s workforce member chose to report an individual’s abortion or other reproductive health care. That is true whether the workforce member initiated the disclosure to law enforcement or others or the workforce member disclosed PHI at the request of law enforcement.17 OCR states this is because, state laws generally do not require doctors or other health care providers to report an individual who self-managed the loss of a pregnancy to law enforcement.18 Also, state fetal homicide laws generally do not penalize the pregnant individual, and “appellate courts have overwhelmingly rejected efforts to use existing criminal and civil laws intended for other purposes (e.g., to protect children) as the basis for arresting, detaining, or forcing interventions on pregnant” individuals.19 ,20

OCR illustrates its position with the following examples.

A law enforcement official goes to a reproductive health care clinic and requests records of abortions performed at the clinic. If the request is not accompanied by a court order or other mandate enforceable in a court of law, the Privacy Rule would not permit the clinic to disclose PHI in response to the request. Therefore, such a disclosure would be impermissible and constitute a breach of unsecured PHI requiring notification to HHS and the individual affected.
A law enforcement official presents a reproductive health care clinic with a court order requiring the clinic to produce PHI about an individual who has obtained an abortion. Because a court order is enforceable in a court of law, the Privacy Rule would permit but not require the clinic to disclose the requested PHI. The clinic may disclose only the PHI expressly authorized by the court order.

Disclosures to Avert a Serious Threat to Health or Safety

The guidance also points out that the Privacy Rule permits but does not require a covered entity, consistent with applicable law and standards of ethical conduct, to disclose PHI if the covered entity, in good faith, believes the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, and the disclosure is to a person or persons who are reasonably able to prevent or lessen the threat.21 OCR’s guidance states that the American Medical Association and American College of Obstetricians and Gynecologists and other professional bodies, professional standards of ethical conduct treat as unethical a disclosure of PHI to law enforcement or others regarding an individual’s interest, intent, or prior experience with reproductive health care.22

OCR illustrates its interpretation with the following example:

A pregnant individual in a state that bans abortion informs their health care provider that they intend to seek an abortion in another state where abortion is legal. The provider wants to report the statement to law enforcement to attempt to prevent the abortion from taking place. However, the Privacy Rule would not permit this disclosure of PHI to law enforcement under this permission for several reasons, including:

A statement indicating an individual’s intent to get a legal abortion, or any other care tied to pregnancy loss, ectopic pregnancy, or other complications related to or involving a pregnancy does not qualify as a “serious and imminent threat to the health or safety of a person or the public.

It generally would be inconsistent with professional ethical standards as it compromises the integrity of the patient–physician relationship and may increase the risk of harm to the individual.

Accordingly the guidance concludes, such a disclosure would be impermissible and constitute a breach of unsecured PHI requiring notification to HHS and the individual affected.

Disclosures in Litigation

Healthcare providers another covered entities also should anticipate becoming parties to or being asked to provide testimony or records for private litigation among parties over abortion or other reproductive rights as a result of the recent decision.

Whether participating as a party to litigation or responding to request to provide testimony or other evidence that includes confidential health information or other protected health information on reproductive rights, Healthcare providers and other HIPAA covered entities in business associates should be careful to ensure all requirements of HIPAA are met before sharing any information or records.

When a plaintiff or defendant in a legal proceeding, the covered entity may use or disclose protected health information for purposes of the litigation as part of its health care operations under 45 CFR 164.501. Covered entities and business associates must keep in mind, however, that they cannot share protected health information with their legal counsel until the legal counsel enters into a business associate agreement that meets the requirements of HIPAA.

Before sharing PHI in response to a subpoena or other litigation associated request, covered entities and business associates also generally must provide notice to the subject of the PHI and must make reasonable efforts to limit such uses and disclosures to the minimum necessary to accomplish the intended purpose. See 45 CFR 164.502(b), 164.514(d). In light of these requirements, covered entities and business associates dealing with these requests generally will want to seek the advice of a lawyer and may need to consider pursuing a protective order for requests for testimony or evidence containing PHI without authorization from the subject.

Covered Entities Should Use Care To Protect & Prevent Improper Disclosure

Providers, health plans and other covered entities and business associates should exercise height in Care when dealing with the use or disclosure of records or information on abortion or other reproductive rights and their activities associated with that care.

HIPAA is one of many legal land mines providers and other covered entities must avoid when addressing abortion or other reproductive care following the Dobbs decision. The Supreme Court decision holding the Constitution does not guarantee a right to abortion creates many more questions than answers. With parties on all sides of the question energized with activism, covered entities and business associates dealing with abortion and other reproductive health concerns should prepare to defend their actions both against legal challenges and political harassment. In this charged environment, healthcare providers and other covered entities and business associates healthcare providers and other covered entities and business associates handling records or other abortion or reproductive health concerns should prepare to face questions and demands for information regardless of how they choose to proceed. Accordingly, most healthcare providers and other covered entities will want engage legal counsel with experience with HIPAA and other health care experience to discuss these concerns and develop a plan of action within the scope of attorney-client privilege.

More Information

About the Author

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Leave a Comment » | Health Care | Tagged: Abortion, dobbs, Health Care, HIPAA, Physician, Protected Health Information, Reproductive Rights | Permalink
Posted by Cynthia Marcotte Stamer

6 Texas Physicians Face Federal Health Care Fraud Charges For Alleged Improper Kickbacks & Lab Testing Claims

May 29, 2022

The Department of Justice sent another strong warning to physicians and other health care provides not to violate the False Claims Act by making improper patient referrals in violation of the Anti-Kickback Statute and the Stark Law, billing federal health care programs for medically unnecessary laboratory testing or other services or both when charged six Texas physicians with federal health care fraud this week. The prosecution of the physicians for laboratory tests arranged and billed through management services organizations also reminds physicians and other providers that reliance upon management services or other third-party service providers generally does not protect a physician participating in prohibited laboratory or other testing, durable medical equipment, facility, physical therapy or other health care billing or referral arrangements from liability.

Charges Against Texas Physicians

This week, the Justice Department added the following six physicians as defendants to criminal charges filed in a False Claims Act complaint filed in January 2022 against former True Health Diagnostics LLC (THD) CEO Christopher Grottenthaler, former Boston Heart Diagnostics Corporation (BHD) CEO Susan Hertzberg, former LRH CEO Jeffrey Madison, and others:

Doyce Cartrett, Jr., M.D., of Silsbee, Texas, allegedly received over $320,000 from LRH and two management services organizations or “MSOs,” Ascend MSO of TX LLC (Ascend) and Eridanus MG LLC (Eridanus), in return for his referrals.
Elizabeth Seymour, M.D., of Corinth, Texas, allegedly received over $280,000 from two MSOs, Ascend and Eridanus, in return for her referrals.
Emanuel Paul “E.P.” Descant, II, M.D., of Spring, Texas, allegedly received over $125,000 from two MSOs, North Houston MSO and Tomball Medical Management Inc., in return for his referrals.
Frederick Brown, M.D., of Missouri City, Texas, allegedly received over $190,000 from two MSOs, Ascend and Indus MG LLC (Indus), in return for his referrals.
Heriberto Salinas, M.D., of Cleburne, Texas, allegedly received over $75,000 from two MSOs, Ascend and Herculis MG LLC (Herculis), in return for his referrals.
Hong Davis, M.D., of Lewisville, Texas, allegedly received over $70,000 from two MSOs, Ascend and Herculis, in return for her referrals.

The complaint in United States, et al. ex rel. STF, LLC v. True Health Diagnostics, LLC, et al., No. 4:16-cv-547 (E.D. Tex.) charges that small Texas hospitals including Rockdale Hospital dba Little River Healthcare (LRH), THD, BHD, the six physicians and others conspired to pay physicians to induce referrals to the hospitals for laboratory testing performed by THD or BHD. The charges stem from allegations made under the qui tam or whistleblower provisions of the False Claims Act by STF LLC by Felice Gersh, M.D. and Chris Riedel. The United States intervened in the qui tam action in December 2021.

The complaint alleges the charged hospitals paid a portion of their laboratory profits to recruiters, who in turn kicked back those funds to the referring physicians through MSOs allegedly set up by the recruiters to make payments to referring physicians. The Justice Department charges the alleged kickbacks were disguised as investment returns but actually were based on, and offered in exchange for, the physicians’ referrals. The complaint alleges that laboratory tests resulting from this referral scheme were billed to various federal health care programs, and that the claims not only were tainted by improper inducements but, in many cases, also involved tests that were not reasonable and necessary.

The Justice Department reports that before adding charges against the six physicians to the complaint this week, the Justice Department recovered more than $31 million relating to conduct involving BHD, THD and LRH, including False Claims Act settlements with 29 physicians, two health care executives and a laboratory company.

Health Care Fraud Liability Under False Claims Act, Anti-Kickback Statute, Stark Law

The Anti-Kickback Statute prohibits offering, paying, soliciting or receiving remuneration to induce referrals of items or services covered by Medicare, Medicaid and other federally-funded programs. The Stark Law forbids a hospital or laboratory from billing Medicare for certain services referred by physicians that have a financial relationship with the hospital or laboratory. The Anti-Kickback Statute and the Stark Law seek to ensure that medical providers’ judgments are not compromised by improper financial incentives and are instead based on the best interests of their patients.

The False Claims Act prohibits health care providers from billing federal health care programs for services resulting from referrals prohibited by the Anti-Kickback Statute or the Stark law.

Under the False Claims Act, a private party can file an action on behalf of the United States and receive a portion of the recovery. The False Claims Act also allows the Justice Department to intervene in such lawsuits and add claims and defendants, as happened in this litigation. The qui tam case is captioned United States, et al. ex rel. STF, LLC v. True Health Diagnostics, LLC, et al., No. 4:16-cv-547 (E.D. Tex.). If a defendant is found liable for violating the act, the United States may recover three times the amount of its losses plus applicable penalties.

The United States’ pursuit of this lawsuit illustrates the government’s emphasis on combating health care fraud generally with a special emphasis on physicians. For instance, U.S. Attorney Brit Featherston is quoted as saying, “Schemes that funnel health care referrals do not work without the participation of physicians. … They are not merely passive players in these elaborate schemes, but an integral part, without which the scheme could not exist. Our office is committed to rooting out health care fraud by pursuing all players involved the scheme, from the laboratories and their leaders to the marketers and the physicians who make it all possible. Naming these physicians in the complaint is evidence of that commitment.”

Given this clear warning, physicians and other prescribers, as well as recruiting, billing and management services organizations, laboratories and others involved in recruiting and marketing, providing or billing for laboratory or other services to double check the appropriateness of their referral and other practices keeping in mind that the Anti-Kickback Statute and Stark Law prohibitions against direct and indirect compensation can reach to a wide range of subtle value and benefits in addition to the obvious payment of cash or gifts delivered in a multitude of ways. The prosecution of these physicians for referrals made and compensation delivered under management services contracts also clearly warns physicians and other providers against expecting their reliance upon billing, management services or other staff or management service providers to shield them from liability if an improper referral or payment happens.

More Information

About the Author

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Leave a Comment » | Anti-KickBack, billing, Centers For Disease Control, Conditions of Participation, DME, Doctor, Durable Medical Equipment, E-Prescribing, false claims act, Federal Sentencing Guidelines, Health Care, Health care coding, Health Care Finance, Health Care Fraud, Health Care Provider, Health Care Quality, health care reimbursement, healthcare, HHS, Home Health, home health, Hospice, Hospital, Hospital, hospitals, Laboratory tests, Licensing, Medical Licensure, Medical Malpractice, Medicare, Medicare Advantage, Medicare Prescription Drug Program, Money Laundering, nursing home, OIG, Opiates, Pharmaceudical, Physician, Physician Licensing, Reimbursement, Stark, Substance Abuse | Tagged: Federal Sentencing Guidelines, Opiate, pain management, Physician | Permalink
Posted by Cynthia Marcotte Stamer

Federal Convictions Of Physicians Highlight Need For Care In Opiate & Other Pain Management Prescribing & Billing

March 4, 2022

Physicians and other health care prescribers must remain hyper vigilant when prescribing, documenting, billing and managing opiate and other pain management prescriptions and patients. That’s the clear message sent by the ever-growing wave of federal prosecutions and convictions like the March 2, 2022 federal conviction of Tennessee physician Mark Murphy and his wife, Jennifer Murphy and his wife for unlawfully distributing opioids, providing unnecessary services and defrauding insurers from their now-shuttered North Alabama Pain Services clinics (“NAPS”) and March 1, 2022 sentencing of former physician Patrick Titus to 20 years in prison for his conviction of unlawful distribution of opioid drug outside the usual scope of professional practice and not for legitimate medical purposes as part of the his internal medicine practice.

Tennessee Doctor & Wife Convicted of Pain Management Related Unlawful Opioid Distribution, Health Care Fraud & Other Criminal Charges

The March 2 federal jury conviction of Dr. and Ms. Murphy stemmed from their ownership and operation of their now-defunct pain management clinics resulted from evidence gathered through a joint investigation by the Federal Bureau of Investigation, the Department of Health & Human Services Office of Inspector General, the Internal Revenue Service, and the Drug Enforcement Agency.

During the resulting jury trial, federal prosecutors presented evidence that during the five-year period leading up to the clinic closing its Alabama locations in 2017, Dr. Murphy and Ms. Murphy, who was the office manager, caused over $50 million in fraudulent or unnecessary medical services to be charged to Medicare, TRICARE, Blue Cross Blue Shield of Alabama and others. Evidence at trial showed that NAPS provided pre-signed prescriptions to thousands of patients a month, including prescriptions written outside the usual course of professional practice without a legitimate medical purpose. Federal prosecutors also introduced evidence that the Murphys also solicited and received unlawful payments for referring fraudulent or unnecessary services to patients.

Based on the evidence, the jury found both Dr. and Ms. Murphy guilty on numerous criminal charges including:

Conspiracy to unlawfully distribute and unlawful distribution of controlled substances;
Conspiracy to commit and commission of health care fraud;
Conspiracy to defraud the United States; and
Receiving illegal kickbacks in violation of the Anti-Kickback Statute.

Ms. Murphy also was convicted of tax-related charges for underreporting clinic income.

Currently scheduled for sentencing in June, the Murphys each face a maximum of 20 years in prison for the drug charges and a maximum of 10 years in prison for the health care fraud charges. Both defendants also face a maximum of five years in prison for charges stemming from violations of the Anti-Kickback Statute, and Ms. Murphy faces up to three years in prison for the tax charges.

Former Delaware Doctor Sentenced to 20 Years in Prison for Unlawful Opioid Distribution

The Murphy’s jury conviction came one day after the sentencing of former to 20 years in prison for his July 2021 federal jury conviction on 13 counts of unlawfully distributing and dispensing controlled substances and one count of maintaining a drug-involved premises.

Federal prosecutors presented evidence in court documents and trial that Dr. Titus unlawfully distributed or dispensed opioid drugs including fentanyl, morphine, methadone, OxyContin and oxycodone outside the usual scope of professional practice and not for legitimate medical purposes as part of the his internal medicine practice. The Justice Department charged Dr. Titus frequently prescribed these dangerous controlled substances in high dosages, sometimes in combination with each other or in other dangerous combinations, mostly in exchange for cash. Evidence at trial showed he distributed over 1 million opioid pills without providing any meaningful medical care and to patients he knew were suffering from substance use disorder and/or who demonstrated clear signs that the prescribed drugs were being abused, diverted or sold on the street.

Health Care Fraud Task Force Targeting Opioid Distribution, Billing, & Related Misconduct

Both the Murphy and Titus prosecutions and convictions are two of a growing series of convictions resulted from investigations into opioid and other pain management prescribing conducted as part of efforts targeting physicians and other health care providers involved in prohibited the federal Health Care Fraud Strike Force Program. See e.g., Medical Director Convicted in $110 Million Addiction Treatment Fraud Scheme.

The Federal agencies made a point of warning to other physicians not to overprescribe, bill or engage in other prohibited dealings involving opioids or other controlled substances when announcing the Titus sentencing.

“As we continue the fight against the opioid crisis, this case serves as an important reminder that health care professionals have a duty to prescribe medication responsibly to ensure the well-being of individuals under their care. Failing to do so can endanger patients and undermines critical, ongoing public health measures,” said Special Agent in Charge Maureen Dixon of the U.S. Department of Health and Human Services, Office of the Inspector General (HHS-OIG). “HHS-OIG will continue to work with our law enforcement partners to hold bad actors accountable.”

“This sentence is a reminder that the Department of Justice will hold accountable those doctors who are illegitimately prescribing opioids and fueling the country’s opioid crisis,” said Assistant Attorney General Kenneth A. Polite Jr. of the Justice Department’s Criminal Division. “Doctors who commit these unlawful acts exploit their roles as stewards of their patients’ care for their own profit.”

“DEA-registered medical practitioners have an important role in our communities to treat patients compassionately and responsibly,” said DEA Administrator Anne Milgram. “Today’s sentencing makes clear that medical professionals who recklessly prescribe opioids and endanger the safety and health of patients will be held accountable.”

More Information

About the Author

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Leave a Comment » | billing, Centers For Disease Control, Conditions of Participation, Controlled Substances, Corporate Compliance, DEA, Doctor, drug treatment, E-Prescribing, Evidence Based Medicine, false claims act, FDA, Federal Sentencing Guidelines, Health Care, Health Care Finance, Health Care Fraud, Health Care Provider, Health Care Quality, health care reimbursement, Health Plan, Health Plans, healthcare, hemp, HHS, Home Health, home health, Hospice, Hospital, Hospital, hospitals, Licensing, managed care, marijuana, Medical Licensure, Medical Malpractice, Medical Records, Medicare, Medicare Advantage, Medicare Prescription Drug Program, Mental Heatlh, Money Laundering, Monopoly, OIG, Opiates, pain management, Physician, Physician Licensing, Prescription Drugs, Reimbursement, Substance Abuse | Tagged: Federal Sentencing Guidelines, Opiate, pain management, Physician | Permalink
Posted by Cynthia Marcotte Stamer

Biden-Harris Administration to Expand Vaccination Requirements for Health Care and Many Other Employers

September 9, 2021

All Medicare and Medicaid certified health care facilities, and a broad range of other employers must prepare to meet impending new federal COVID-19 vaccine mandates announced by the Biden-Harris Administration today.

According to today’s announcements all healthcare facilities participating in Medicare or Medicaid or employing 100 or more employees will be required to ensure all staff are vaccinated against COVID-19.

The Biden-Harris Administration says the new health industry COVID-19 vaccine mandates will be implemented through emergency regulations to be issued in October.

According to today’s announcement, the Centers for Medicare & Medicaid Service (“CMS”) in collaboration with the Centers for Disease Control (“CDC”) is developing an Interim Final Rule with Comment Period that will be issued in October that will extend vaccine mandates originally announced last month for all Medicare and Medicaid participating nursing home workers to include hospitals, dialysis facilities, ambulatory surgical settings, and home health agencies, among others, as a condition for participating in the Medicare and Medicaid programs. See CMS/CDC Mandating COVID Vaccination For All Nursing Home Staff.

The announcement of the vaccine mandates for healthcare workers coincides with the Biden-Harris Administration’s announcement of sweeping new vaccine mandates for all government workers, government contractors and employers employing more than 100 employees.

The two mandates will force most health care facilities to impose mask mandates for all staff in order to meet the requirement all staff be vaccinated.

CMS and CDC say the decision was based on the continued and growing spread of the virus in health care settings, especially in parts of the U.S. with higher incidence of COVID-19. They claim the action will protect patients of the 50,000 providers and over 17 million health care workers in Medicare and Medicaid certified facilities.

According to the CDC, nursing homes with an overall staff vaccination rate of 75% or lower experience higher rates of preventable COVID infection. In CMS’s review of available data, the agency is seeing lower staff vaccination rates among hospital and End Stage Renal Disease (ESRD) facilities. To combat this issue, CMS is using its authority to establish vaccine requirements for all providers and suppliers that participate in the Medicare and Medicaid programs. Vaccinations have proven to reduce the risk of severe illness and death from COVID-19 and are effective against the Delta variant.

In it’s announcement of the impending vaccination requirements, CDC urged health care facilities to prepare now to meet the new mandate in October. CMS expects certified Medicare and Medicaid facilities to act in the best interest of patients and staff by complying with new COVID-19 vaccination requirements.

CDC also urged any health care workers employed in these facilities who are not currently vaccinated are urged to begin the process immediately and facilities to use all available resources to support employee vaccinations, including employee education and clinics, as they work to meet new federal requirements.

While legal challenges to the mandate requirements are likely, most facilities that have not already adopted vaccine mandates are expected to adopt these mandates rather than risk losing eligibility for Medicare and Medicaid reimbursement and other sanctions.

Beyondprogram disqualification and attendant financial pressures, announcement of the new vaccine mandates adds vaccination to the list of safety safeguards that healthcare facilities as employers can expect to be required to enforce as part of the occupational safety rules of the Occupational Safety and Health Administration (”OSHA”).

OSHA already is sanctioning employers for violating COVID-19 related OSHA requirements. For instance, OSHA nailed Lakewood Resource and Referral Center Inc., dba Center for Education Medicine and Dentistry (CHEMED) with heavy fines for allegedly violating applicable COVID-19 safety guidelines in January, 2021.

In a July 23, 2021 citation letter, OSH proposes to fine CHEMED $273,064.00 for willfully violating OSHA by not providing a medical evaluation to determine each employee’s ability to use a N95 respirator, before the employee was fit tested or required to use the respirator in the workplace to protect against SARS-CoV-2 virus while testing suspected COVID-19 individuals.

In addition to the proposed fine, the citation also orders CHEMED to take a series of corrective actions and to post notices in the workplace informing workers of the violation.

Along with the CHEMED citation, OSH also cited a staffing agency contracted to provide nursing staffing to CHEMED, Homecare Therapies for also failing to conduct medical evaluations and fit tests. It received two violations and a proposed fine of $13,653.

In the face of these potential consequences, most covered health care facilities and other employers impacted by the mandate are likely to implement mandates unless and until these requirements are struct down by the courts or withdrawn.

Assuming the Administration follows appropriate procedures to adopt the rules, most legal commentators do not expect the legal challenges opposing the mandate orders to be successful in the courts particularly after the Supreme Court refused to overturn or hear arguments for overturning a unanimous decision of a three-judge panel of the United States Court of Appeals for the Seventh Circuit in Klassen v. Trustees of Indiana University that refused to enjoin a vaccine mandate imposed by Indiana University as a condition of student or staff in person participation in classes or other activities.

While most healthcare and other covered businesses are not expected to challenge the rules, compliance us likely to trigger backlash from some unvaccinated workers strongly opposed to becoming vaccinated. Employers may find that some employees will resign their employment or take other tactics to avoid becoming vaccinated. Even those who elect to become vaccinated to retain their employment are likely to express opposition and dissatisfaction that could create liability exposures for the employers if it becomes a basis for retaliation claim.

Employers in Texas and certain other states that have adopted rules restricting or prohibiting vaccine, mask or other mandates also may face challenges based on the state rules.

In light of these and other uncertainties and challenges, Healthcare and Other or Employers generally should seek legal advice and assistance from legal counsel experienced with the relevant health care, labor and employment, privacy and other concerns.

More Information

This article is republished by permission of the author, Cynthia Marcotte Stamer. To review the original work, see here.

Solutions Law Press, Inc. invites you to receive future updates by registering here and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here. For specific information about the these or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years working as an on demand, special project, consulting, general counsel or other basis with domestic and international business, charitable, community and government organizations of all types, sizes and industries and their leaders on labor and employment and other workforce compliance, performance management, internal controls and governance, compensation and benefits, regulatory compliance, investigations and audits, change management and restructuring, disaster preparedness and response and other operational, risk management and tactical concerns.

Most widely recognized for her work with health care, life sciences, insurance and data and technology organizations, she also has worked extensively with health plan and insurance, employee benefits, financial, transportation, manufacturing, energy, real estate, accounting and other services, public and private academic and other education, hospitality, charitable, civic and other business, government and community organizations. and their leaders.

Ms. Stamer has extensive experience advising, representing, defending, and training domestic and international public and private business, charitable, community and governmental organizations and their leaders, employers, employee benefit plans, their fiduciaries and service providers, insurers, and others has published and spoken extensively on these concerns. As part of these involvements, she has worked, published and spoken extensively on these and other human resources, employee benefits, compensation, worker classification and other workforce and other services; insurance; health care; workers’ compensation and occupational disease; business reengineering, disaster and distress; and many other performance, risk management, compliance, public policy and regulatory affairs, and other operational concerns.

A former lead advisor to the Government of Bolivia on its pension project, Ms. Stamer also has worked internationally and domestically as an advisor to business, community and government leaders on these and other legislative, regulatory and other legislative and regulatory design, drafting, interpretation and enforcement, as well as regularly advises and represents organizations on the design, administration and defense of workforce, employee benefit and compensation, safety, discipline, reengineering, regulatory and operational compliance and other management practices and actions.

Ms. Stamer also serves in leadership of a broad range of professional and civic organizations and provides insights and thought leadership through her extensive publications, public speaking and volunteer service with a diverse range of organizations including as Chair of the American Bar Association (“ABA”) Intellectual Property Section Law Practice Management Committee, Vice Chair of the International Section Life Sciences and Health Committee, Past ABA RPTE Employee Benefits & Other Compensation Group Chair and Council Representative and current Welfare Benefit Committee Co-Chair, Past Chair of the ABA Managed Care & Insurance Interest Group, past Region IV Chair and national Society of Human Resources Management Consultant Forum Board Member, past Texas Association of Business BACPAC Chair, Regional Chair and Dallas Chapter Chair, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation and many others.

For more information about these concerns or Ms. Stamer’s work, experience, involvements, other publications, or programs, see www.cynthiastamer.com, on Facebook, on LinkedIn or Twitter or e-mail here.

About Solutions Law Press, Inc.™

Leave a Comment » | Accreditation, ambulance, Ambulatory care, Anethesiology, Biological Warfare, CDC, Centers For Disease Control, Child Care, Conditions of Participation, Coronavirus, Corporate Compliance, Covid, Direct Primary Care, Disease Management, DME, Doctor, early childhood education, Emergency Care, Employer, Employment law, Health Care, Health Care Provider, Health Care Quality, health care reimbursement, Health Plan, healthcare, HHS, Home Health, home health, Hospice, Hospital, hospitals, Indian Health, Laboratory tests, Life Sciences, Medicaid, Medicaid Advantage, Medical Licensure, Medicare, Medicare Advantage, Medicare Fee Schedule, Mental Heatlh, nursing home, occupational health, OSHA, Pandemic, Peer Review, Physician, Reimbursement, Union, vaccination | Tagged: ARRA, Corporate Compliance, Covid, DOJ, Health Care, Health Care Fraud, Health Care Provider, HEAT, Hospital, Medicaid, Medicare, Medicare Fraud Task Force, OCR, Pharma, pharmacist, pharmacy, Physician, Physicians, Privacy, Reimbursement, vaccine, vaccine mandate | Permalink
Posted by Cynthia Marcotte Stamer

CMS/CDC Mandating COVID Vaccination For All Nursing Home Staff

August 18, 2021

The Centers for Medicare & Medicaid Services (CMS), in collaboration with the Centers for Disease Control and Prevention (CDC), announced today plans to mandate COVID-19 vaccination for all Medicare and Medicaid-participating nursing home staff.

The joint announcement released today states the agencies are developing an emergency regulation requiring staff vaccinations within the nation’s more than 15,000 Medicare and Medicaid-participating nursing homes.

The agencies view the new requirement as a key component of protecting the health and safety of nursing home residents and staff.

Today’s action is in keeping with CMS’s authority to establish requirements to ensure the health and safety of individuals receiving care from all providers and suppliers participating in the Medicare and Medicaid programs. About 62% of nursing home staff are currently vaccinated as of August 8 nationally, and vaccination among staff at the state level ranges from a high of 88% to a low of 44%. The emergence of the Delta variant in the United States has driven a rise in cases among nursing home residents from a low of 319 cases on June 27, to 2,696 cases on August 8, with many of the recent outbreaks occurring in facilities located in areas of the United States with the lowest staff vaccination rates.

In May, the Agency issued new regulations that require Long-Term Care (LTC) facilities and Intermediate Care Facilities for Individuals with Intellectual Disabilities (ICFs/IID) to educate residents, clients, and staff about COVID-19 vaccination and, when available, offer a COVID-19 vaccine to these individuals. These regulations also mandate that LTC facilities report weekly COVID-19 vaccination data for residents and staff to the CDC’s National Healthcare Safety Network (NHSN).

Today’s announcement states the agencies will continue to analyze vaccination data for residents and staff from the CDC’s National Healthcare Safety Network (NHSN) data as an additional method of compliance monitoring and in keeping with current practice, as well as deploy the Quality Improvement Organizations (QIOs)—operated under the Medicare Quality Improvement Program—to educate and engage nursing homes with low rates of vaccinations.

Meanwhile, the announcement strongly encourages nursing home residents and staff members to get vaccinated as the Agency undergoes the necessary steps in the rule-making process over the course of the next several weeks. CMS expects nursing home operators to act in the best interest of residents and their staff by complying with these new rules, which the Agency expects to issue in September.

According to today’s announcement, CMS also expects nursing home operators to use all available resources to support employees in getting vaccinated, including employee education and vaccination clinics, as they work to meet this staff vaccination requirement.

More Information

This article is republished by permission of the author, Cynthia Marcotte Stamer. To review the original work, see here.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years working as an on demand, special project, consulting, general counsel or other basis with domestic and international business, charitable, community and government organizations of all types, sizes and industries and their leaders on labor and employment and other workforce compliance, performance management, internal controls and governance, compensation and benefits, regulatory compliance, investigations and audits, change management and restructuring, disaster preparedness and response and other operational, risk management and tactical concerns.

About Solutions Law Press, Inc.™

Leave a Comment » | Academic medicine, Centers For Disease Control, Conditions of Participation, Covid, Doctor, Employer, Employment, Employment law, Federal Health Center, Health Care, Health Care Finance, Health Care Provider, Health Care Quality, health care reimbursement, Health Policy, healthcare, HHS, Hospice, Hospital, hospitals, Inpatient Rehabilitation, Inpatient Rehabilitation Facility, Licensing, long-term care, Medicaid, Medicaid Advantage, Medicare, Medicare Advantage, Mental Health, nursing home, OSHA, Physician, Public Policy, quality reporting, Reimbursement, Skilled Nursing Facility, substance abuse treatment, Whistleblower | Tagged: Health Care, Hospital, Covid, Long-term care, Medicare, nursing home, Physician, vaccination | Permalink
Posted by Cynthia Marcotte Stamer

CMS Updates COVID-19 Accelerated and Advance Payments FAQs

July 8, 2021

Providers that received COVID-19 accelerated and advance payments should read the Centers for Medicare and Medicaid Services (“CMS”) updated FAQs (PDF) about repayment of COVID-19 accelerated and advance payments to learn how recoupment works and how it affects the provider’s Medicare claims payment amounts.

The new FAQ updates the Repayment of COVID-19 Accelerated and Advance Payments Began on March 30, 2021 (PDF) guidance.

For more information and to follow future updates, see the COVID-19 Accelerated and Advance Payments webpage or contact the author of this update.

More Information

If you are interested in a more detailed description of this or other developments discussed in this article, see here.

If you would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here. For specific information or counsel about the these or other legal, management or public policy developments, Ms. Stamer’s work, experience, involvements, other publications, or programs, contact Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297, follow her on Facebook, LinkedIn or Twitter or see Cynthia Marcotte Stamer, P.C. Website.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years working as an on demand, special project, consulting, general counsel or other basis with domestic and international business, charitable, community and government organizations of all types, sizes and industries and their leaders on labor and employment and other workforce compliance, performance management, internal controls and governance, compensation and benefits, regulatory compliance, investigations and audits, change management and restructuring, disaster preparedness and response and other operational, risk management and tactical concerns.

Ms. Stamer has extensive experience advising, representing, defending and training domestic and international public and private health care and life sciences, charitable, community and governmental, and other business organizations and their leaders, employee benefit plans, their fiduciaries and service providers, insurers, and others. A widely published author and popular speaker, Ms. Stamer also has published and spoken extensively on wage and other and other health care, human resources, employee benefits and other workforce and services; insurance; workers’ compensation and occupational disease; business reengineering, disaster and distress; and many other compliance, governance, risk management, operational and public and regulatory affairs concerns.

A former lead advisor to the Government of Bolivia on its pension project, Ms. Stamer also has worked internationally and domestically as an advisor to health, managed care, insurance, and other business, community and government leaders on these and other legislative, regulatory and other legislative and regulatory design, drafting, interpretation and enforcement, as well as regularly advises and represents organizations on the design, administration and defense of workforce, employee benefit and compensation, safety, discipline, reengineering, regulatory and operational compliance and other management practices and actions.

About Solutions Law Press, Inc.™

Leave a Comment » | Academic medicine, American Rescue Plan Act of 2021, Anti-KickBack, billing, Centers For Disease Control, compensation, Conditions of Participation, Coronavirus, Corporate Compliance, COVID-19, Doctor, E-Prescribing, Emergency Care, Health Care, Health care coding, Health Care Finance, Health Care Fraud, Health Care Provider, Health Insurance, Health Plan, Health Plans, healthcare, HHS, Home Health, home health, Hospital, hospitals, Indian Health, Medicaid, Medicare, Medicare Advantage, Medicare Fee Schedule, OIG, Pandemic, Physician, public health, Reimbursement, Uncategorized | Tagged: COVID-19, Health Care, Health Care Fraud, Medicare, Physician, recoupment, Reimbursement | Permalink
Posted by Cynthia Marcotte Stamer

Participate In October 8 Free Kickin’ COVID-19: Reopening Texas Summit On Facebook Live

October 2, 2020

A Virtual Summit For Texas Families & Business, Community and Government Leaders On Safely Keeping Texas Working During COVID-19 And Other Pandemics

Presented Via Facebook Live

October 8, 2020

11:00 a.m. – 1:30 p.m. Central Daylight Time

Supercharge your ability to get back to business safely during the COVID-19 and other pandemic health care emergencies by joining other business, community and government leaders online at the Kickin’ COVID-19: Reopening Texas Summit, a free virtual event scheduled on Thursday October 8, 2020 from 11:00 a.m. to 1:30 p.m. Central Daylight Time on Facebook Live.

Solutions Law Press, Inc. PROJECT COPE: COALITION ON PATIENT EMPOWERMENT is happy to join in presenting the Kickin’ COVID-19: Reopening Texas Summit on October 8, 2020 on Facebook Live from 11:00 a.m.-1:30 p.m. Central Time, a free virtual Summit to discuss and share critical tools, information and perspectives to help American citizens, businesses, schools, health care providers, government organizations and leaders and communities better understand options to safely and responsibly do business and get on with life during the COVID-19 and other pandemic outbreaks.

ABOUT THE SUMMIT

Scheduled to be broadcast live on Facebook Live at from 11:30 a.m. to 1:30 p.m. Central Time, the Summit and its resources are designed to empower and inform individuals and families, businesses, schools, churches and other communities and our government leaders about options to continue safe and responsible reopening of Texas and America.

The Summit provides a uniquely valuable opportunity to hear a panel a leading biomedical expert and a panel of other business, community and government leaders share how the COVID-19 health care emergency is affecting their operations, their experiences and strategies reopening in response to these challenges, and their perceptions about the other tools and actions that their organizations for their operations and Texas to reopen and operate safely during the COVID-19 or other pandemic outbreaks. Participants will:

Hear leading biomedical expert James Burgess objectively explain the science of COVID-19 and other pandemic risks and their management;
Hear a panel of key business, community and government leaders discuss how COVID-19 impacts their operations, their response, and their thoughts about what their organizations and Texas need to safely resume operations; and
View and explore a portable pandemic containment unit and other exhibits demonstrating science based pandemic prevention and management tools promoting safe resumption of operations;
Join the fireside chat between the panel and live audience of business, community and government leaders discuss practical challenges and opportunities for business, community and government leaders separately or collaboratively can help expedite and support the recovery of their own and other businesses, communities, people and economy from the COVID-19 and future pandemics; and
Collaborate with other business, government and community leaders on reopening and keeping our businesses, governments, communities and economies open and thriving despite the COVID-19 or another pandemic.

Confirmed panelists include:

Biomedical engineer James Burgess, Chief Executive Officer, American Biomedical Group, Inc.

Susan Fletcher, Collin County Commissioner, Precinct 1; Gubernatorial Appointee TCDRS

George C. Fuller, Owner The Guitar Center and The Sanctuary Music & Events Center; Mayor of McKinney, Texas

Traci Mayer, Executive Director, Hotel Association of North Texas

Pam Minick, Executive Vice President of Marketing, Billy Bob’s Texas

Michael Simmons, CISSP, CISM, CISA, CRISC, Managing Director – Technology, Chief Information Security Officer, Southwest Airlines

Cynthia Marcotte Stamer, Executive Director, Project COPE Coalition; Managing Shareholder, Cynthia Marcotte Stamer, P.C.; Vice Chair, American Bar Association International Section Life Sciences & Health Committee and Tort & Insurance Practice Section Medicine & Law Committee

Sean Terry, Chief Operating Officer, Centurion American Development Group; Mayor, City of Celina, Texas; past president of the North Texas Mayors Association

TOUR PANDEMIC MANAGEMENT RESOURCES IN VIRTUAL EXHIBIT HALL

Along with this valuable opportunity to participate in the Summit, participants also can tour the Summit’s Virtual Event Hall of information and exhibits collected as resources for helping to cope with COVID-19 and prepare for future pandemic threats.

The Summit has been organized through a collaboration of business, community and government leaders, who are volunteering their time and resources to share information and discussions they hope will support the continued responsible and safe reopening and continued resumption of operations and life in Texas and across the Nation despite the continued COVID-19 or other pandemic outbreaks. The Solutions Law Press, Inc. is proud to support this effort as part of its PROJECT COPE: Coalition on Patient Empowerment initiatives.

Join the Summit during the live broadcast or in replay at http://www.pandemicresourcegroup.com/pandemic/reopen-texas-summit!

Leave a Comment » | Uncategorized | Tagged: Allied Health, Assisted Living, college, COVID-19, Doctor, Health Care, Hospital, long term ccare, nursing home, Pandemic, Physician, rehabilitation, School | Permalink
Posted by Cynthia Marcotte Stamer

Year-End $3 Million HIPAA Settlement Pushes 2018 OCR HIPAA Recoveries Over $28 Million; Act Promptly To Strengthen Compliance & Share Ideas For Simplification

February 7, 2019

Health care providers, health plans, health care clearinghouse and their business associates (“Covered Entities”) should reconfirm the adequacy of their organization’s Health Insurance Portability and Accountability Act (“HIPAA”) compliance in light the U.S Department of Health and Human Services Office of Civil Rights (“OCR”) February 7, 2019 announcement that OCR reached a 2018 year-end $3 Million Resolution Agreement with California-based Cottage Health that pushed OCR’s already record-setting 2018 enforcement HIPAA recoveries to more than $28.7 million in a year already distinguished by OCR’s record-setting $16 million resolution payment collection from Anthem.

Along with acting to ensure their own organization’s ability to defend their HIPAA compliance, Covered Entities and their leaders also should take advantage of the opportunity to provide input to OCR on opportunities for simplifying and improving OCR’s HIPAA regulations and enforcement by submitting relevant comments by February 12, 2019 in response to a Request for Information published by OCR in December that invites public input.

Learn more de

2018 Cottage Health Resolution Agreement

According to OCR’s February 7, 2019 announcement, Cottage Health agreed in OCR’s final settlement of 2017 to pay OCR $3 million and to adopt a substantial corrective action plan to settle charges of HIPAA violations resulting from OCR’s investigations into two HIPAA Breach notifications Cottage Health filed regarding breaches of unsecured electronic protected health information (ePHI) affecting over 62,500 individuals.

A December 2, 2013 breach notification that the removal of electronic security protections by a Cottage Health contractor rendered ePHI such as patient names, addresses, dates of birth, diagnoses/conditions, lab results and other treatment information of 33,349 individuals on a Cottage Health server accessible for download without a username or password from the internet to anyone outside Cottage Health. In an update to its original report filed on July 2, 2014, Cottage Health increased the number of individuals affected by this breach to 50,917. OCR’s investigation determined that security configuration settings of the Windows operating system permitted access to files containing ePHI without requiring a username and password. As a result, patient names, addresses, dates of birth, diagnoses, conditions, lab results and other treatment information were available to anyone with access to Cottage Health’s server.
A December 1, 2015, that the misconfiguration of a server following an IT response to a troubleshooting ticket, exposed unsecured ePHI including patient names, addresses, dates of birth, social security numbers, diagnoses, conditions, and other treatment information of 11,608 individuals over the internet.

Based upon its investigation into the two breach reports, OCR concluded Cottage Health violated HIPAA by failing to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI; failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level; failed to perform periodic technical and non-technical evaluations in response to environmental or operational changes affecting the security of ePHI; and failed to obtain a written business associate agreement with a contractor that maintained ePHI on its behalf.

To resolve its exposure to potentially must greater civil monetary sanctions that OCR might seek for such potential violations under HIPAA’s civil monetary sanction rules, Cottage Health entered into December, 2018 Resolution Agreement to pay the $3 million settlement and undertake what OCR characterizes as “a robust corrective action plan to comply with the HIPAA Rules.” Among other things, the corrective action plan requires Cottage Health to:

Conduct an enterprise-wide risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by Cottage Health (“Risk Analysis”) that OCR views as satisfactory to meet the requirements of 45 CFR 164.308(a)(1)(ii)(A);
Develop and implement a risk management plan to address and mitigate any security risks and vulnerabilities identified in the Risk Analysis acceptable to OCR;
Implement a process for regularly evaluating environmental and operational changes that affect the security of Cottage Health’s ePHI;
Develop, maintain, and revise, as necessary, written policies and procedures to comply with the Federal standards that govern the privacy and security of individually identifiable health information under 45 C.F.R. Part 160 and Subparts A, C, and E of Part 164 (the “Privacy Rule” and “Security Rule”).
Distribute to and conduct training on the HIPAA policies and procedures from all existing and new members of the Cottage Health workforce with access to PHI. Additionally, Cottage Health require all workforce members that have access to PHI to certify their receipt of, understanding and commitment to comply with the HIPAA Policies before allowing access to PHI and must deny access to PHI to any workforce member that has not provided the required certification.
Submit to ongoing notification and reporting requirements to keep OCR informed about its compliance efforts.

2018 Record Setting HIPAA Enforcement Year

The final Resolution Agreement negotiated by OCR in 2018, the $3 million Cottage Health Resolution Agreement signed on December 11, 2018 added to an already record-setting year of HIPAA enforcement recoveries by OCR. In addition to recovering the single largest individual HIPAA settlement in history of $16 million with Anthem, Inc. OCR’s recovery of the following HIPAA settlements and fines totaling nearly $28.7 million surpassed its previous 2016 record of $23.5 million by 22 percent.

Date	Name	Amount
Jan. 2018	Filefax, Inc (settlement)	$ 100,000
Jan. 2018	Fresenius Medical Care North America (settlement)	$ 3,500,000
June 2018	MD Anderson (judgment)	$ 4,348,000
Aug. 2018	Boston Medical Center (settlement)	$ 100,000
Sep. 2018	Brigham and Women’s Hospital (settlement)	$ 384,000
Sep. 2018	Massachusetts General Hospital (settlement)	$ 515,000
Sep. 2018	Advanced Care Hospitalists (settlement)	$ 500,000
Oct. 2018	Allergy Associates of Hartford (settlement)	$ 125,000
Oct. 2018	Anthem, Inc (settlement)	$ 16,000,000
Nov. 2018	Pagosa Springs (settlement)	$ 111,400
Dec. 2018	Cottage Health (settlement)	$ 3,000,000
Total (settlements and judgment)		$ 28,683,400

Aside from the previously discussed Cottage Health Resolution Agreement OCR announced on February 7, 2019, these OCR 2018 enforcement recoveries included:

FileFax Resolution Agreement. In January 2018, OCR settled for $100,000 with Filefax, Inc., a medical records maintenance, storage, and delivery services provider. OCR’s investigation found that Filefax impermissibly disclosed protected health information (PHI) by leaving the PHI in an unlocked truck in the Filefax parking lot, or by granting permission to an unauthorized person to remove the PHI from Filefax, and leaving the PHI unsecured outside the Filefax facility.
Fresenius Medical Care North America Resolution Agreement. In January 2018, OCR also settled for $3.5 million with Fresenius Medical Care North America (FMCNA), a provider of products and services for people with chronic kidney failure. FMCNA filed five breach reports for separate incidents occurring between February 23, 2012 and July 18, 2012, implicating the electronic protected health information (ePHI) of five FMCNA owned covered entities. OCR’s investigation revealed that FMCNA failed to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of its ePHI. Additional potential violations included failure to implement policies and procedures and failure to implement a mechanism to encrypt and decrypt ePHI, when it was reasonable and appropriate to do so under the circumstances.
MD Anderson ALJ Ruling. In June 2018, an HHS Administrative Law Judge ruled in favor of OCR and required The University of Texas MD Anderson Cancer Center (MD Anderson), a Texas cancer center, to pay $4.3 million in civil money penalties for HIPAA violations. OCR investigated MD Anderson following three separate data breach reports in 2012 and 2013 involving the theft of an unencrypted laptop from the residence of an MD Anderson employee and the loss of two unencrypted universal serial bus (USB) thumb drives containing the unencrypted ePHI of over 33,500 individuals. OCR’s investigation found that MD Anderson had written encryption policies going back to 2006 and that MD Anderson’s own risk analyses had found that the lack of device-level encryption posed a high risk to the security of ePHI. Despite the encryption policies and high risk findings, MD Anderson did not begin to adopt an enterprise-wide solution to encrypt ePHI until 2011, and even then it failed to encrypt its inventory of electronic devices containing ePHI between March 24, 2011 and January 25, 2013. This matter is under appeal with the HHS Departmental Appeals Board.
MMC/BWH/MGH Resolution Agreements. In September 2018, OCR announced that it has reached separate settlements totaling $999,000, with Boston Medical Center (BMC), Brigham and Women’s Hospital (BWH), and Massachusetts General Hospital (MGH) for compromising the privacy of patients’ PHI by inviting film crews on premises to film an ABC television network documentary series, without first obtaining authorization from patients.
ACH Resolution Agreement. In September 2018, OCR also settled with Advanced Care Hospitalists (ACH), a contractor physician group, for $500,000. ACH filed a breach report confirming that ACH patient information was viewable on a medical billing services’ website. OCR’s investigation revealed that ACH never had a business associate agreement with the individual providing medical billing services to ACH, and failed to adopt any policy requiring business associate agreements until April 2014. Although ACH had been in operation since 2005, it had not conducted a risk analysis or implemented security measures or any other written HIPAA policies or procedures before 2014.
Allergy Associates Resolution Agreement. In October 2018, OCR settled with Allergy Associates, a health care practice that specializes in treating individuals with allergies, for $125,000. In February 2015, a patient of Allergy Associates contacted a local television station to speak about a dispute that had occurred between the patient and an Allergy Associates’ doctor. OCR’s investigation found that the reporter subsequently contacted the doctor for comment and the doctor impermissibly disclosed the patient’s PHI to the reporter.
Anthem Resolution Agreement. In October 2018, Anthem, Inc. also paid $16 million to OCR and agreed to take substantial corrective action to settle potential violations of the HIPAA Rules after a series of cyberattacks led to the largest U.S. health data breach in history. Anthem filed a breach report after discovering cyber-attackers had gained access to their IT system via an undetected continuous and targeted cyberattack for the apparent purpose of extracting data, otherwise known as an advanced persistent threat attack. After filing their breach report, Anthem discovered cyber-attackers had infiltrated their system through spear phishing emails sent to an Anthem subsidiary after at least one employee responded to the malicious email and opened the door to further attacks. OCR’s investigation revealed that between December 2, 2014 and January 27, 2015, the cyber-attackers stole the ePHI of almost 79 million individuals, including names, social security numbers, medical identification numbers, addresses, dates of birth, email addresses, and employment information.
Pegosa Springs Medical Center. In November 2018, Pagosa Springs Medical Center (PSMC), a critical access hospital, paid $111,400 to OCR to resolve potential violations concerning a former PSMC employee that continued to have remote access to PSMC’s web-based scheduling calendar, which contained patients’ ePHI, after separation of employment. OCR’s investigation revealed that PSMC impermissibly disclosed the ePHI of 557 individuals to its former employee and to the web-based scheduling calendar vendor without a business associate agreement in place.

These 2018 Resolution Agreements reaffirm the growing risks that Covered Entities and their business associates run by failing to take adequate steps to prevent and respond to breaches of ePHI and otherwise to maintain their compliance with HIPAA. Covered entities and business associates and their leaders should recognize and respond to these growing risks by reevaluating and strengthening their HIPAA compliance and risk management efforts to minimize the likelihood of violations and enhance their ability to mitigate potential liability that can result from breaches of HIPAA by responding efficiently and effectively.

Other Regulatory & Enforcement Developments

In addition to reaffirming their ongoing compliance with the longstanding requirements of HIPAA and other related federal and state laws, Covered Entities also should use care to carefully monitor and respond to new regulatory and other developments that might create new responsibilities or new opportunities to simplify their HIPAA compliance. In this respect, Covered Entities should take note of the 2018 and ongoing efforts by OCR to develop and publish new rules and other guidance intended to help health care providers and other Covered Entities, patients and caregivers and others understand their rights and responsibilities when dealing with protected health information in relation to patients afflicted with substance abuse and mental illness. Undertaken as part of the Trump Administration’s broader effort to combat opiate and other substance abuse within the United States, OCR in October published a package of guidance on How HIPAA Allows Doctors To Respond To The Opioid Crisis. Covered Entities and others concerned with the management of patients afflicted with substance abuse and mental illness should evaluate this guidance to understand and tailor their practices to respond to OCR’s perspectives of how HIPAA impacts the use, access and disclosure of protected health information as part of these efforts.

Covered Entities and others concerned about HIPAA compliance and interpretation also should carefully monitor and provide appropriate and timely input on developing HIPAA guidance that could impact their operations. In this regard, Covered Entities with ideas about opportunities for improving existing HIPAA guidance are encouraged to submit comments to OCR by February 12, 2019 in response to its Request for Information on improving care coordination and reducing the regulatory burdens of the HIPAA Rules published on December 12, 2018. In that RFI, OCR invites input from the public on how the HIPAA Privacy Rule, could be modified to:

Encourage information-sharing for treatment and care coordination;
Facilitate parental involvement in care;
Address the opioid crisis and serious mental illness;
Account for disclosures of PHI for treatment, payment, and health care operations as required by the HITECH Act;
Change the current requirement for certain providers to make a good faith effort to obtain an acknowledgment of receipt of the Notice of Privacy Practices; and/or
Otherwise simplify or improve the existing HIPAA rules.

As a part of these efforts, Covered Entities and other concerned parties also should anticipate that OCR will be focusing heavily in the upcoming year on the potential HIPAA privacy and security implications of efforts by its sister agency, the Office of the National Coordinator for Health Information Technology (“ONC”), to promote greater interoperability of electronic medical records discussed in ONC’s recent 2018 Report to Congress: Annual Update on the Adoption of a Nationwide System for the Electronic Use and Exchange of Health Information (“Report”).

Under the 21st Century Cures Act, Congress gave ONC authority to enhance innovation, scientific discovery, and expand the access and use of health information through provisions related to:

The development and use of upgraded health IT capabilities;
Transparent expectations for data sharing, including through open application programming interfaces (APIs); and
Improvement of the health IT end-user experience, including by reducing administrative burden.

These priorities seek to increase nationwide interoperability of health information and reduce clinician burden. The Report says increases in the adoption of health IT means most Americans receiving health care services now have their health data recorded electronically. However, this information is not always accessible across systems and by all end users—such as patients, health care providers, and payers—in the market in productive ways. While the Report states ONC intends to move forward to promote efforts to help ensure that electronic health information can be shared safely and securely where appropriate to improve the health and care of all Americans, these activities inherently will raise many HIPAA concerns and challenges. Covered Entities and others concerned with these activities will want to carefully monitor the concurrent activities of OCR and ONC as these efforts progress, both to help tailor their planning and compliance efforts to respond to the anticipated demand for greater interoperability as required by ONC and to help shape these rules by providing timely input as appropriate in response to these developments.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: Erisa & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of managed care and other health industry, health and other benefit and insurance, workforce and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

Past Chair of the ABA Managed Care & Insurance Interest Group and, a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer has been continuously involved the design, regulation, administration and defense of managed care and other health and employee benefit, health care, human resources and other staffing and workforce arrangements, contracts, systems, and processes. As a continuous component of this work, Ms. Stamer has worked closely with these and other clients on the design, development, administration, defense, and breach and data recovery of health care, workforce, insurance and financial services, trade secret and other information technology, data and related process and systems development, policy and operations throughout her career.

Scribe of the ABA JCEB annual Office of Civil Rights agency meeting, Ms. Stamer also is widely recognized for her extensive work and leadership on leading edge health care and benefit policy and operational issues.

Ms. Stamer’s clients include public and private, domestic and international hospitals, health care systems, clinics, skilled nursing, long-term care, rehabilitation and other health care providers and facilities; medical staff, health care accreditation, peer review and quality committees and organizations; employers and other workforce management organizations; employer, union, association, government and other insured and self-insured health and other employee benefit plan sponsors, benefit plans, fiduciaries, administrators, and other plan vendors; managed care organizations, insurers, self-insured health plans and other payers and their management; managed care organizations, insurers, third-party administrative services organizations and other payer organizations; billing, utilization management, management services organizations; group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; claims, billing and other health care and insurance technology and data service organizations; other health, employee benefit, insurance and financial services product and solutions consultants, developers and vendors; and other health, employee benefit, insurance, technology, government and other management clients.

A former lead consultant to the Government of Bolivia on its Pension Privatization Project with extensive domestic and international public policy concerns in pensions, healthcare, workforce, immigration, tax, education and other areas, Ms. Stamer has been extensively involved in U.S. federal, state and local health care and other legislative and regulatory reform impacting these concerns throughout her career. Her public policy and regulatory affairs experience encompasses advising and representing domestic and multinational private sector health, insurance, employee benefit, employer, staffing and other outsourced service providers, and other clients in dealings with Congress, state legislatures, and federal, state and local regulators and government entities, as well as providing advice and input to U.S. and foreign government leaders on these and other policy concerns.

Beyond her public policy and regulatory affairs involvement, Ms. Stamer also has extensive experience helping these and other clients to design, implement, document, administer and defend workforce, employee benefit, insurance and risk management, health and safety, and other programs, products and solutions, and practices; establish and administer compliance and risk management policies; comply with requirements, investigate and respond to government; accreditation and quality organizations; private litigation and other federal and state health care industry investigations and enforcement actions; evaluate and influence legislative and regulatory reforms and other regulatory and public policy advocacy; training and discipline; enforcement, and a host of other related concerns. Ms. Stamer’s experience in these matters includes supporting these organizations and their leaders on both a real-time, “on demand” basis with crisis preparedness, intervention and response as well as consulting and representing clients on ongoing compliance and risk management; plan and program design; vendor and employee credentialing, selection, contracting, performance management and other dealings; strategic planning; policy, program, product and services development and innovation; mergers, acquisitions, and change management; workforce and operations management, and other opportunities and challenges arising in the course of their operations.

Ms. Stamer also has extensive health care reimbursement and insurance experience advising and defending plan sponsors, administrators, insurance and managed care organizations, health care providers, payers, and others about Medicare, Medicaid, Medicare and Medicaid Advantage, Tri-Care, self-insured group, association, individual and employer and association group and other health benefit programs and coverages including but not limited to advising public and private payers about coverage and program design and documentation, advising and defending providers, payers and systems and billing services entities about systems and process design, audits, and other processes; provider credentialing, and contracting; providers and payer billing, reimbursement, claims audits, denials and appeals, coverage coordination, reporting, direct contracting, False Claims Act, Medicare & Medicaid, ERISA, state Prompt Pay, out-of-network and other nonpar insured, and other health care claims, prepayment, post-payment and other coverage, claims denials, appeals, billing and fraud investigations and actions and other reimbursement and payment related investigation, enforcement, litigation and actions. Scribe for the ABA JCEB annual agency meeting with HHS OCR, she also has worked extensively on health and health benefit coding, billing and claims, meaningful use and EMR, billing and reimbursement, quality measurement and reimbursement, HIPAA, FACTA, PCI, trade secret, physician and other medical, workforce, consumer financial and other data confidentiality and privacy, federal and state data security, data breach and mitigation, and other information privacy and data security concerns.

Author of leading works on a multitude of health care, health plan and other health industry matters, the American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting, former Vice President of the North Texas Health Care Compliance Professionals Association, past Chair of the ABA Health Law Section Managed Care & Insurance Section, past ABA JCEB Council Representative and CLE and Marketing Committee Chair, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer’s health industry clients include public health organizations; public and private hospitals, healthcare systems, clinics and other health care facilities; physicians, physician practices, medical staff, and other provider organizations; skilled nursing, long-term care, assisted living, home health, ambulatory surgery, dialysis, telemedicine, DME, Pharma, clinics, and other health care providers; billing, management and other administrative services organizations; insured, self-insured, association and other health plans; PPOs, HMOs and other managed care organizations, insurance, claims administration, utilization management, and other health care payers; public and private peer review, quality assurance, accreditation and licensing; technology and other outsourcing; healthcare clearinghouse and other data; research; public and private social and community organizations; real estate, technology, clinical pathways, and other developers; investors, banks and financial institutions; audit, accounting, law firm; consulting; document management and recordkeeping, business associates, vendors, and service providers and other professional and other health industry organizations; academic medicine; trade associations; legislative and other law making bodies and others.

A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about contracting, credentialing and quality assurance, compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, privacy and data security, and other risk management and operational matters. Author of works on Payer and Provider Contracting and many other managed care concerns, Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns.

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her thought leadership, experience and advocacy on these and other related concerns by her service in the leadership of the Solutions Law Press, Inc. Coalition for Responsible Health Policy, its PROJECT COPE: Coalition on Patient Empowerment, and a broad range of other professional and civic organizations including North Texas Healthcare Compliance Association, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children (now Warren Center For Children); current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, past Representative and chair of various committees of ABA Joint Committee on Employee Benefits; an ABA Health Law Coordinating Council representative, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, a former member of the Board of Directors of the Southwest Benefits Association and others.

For more information about Ms. Stamer or her health industry and other experience and involvements, see here or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advise or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The presenter and the program sponsor disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

©2019. Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.

Leave a Comment » | 21st century cures act, Academic medicine, ADA, ASC, Consumer Driven Health Care, Controlled Substances, Corporate Compliance, Cyber crime, data breach, Direct Primary Care, Disease Management, DME, Doctor, drug treatment, Durable Medical Equipment, E-Prescribing, Electronic Health Records, Electronic Medical Records, Employee Benefits, Employer, ERISA, Evidence Based Medicine, FACTA, FDA, Federal Health Center, Genetic Information, GINA, Health Care, Health care coding, Health Care Finance, Health Care Provider, Health Care Quality, health care reimbursement, Health Insurance, Health Insurance Exchange, Health IT, Health Plan, Health Plans, healthcare, HHS, HIPAA, HIPAA Cyber Crime, HITECH Act, Home Health, home health, Hospice, Hospital, hospitals, Human Subjects Research, Indian Health, Inpatient Rehabilitation, Joint Commission, Laws, legal epidemiology, managed care, Meaningful Use, Medicaid, medical devices, Medical Licensure, Medical Privacy, Medical Records, Medicare, Medicare Advantage, Medicare Fee Schedule, Mental Health, Mental Heatlh, NIOSH, NIST, OCR, Opiates, Outpatient, participating provider, Physician, Prescription Drugs, Privacy, Prospective Payment, Provider contracting, public health, Public Policy, quality reporting, quality repoting, Reimbursement, research, Skilled Nursing Facility, Substance Abuse, Technology, Telemedicine, Veterans Health, Veterans Health Care, Wellness | Tagged: Health Care, Health IT, Medicare, ONC, Physician | Permalink
Posted by Cynthia Marcotte Stamer

ONC Report Signals New Interoperability Demands Coming

January 8, 2019

Interoperability will be a key priority for the Office of the National Coordinator for Health Information Technology (“ONC”) going forward.

That’s the message in the just released 2018 Report to Congress: Annual Update on the Adoption of a Nationwide System for the Electronic Use and Exchange of Health Information (“Report”).

The plan to promote interoperability raises new business and compliance planning opportunities for health care providers, health insurers and other payers, health data and information technology (IT) providers and others.

The Report describes barriers, actions taken, and recommendations as well as ONC’s path forward to implement the 21st Century Cures Act.

Under the 21st Century Cures Act, Congress gave HHS authority to enhance innovation, scientific discovery, and expand the access and use of health information through provisions related to:

The development and use of upgraded health IT capabilities;
Transparent expectations for data sharing, including through open application programming interfaces (APIs); and
Improvement of the health IT end user experience, including by reducing administrative burden.

These priorities seek to increase nationwide interoperability of health information and reduce clinician burden..

Current Status

The Report says increases in the adoption of health IT means most Americans receiving health care services now have their health data recorded electronically. However, this information is not always accessible across systems and by all end users—such as patients, health care providers, and payers—in the market in productive ways. For example:

Despite the individual right to access health information about themselves established by the HIPAA Privacy Rule, patients often lack access to their own health information, which hinders their ability to manage their health and shop for medical care at lower prices;

Health care providers often lack access to patient data at the point of care, particularly when multiple health care providers maintain different pieces of data, own different systems, or use health IT solutions purchased from different developers; and

Payers often lack access to clinical data on groups of covered individuals to assess the value of services provided to their customers.

The Report says these limitations create several problems, including:

Patients should be able to easily and securely access their medical data through their smartphones. Currently, patients electronically access their health information through patient portals that prevent them from easily pulling from multiple sources or health care providers. Patient access to their electronic health information also requires repeated use of logins and manual data updates.

For health care providers and payers, interoperable access and exchange of health records is focused on accessing one record at a time.
Payers cannot effectively represent their members if they lack computational visibility into which health care providers offer the highest quality care at the lowest cost. Without the capability to access multiple records across a population of patients, health care providers and payers will not benefit from the value of using modern computing solutions—such as machine learning and artificial intelligence—to inform care decisions and identify trends.
Payers and employer group health plans which purchase health care have little information on health outcomes. Often, health care providers and payers negotiate contracts based on the health care provider’s reputation rather than on the quality of care that health care provider offers to patients. Health care providers should instead compete based on the entire scope of the quality and value of care they provide, not on how exclusively they can craft their networks. Outcome data will allow payers to apply machine learning and artificial intelligence to have better insight into the value of the care they purchase.

Current Barriers

According to the Report, HHS heard from stakeholders over the past year that barriers to interoperable access to health information remain, including technical, financial, trust, and business practice barriers. These barriers impede the movement of health information to where it is needed across the care continuum. In addition, burden arising from quality reporting, documentation, administrative, and billing requirements that prescribe how health IT systems are designed also hamper the innovative usability of health IT.

Current and Upcoming Actions

The Report states HHS has many efforts to help ensure that electronic health information can be shared safely and securely where appropriate to improve the health and care of all Americans.

ONC also reports Federal agencies, states, and industry have taken steps to address technical, trust, and financial challenges to interoperable health information access, exchange, and use for patients, health care providers, and payers (including insurers). HHS aims to build on these successes through the ONC Health IT Certification Program, HHS rulemaking, health IT innovation projects, and health IT coordination.

In accordance with the Cures Act, HHS is actively leading and coordinating a number of key programs and projects. These include continued work to deter and penalize poor business practices and that HHS conducted multiple outreach efforts to engage the clinical community and health IT stakeholders to better understand these barriers, challenges, and health care provider burden.

Recommendations

The Report makes the following overarching recommendations for future actions HHS plans to support through its policies and that the health IT community as a whole can take to accelerate progress:

Focus on improving interoperability and upgrading technical capabilities of health IT, so patients can securely access, aggregate, and move their health information using their smartphones (or other devices) and health care providers can easily send, receive, and analyze patient data.

Increase transparency in data sharing practices and strengthen technical capabilities of health IT so payers can access population-level clinical data to promote economic transparency and operational efficiency to lower the cost of care and administrative costs.

Prioritize improving health IT and reducing documentation burden, time inefficiencies, and hassle for health care providers, so they can focus on their patients rather than their computers.

The Report also says interoperable access underpins HHS’s efforts to pursue a health care system where data are available when and where needed.

ONC intends to particularly focus on promoting open APIs. Open APIs are technology that allow one software program to access the services provided by another software program and can improve access and exchange of health information. ONC says APIs can:

Support patients’ ability to have more access to information electronically through, for example, smartphones and mobile applications. HHS applauds the emergence of patient-facing applications that allow patients to access, aggregate, and act on their health information; and

Allow payers to receive necessary and appropriate information on a group of members without having to access one record at a time.
Increase institutional accountability, support value- based care models, and lead to competitive medical care pricing that benefits patients.

The Report claims patients, health care providers, and payers with appropriate access to health information can use modern computing solutions to generate value from the data. Improved interoperability can strengthen market competition, result in greater quality, safety, and value for the healthcare system, and enable patients, health care providers, and payers to experience the benefits of health IT.

Prepare For Enhanced Operability Requirements

ONC’s plan to achieve greater interoperability presents new business and compliance planning opportunities and challenges for health care providers, health insurers and other payers, health data and information technology (IT) providers and others. Among other things, participants in the healthcare system and their suppliers will need to prepare to comply with new expectations and mandates for interoperability. Meeting these demands will require financial expenditures as well as present technological challenges.The increased availability and access to electronica medical records and information resulting from these changes also a can be expected to drive new challenges and demands. Among other things, businesses relying on control of health information or records to influence or control patience, reimbursement, or other business value need to reevaluate and adjust their business models accordingly.

Improve accessibility and interoperability also is likely to create new expectations and demands by patients, payers, other providers and perhaps most significantly for providers and payers, regulators. Participants in the system will need to understand these applications and prepare to both defend their business performance as well as their compliance taking into account these new demands.

Amid all of this, of course, providers, pears, and their business associates can anticipate continued if not enhanced demands for enhanced data security and privacy protections and accompanying enforcement of these standards.

As ONC move forward on its plans to enhance interoperability, all concerned stakeholders will want to monitor developments and provide thoughtful and timely input. The time to get started is now. ONC and it’s sister agency, the Office of Civil Rights currently are inviting public comments about how to achieve these and other health IT and privacy improvements. Those interested in providing input should make sure their comments are submitted by the applicable deadlines next month.

Read the full Report here and share your input by the specified deadlines.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: Erisa & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of managed care and other health industry, health and other benefit and insurance, workforce and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

Past Chair of the ABA Managed Care & Insurance Interest Group and, a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer has been continuously involved the design, regulation, administration and defense of managed care and other health and employee benefit, health care, human resources and other staffing and workforce arrangements, contracts, systems, and processes. As a continuous component of this work, Ms. Stamer has worked closely with these and other clients on the design, development, administration, defense, and breach and data recovery of health care, workforce, insurance and financial services, trade secret and other information technology, data and related process and systems development, policy and operations throughout her career.

Ms. Stamer’s clients include employers and other workforce management organizations; employer, union, association, government and other insured and self-insured health and other employee benefit plan sponsors, benefit plans, fiduciaries, administrators, and other plan vendors; managed care organizations, insurers, self-insured health plans and other payers and their management; public and private, domestic and international hospitals, health care systems, clinics, skilled nursing, long-term care, rehabilitation and other health care providers and facilities; medical staff, health care accreditation, peer review and quality committees and organizations; managed care organizations, insurers, third-party administrative services organizations and other payer organizations; billing, utilization management, management services organizations; group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; claims, billing and other health care and insurance technology and data service organizations; other health, employee benefit, insurance and financial services product and solutions consultants, developers and vendors; and other health, employee benefit, insurance, technology, government and other management clients.

For more information about Ms. Stamer or her health industry and other experience and involvements, see here or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Physicians Pay $700,000 to Settle False Claims Act Violation Charges Arising from Financial Relationship with Drug Testing Lab

May 8, 2018

Three physicians are paying a total of $700,000 to settle Justice Department (DOJ) charges stemming from financial relationships with a drug testing lab. The settlement highlights the continuing need for providers to exercise care to avoid entering into financial arrangements with laboratories that DOJ, the Department of Health & Human Services Office of Inspector General (OIG) considers improper under federal health care fraud laws.

Dr. Robert Fetchero, D.O., Dr. Sridhar Pinnamaneni, M.D., and Dr. Thelma Green-Mack, M.D., separately agreed to settle allegations that they each received improper payments for referrals from Greensburg, Pennsylvania drug testing lab Universal Oral Fluid Laboratories, and caused false claims to be submitted to Medicare for drug testing services, United States Attorney Scott W. Brady announced yesterday.

The settlements announced resolve allegations that the settling physicians referred Medicare patients to Universal Oral Fluid Laboratories (“UOFL”) for drug testing services while engaged in a financial relationship with the lab. Specifically, UOFL paid the settling physicians to refer their patients to the lab for drug tests; UOFL then submitted claims to Medicare for the drug testing services from 2011 to 2014.

The settlements follow the earlier guilty plea on related charges of UOFL’s former medical director, Dr. John H. Johnson.

UOFL was owned and operated by William Hughes. The United States alleged that the financial arrangement between the settling physicians and UOFL violated the physician self-referral law, commonly known as the “Stark Law,” and the Anti-Kickback Statute, giving rise to liability under the False Claims Act. Pursuant to separately executed settlement agreements, Dr. Fetchero agreed to pay $200,000; Dr. Pinnamaneni agreed to pay $370,000; and Dr. Green-Mack agreed to pay $130,000.

The Stark Law forbids physicians from making referrals for certain designated health services payable by Medicare to an entity with which he or she (or an immediate family member) has a financial relationship, unless an exception applies. The Anti-Kickback Statute prohibits offering, paying, soliciting, or receiving remuneration to induce referrals of services covered by federal health care programs, such as Medicare. Violations of the Stark Law or Anti-Kickback Statute may give rise to civil liability for treble damages and penalties under the False Claims Act.

The settlements and underlying charges the resolve illustrate the risks that physicians and other providers run for participating in financial arrangements not structured to clearly meet applicable federal anti-kickback and STARK rules.

About the Author

Ms. Stamer’s legal, management, governmental affairs work and speaking and publications have focused on helping health industry, health benefit and other organizations and their management use the law, performance and risk management tools and process to manage people, performance, quality, compliance, operations and risk.

Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer supports these organizations and their leaders on both a real-time, “on demand” basis as well as outsourced operations or special counsel on an interim, special project, or ongoing basis with strategic planning and product and services development and innovation; workforce and operations management, crisis preparedness and response as well as to prevent, stabilize and cleanup legal and operational crises large and small that arise in the course of operations.

As core components of this work, Ms. Stamer helps health industry, health plans and insurers, health IT, life sciences and other health industry clients manage regulatory, contractual and other compliance; vendors and suppliers; Medicare, Medicaid, CHIP, Medicare/Medicaid Advantage, ERISA and other private payer and other terms of participation, medical billing, reimbursement, claims administration and coordination, and other provider-payer relations, contracting, compliance and enforcement; Form 990 and other nonprofit and tax-exemption; fundraising, investors, joint venture, and other business partners; quality and other performance measurement, management, discipline and reporting; physician and other workforce recruiting, performance management, peer review and other investigations and discipline, wage and hour, payroll, gain-sharing and other pay-for performance and other compensation, training, outsourcing and other human resources and workforce matters; board, medical staff and other governance; strategic planning, process and quality improvement; meaningful use, EMR, HIPAA and other technology, data security and breach and other health IT and data; STARK, antikickback, insurance, and other fraud prevention, investigation, defense and enforcement; audits, investigations, and enforcement actions; trade secrets and other intellectual property; crisis preparedness and response; internal, government and third-party licensure, credentialing, accreditation, HCQIA and other peer review and quality reporting, audits, investigations, enforcement and defense; patient relations and care; internal controls and regulatory compliance; payer-provider, provider-provider, vendor, patient, governmental and community relations; facilities, practice, products and other sales, mergers, acquisitions and other business and commercial transactions; government procurement and contracting; grants; tax-exemption and not-for-profit; 1557 and other Civil Rights; privacy and data security; training; risk and change management; regulatory affairs and public policy; process, product and service improvement, development and innovation, and other legal and operational compliance and risk management, government and regulatory affairs and operations concerns.

Her clients include public and private, domestic and international hospitals, health care systems, clinics, skilled nursing, long term care, rehabilitation and other health care providers and facilities; medical staff, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, insurers, self-insured health plans and other payers; and other health industry clients to establish and administer compliance and risk management policies; comply with requirements, investigate and respond to Board of Medicine, Health, Nursing, Pharmacy, Chiropractic, and other licensing agencies, Department of Aging & Disability, FDA, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; JCHO and other accreditation and quality organizations; private litigation and other federal and state health care industry investigation, enforcement including insurance or other liability management and allocation; process and product development, contracting, deployment and defense; evaluation, commenting or seeking modification of regulatory guidance, and other regulatory and public policy advocacy; training and discipline; enforcement, and a host of other related concerns for public and private health care providers, health insurers, health plans, technology and other vendors, employers, and others.and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns.

Author of leading works on a multitude of health care, health plan and other health industry matters, the American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting, former Vice President of the North Texas Health Care Compliance Professionals Association, past Chair of the ABA Health Law Section Managed Care & Insurance Section, past ABA JCEB Council Representative and CLE and Marketing Committee Chair, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer’s health industry clients include public health organizations; public and private hospitals, healthcare systems, clinics and other health care facilities; physicians, physician practices, medical staff, and other provider organizations; skilled nursing, long term care, assisted living, home health, ambulatory surgery, dialysis, telemedicine, DME, Pharma, clinics, and other health care providers; billing, management and other administrative services organizations; insured, self-insured, association and other health plans; PPOs, HMOs and other managed care organizations, insurance, claims administration, utilization management, and other health care payers; public and private peer review, quality assurance, accreditation and licensing; technology and other outsourcing; healthcare clearinghouse and other data; research; public and private social and community organizations; real estate, technology, clinical pathways, and other developers; investors, banks and financial institutions; audit, accounting, law firm; consulting; document management and recordkeeping, business associates, vendors, and service providers and other professional and other health industry organizations; academic medicine; trade associations; legislative and other law making bodies and others.

Past Chair of the ABA Managed Care & Insurance Interest Group and, a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also has extensive health care reimbursement and insurance experience advising and defending health care providers, payers, and others about Medicare, Medicaid, Medicare and Medicaid Advantage, Tri-Care, self-insured group, association, individual and group and other health benefit programs and coverages including but not limited to advising public and private payers about coverage and program design and documentation, advising and defending providers, payers and systems and billing services entities about systems and process design, audits, and other processes; provider credentialing, and contracting; providers and payer billing, reimbursement, claims audits, denials and appeals, coverage coordination, reporting, direct contracting, False Claims Act, Medicare & Medicaid, ERISA, state Prompt Pay, out-of-network and other nonpar insured, and other health care claims, prepayment, post-payment and other coverage, claims denials, appeals, billing and fraud investigations and actions and other reimbursement and payment related investigation, enforcement, litigation and actions.

Heavily involved in health care and health information technology, data and related process and systems development, policy and operations innovation and a Scribe for ABA JCEB annual agency meeting with OCR for many years who has authored numerous highly-regarded works and training programs on HIPAA and other data security, privacy and use, Ms. Stamer also is widely recognized for her extensive work and leadership on leading edge health care and benefit policy and operational issues including meaningful use and EMR, billing and reimbursement, quality measurement and reimbursement, HIPAA, FACTA, PCI, trade secret, physician and other medical confidentiality and privacy, federal and state data security and data breach and other information privacy and data security rules and many other concerns. Her work includes both regulatory and public policy advocacy and thought leadership, as well as advising and representing a broad range of health industry and other clients about policy design, drafting, administration, business associate and other contracting, risk assessments, audits and other risk prevention and mitigation, investigation, reporting, mitigation and resolution of known or suspected violations or other incidents and responding to and defending investigations or other actions by plaintiffs, DOJ, OCR, FTC, state attorneys’ general and other federal or state agencies, other business partners, patients and others.

Ms. Stamer has worked extensively with health care providers, health plans, health care clearinghouses, their business associates, employers and other plan sponsors, banks and other financial institutions, and others on risk management and compliance with HIPAA, FACTA, trade secret and other information privacy and data security rules, including the establishment, documentation, implementation, audit and enforcement of policies, procedures, systems and safeguards, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and and enforcement, and a host of other related concerns. Her clients include public and private health care providers, health insurers, health plans, technology and other vendors, and others. In addition to representing and advising these organizations, she also has conducted training on Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, MGMA, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.

A former lead consultant to the Government of Bolivia on its Pension Privatization Project with extensive domestic and international public policy concerns in Pensions, healthcare, workforce, immigration, tax, education and other areas.

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her thought leadership, experience and advocacy on these and other related concerns by her service in the leadership of the Solutions Law Press, Inc. Coalition for Responsible Health Policy, its PROJECT COPE: Coalition on Patient Empowerment, and a broad range of other professional and civic organizations including North Texas Healthcare Compliance Association, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children (now Warren Center For Children); current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, past Representative and chair of various committees of ABA Joint Committee on Employee Benefits; a ABA Health Law Coordinating Council representative, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, a former member of the Board of Directors of the Southwest Benefits Association and others.

For more information about Ms. Stamer or her health industry and other experience and involvements, see here or contact Ms. Stamer via telephone at (469) 767-8872 or via e-mail here.

About Solutions Law Press, Inc.™

May 8, 2018

HHS Picks Hargan As Acting HHS Secretary

October 11, 2017

President Trump has appointed Eric D. Hargan Acting Secretary of the U.S. Department of Health and Human Services (HHS).

Hargan, who was just sworn into office as Deputy Secretary of HHS on Oct. 6, 2017, takes over the duties of former Secretary Dr. Tom Price, who recently resigned in response to criticism about his expenditures for charter flights.

Before joining HHS, Mr. Hargan was an attorney, most recently a shareholder in Greenberg Traurig’s Chicago office in the Health and FDA Business department, where he focused his practice on transactions, healthcare regulations and government relations. He represented investors, companies, and individuals in healthcare investments and issues across the entire sector.

From 2003 to 2007, Mr. Hargan served at HHS in a variety of capacities, ultimately holding the position of Acting Deputy Secretary. During his tenure at HHS, Mr. Hargan also served as the Department’s Regulatory Policy Officer, overseeing the development and approval of all HHS, CMS, and FDA regulations and significant guidances.

Prior to this role, he served HHS as Deputy General Counsel. More recently, he was tapped by Governor Bruce Rauner to serve during transition as lead co-chair for Gov. Rauner’s Healthcare and Human Services committee.

During his time in Illinois, Mr. Hargan taught at Loyola Law School in Chicago, focusing on administrative law and healthcare regulations. He was a member of the U.S. government team at the inaugural U.S.-China Strategic Economic Dialogue in Beijing in 2006-2007, worked with the State Department’s Bureau of Arms Control to advance biosecurity in developing nations, and initiated and led the HHS team that developed the first responses to international food safety and importation issues in 2007.

He received his B.A. cum laude from Harvard University, and his J.D. from Columbia University Law School, where he was Senior Editor of the Columbia Law Review. Mr. Hargan also received a Certificate in International Law from the Parker School of Foreign and Comparative Law at Columbia University.

Before returning to Washington, D.C., Mr. Hargan lived in the suburbs of Chicago with his wife, Emily, and their two sons.

About The Author

Ms. Stamer works with health industry and related businesses and their management, employee benefit plans, governments and other organizations deal with all aspects of human resources and workforce, internal controls and regulatory compliance, change management, disaster and other crisis preparedness and response, and other performance and operations management and compliance. Her experienced includes career long involvement in advising and defending health industry and other organizations about disaster and other crisis preparation, response and mitigation arising from natural and man-made disasters, government enforcement, financial distress, workplace emergencies and accidents, data breach and other cybersecurity and other events. For additional information about Ms. Stamer, see here, e-mail her here or telephone Ms. Stamer at (214) 452-8297.

About Solutions Law Press, Inc.™

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advise or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and publisher disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

©2017 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.

Leave a Comment » | Academic medicine, Affordable Care Act, Anti-KickBack, ASC, Centers For Disease Control, Childrens Health Insurance Program, Conditions of Participation, data breach, data security, DEA, Doctor, Electronic Medical Records, EMTALA, FDA, Federal Health Center, Federal Sentencing Guidelines, Health Care, Health care coding, Health Care Finance, Health Care Fraud, Health Care Provider, Health Care Quality, Health Care Reform, health care reimbursement, Health Insurance Exchange, Health IT, Health Plan, Health Plans, healthcare, HHS, HIPAA, HIPAA Cyber Crime, HITECH Act, Home Health, Hospice, Hospital, hospitals, Indian Health, Inpatient Rehabilitation, Inpatient Rehabilitation Facility, managed care, Meaningful Use, Medicaid, Medical Privacy, Medical Records, Medicare, Medicare Advantage, Medicare Fee Schedule, Medicare Prescription Drug Program, Mental Health, Mental Heatlh, OCR, OIG, Outcomes Data, Outpatient, Peer Review, Pharmaceudical, Pharmacy, Physician, Preexisting Condition Insurance Plan, Prescription Drugs, Privacy, Prospective Payment, Psychiatric, public health, Public Policy, quality reporting, Reimbursement, Reproductive Rights, Rural Health Care, Skilled Nursing Facility, Stark, Substance Abuse, substance abuse treatment, Telemarketing, Telemedicine, Uncategorized, Wellness | Tagged: Affordable Care Act, controlled substance, drugs, false claims act, Health Care, Health Care Compliance, Health Care Fraud, Health Care Provider, Health Care Reimbursement, Health Plans, HEAT, HHS, HIPAA, Hospital, Medicaid, Medicare, OCR, pain management, pharmacist, pharmacy, Physician, Physicians, Privacy, Reimbursement | Permalink
Posted by Cynthia Marcotte Stamer

CMS Proposes Cutbacks To Medicare Bundled Payment Program

August 15, 2017

A Centers for Medicare and Medicaid Services (CMS) proposed rule scheduled for publication in the August 18, 2017 Federal Register will propose to reduce the number of mandatory geographic areas for the joint bundled payment program and cancel the cardiac bundled payment program model for determining reimbursement of providers for care under Medicare as well as make other refinements to the bundled payment program scheduled to take effect in January.

Widely criticized by many providers including department of Health and Human Services Secretary Dr. Tom Price, the mandatory bundled payment program presently is scheduled to take effect in January, 2018 after multiple delays.

According to the advanced copy of the proposed rule released by CMS on August 15, 2017, the proposed rule will propose among other things the following changes to the bundled payment program:

Cancel the Episode Payment Models (EPMs) and Cardiac Rehabilitation (CR) incentive payment model and rescind the regulations governing these models;
Revise certain aspects of the Comprehensive Care for Joint Replacement (CJR) model, including: giving certain hospitals selected for participation in the CJR model a one-time option to choose whether to continue their participation in the model;
Make technical refinements and clarifications for certain payment, reconciliation and quality provisions; and
Increase the pool of eligible clinicians that qualify as affiliated practitioners under the Advanced Alternative Payment Model (APM) track.

Healthcare providers and others interested in the proposed changes should carefully review the proposed changes and provide feedback as soon as possible and no later than the October 17, 2017 deadline the proposed regulation sets for submitting comments.

About The Author

The author of this update, attorney Cynthia Marcotte Stamer, is AV-Preeminent (the highest) rated attorney repeatedly recognized for her nearly 30 years of experience and knowledge representing and advising healthcare, health plan and other health industry and others on these and other regulatory, workforce, risk management, technology, public policy and operations matters as a Martindale-Hubble as a “LEGAL LEADER™” and “Texas Top Rated Lawyer” in Health Care Law, Labor and Employment Law, and Business & Commercial Law and among the “Best Lawyers In Dallas” by D Magazine.

An American Bar Foundation, American College of Employee Benefits Counsel, and Texas Bar Foundation Fellow, current American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, former scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting and JCEB Council Representative, former Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, the former Board President and Treasurer of the Richardson Development Center for Children Early Childhood Intervention Agency, and past Board Compliance Chair of the National Kidney Foundation of North Texas, and Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization, Ms. Stamer’s health industry experience includes advising hospitals, nursing home, home health, rehabilitation and other health care providers and health industry clients to establish and administer compliance and risk management policies; prevent, conduct and investigate, and respond to peer review and other quality concerns; and to respond to Board of Medicine, Department of Aging & Disability, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management and a broad range of other legal and operational concerns. Her clients include public and private health care providers, health insurers, health plans, technology and other vendors, and others.

You can get more information about her health industry experience here or contact Ms. Stamer via telephone at (469) 767-8872 or via e-mail here.

About Solutions Law Press Inc.™

Solutions Law Press, Inc.™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns.

If you found these updates of interest, you may be interested in other recent Solutions Law Press, Inc. updates, publications, training program, advocacy and other initiatives available here.

Go here to register to receive other Solutions Law Press, Inc. updates and announcements about other upcoming briefings, training or other programs, products, services, and activities or to learn more about Solutions Law Press, Inc., its publications, programs and training, PROJECT COPE: Coalition on Patient Empowerment community service and education projects, event management and other resources and services.

For important information concerning this communication see here. THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS. ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.

Leave a Comment » | Anti-KickBack, billing, Clinical pathway, Conditions of Participation, Consumer Driven Health Care, Corporate Compliance, Doctor, Electronic Medical Records, Evidence Based Medicine, false claims act, Health Care, Health Care Finance, Health Care Fraud, Health Care Provider, Health Care Quality, Health Care Reform, health care reimbursement, Health Plan, Health Plans, healthcare, Hospital, Inpatient Rehabilitation Facility, Medicare, Medicare Fee Schedule, OIG, Physician, Prospective Payment, Reimbursement, Uncategorized | Tagged: Affordable Care Act, bundled payment program, CMS, false claims act, Health Care, Health Care Compliance, Health Care Fraud, Health Care Policy, Health Care Provider, Health Care Reform, Health Care Reimbursement, HHS, Hospital, Hospitals, Medicaid, Medicare, OIG, physical therapy, Physician, Physicians, Reimbursement | Permalink
Posted by Cynthia Marcotte Stamer

CMS Releases 2017 Provider Payment Program Hardship Exception Application

August 4, 2017

The Quality Payment Program Hardship Exception Application for the 2017 transition year now is available on the Quality Payment Program website.

MIPS eligible clinicians and groups may qualify for a reweighting of their Advancing Care Information performance category score to 0% of the final score, and can submit a hardship exception application, for one of the following specified reasons:

Insufficient internet connectivity
Extreme and uncontrollable circumstances
Lack of control over the availability of Certified EHR Technology (CEHRT).

Some MIPS eligible clinicians who are considered Special Status, will be automatically reweighted (or, exempted in the case of MIPS eligible clinicians participating in a MIPS APM), do not need to submit a Quality Payment Program Hardship Exception Application.
In addition to submitting an application via the Quality Payment Program website, clinicians also may contact the Quality Payment Program Service Center and work with a representative to verbally submit an application.

To submit an application, a physician or other applying clinician will need:

The Taxpayer Identification Number (TIN) for group applications or National Provider Identifier (NPI) for individual applications;
Contact information for the person working on behalf of the individual clinician or group, including first and last name, e-mail address, and telephone number; and
Selection of hardship exception category (listed above) and supplemental information.

Applicants for a hardship exception based on the Extreme and Uncontrollable Circumstance category, also must select one of the following and provide a start and end date of when the circumstance occurred:

Disaster (e.g., a natural disaster in which the CEHRT was damaged or destroyed);
Practice or hospital closure;
Severe financial distress (bankruptcy or debt restructuring);
EHR certification/vendor issues (CEHRT issues)

Once an application is submitted, CMS will send the applicant a confirmation email acknowledging receipt of the application and when it is pending, approved, or dismissed. Applications will be processed on a rolling basis.

Physician and other clinicians or practices interested in pursuing an exemption should act promptly.

About The Author

Cynthia Marcotte Stamer is a Martindale-Hubble “AV-Preeminent (Top 1%) rated practicing attorney and management consultant, health industry public policy advocate, widely published author and lecturer, recognized for her nearly 30 years’ of work on health industry and other privacy and data security and other health care, health benefit, health policy and regulatory affairs and other health industry legal and operational as a LexisNexis® Martindale-Hubbell® “LEGAL LEADER™ and “Top Rated Lawyer,” in Health Care Law and Labor and Employment Law; a D Magazine “Best Lawyers In Dallas” in the fields of “Health Care,” “Labor & Employment,” “Tax: Erisa & Employee Benefits” and “Business and Commercial Law,” a Fellow in the American Bar Foundation, the Texas Bar Foundation and the American College of Employee Benefit Counsel.

Technical advisor to the National Physicians Council for Healthcare Policy, Vice President of the North Texas Healthcare Professionals Association, American Bar Association (ABA) International Life Sciences Committee Vice Chair, Policy; Scribe for ABA JCEB annual agency meeting with OCR, Ms. Stamer is well-known for her extensive work and leadership throughout her career on healthcare and health policy, regulatory, operations and other industry topics. Her clients include public and private healthcare systems, hospitals and other healthcare facilities, health care providers, health insurers, health plans, employers, health and other technology and other vendors, communities and others.

In addition to representing and advising these organizations, she also speaks extensively and conducts training on health care and other privacy and data security and many other matters.

Beyond these involvements, Ms. Stamer also is active in the leadership of a broad range of other health care and other professional and civic organizations. Through these and other involvements, she helps develop and build solutions, build consensus, garner funding and other resources, manage compliance and other operations, and take other actions to identify promote tangible improvements in health care and other policy and operational areas.

For additional information about Ms. Stamer, see here or contact Ms. Stamer directly by e-mail here or by telephone at (469) 767-8872. ©2017 Cynthia Marcotte Stamer. Limited, non-exclusive right to republish granted to Solutions Law Press, Inc. All other rights reserved.

Leave a Comment » | Academic medicine, Affordable Care Act, Conditions of Participation, E-Prescribing, Evidence Based Medicine, Health Care, Health care coding, Health Care Finance, Health Care Fraud, Health Care Provider, Health Care Quality, Health Care Reform, health care reimbursement, healthcare, Home Health, Hospice, Hospital, hospitals, Inpatient Rehabilitation, Inpatient Rehabilitation Facility, Meaningful Use, Medical Records, Medicare, Medicare Fee Schedule, OIG, Outcomes Data, Peer Review, quality reporting, Reimbursement, Rural Health Care, Skilled Nursing Facility, Uncategorized | Tagged: Affordable Care Act, CMS, Doctor, false claims act, Health Care, Health Care Compliance, Health Care Fraud, Health Care Policy, Health Care Provider, Health Care Reform, Health Care Reimbursement, HEAT, HHS, Hospital, Medical Board, Medicare, Medicare Part B, physical therapy, Physician, Physicians, PQRS, Reimbursement | Permalink
Posted by Cynthia Marcotte Stamer

Medical Clinic HIPAA Resolution Agreement Shows Need For Current Business Associate Agreements

April 24, 2017

Health care providers, health plans, health care clearinghouses and business associates must get and keep their business associate (BA) agreements (BAAs) in place, up- to-date, and readily available for inspection in accordance with the Health Insurance Portability & Accountability Act (HIPAA) Privacy Rule, 45 C.F.R. Part 160 and Subparts A and E of Part 164 (Privacy Rule). That’s the clear message physician practices and other health care providers, health plans, health care clearinghouses (“covered entities”) and their business associates should learn about Privacy Rule compliance from an April 17, 2017 HIPAA Resolution Agreement just announced by the Department of Health & Human Services (HHS) Office of Civil Rights (OCR) with the Center for Children’s Digestive Health (CCDH).

While the Resolution Agreement relates to breaches of the BAA requirements of a small pediatric practice, the Center for Children’s Digestive Health (CCDH), all health plans, health care providers and other covered entities and business associates should focus on the adequacy of their BAAs and their BAA recordkeeping. HIPAA compliance surveys reflect deficiencies with the BAA rules are common throughout the industry. These findings and the involvement of BAs in data breaches or other OCR enforcement activities suggest a high probability that many other covered entities and business associates may be sitting ducks for similar sanctions. See e.g., HIPAA Compliance Survey Churns Up Many Business Associate Problems (January 3, 2017).

The HIPAA Business Associate Agreement Requirements

OCR’s announcement of the CCDH Resolution Agreement is the latest in a growing series of HIPAA enforcement actions showing the growing risk covered entities and their business associates face for failing to take appropriate steps to comply with the BAA and other Privacy Rule requirements of HIPAA.

As compliance audits and surveys of covered entities and business associates suggest a high level of noncompliance with the business associate agreement requirements among covered entities and business associates, While the ever-growing list of Resolution Agreements and Civil Monetary Penalties announced by OCR cover a variety of categories of HIPAA violations, the CCDH Resolution Agreement highlights the importance of covered entities and their business associates ensuring that before the BA creates, accesses, receives, discloses, retains or destroys any PHI for the covered entity, a BAA meeting the Privacy Rule requirements is signed and retained for at least the six year period the Privacy Rule requires in a manner easily producible when and if OCR or another agency asks for a copy as part of an investigation or other compliance audit. See Privacy Rule §§ 164.502(e), 164.504(e), 164.532(d) and (e).

The Privacy Rule requires that covered entities and business associates enter into a written and signed business associate agreement that contains the elements specified in Privacy Rule § 164.504(e) before the business associate creates, uses, accesses or discloses PHI of the covered entity. Meanwhile, the Privacy Rule recordkeeping requirements require that covered entities and BAs maintain copies of these BAAs for a minimum of six years.

Violations of the Privacy Rule can carry stiff civil or even criminal penalties Pursuant to amendments to HIPAA enacted as part of the HITECH Act, civil penalties typically do not apply to violations punished under the criminal penalty rules of HIPAA set forth in Social Security Act , 42 U.S.C § 1320d-6 (Section 1177).

Under Section 1177, the criminal enforcement provisions of HIPAA authorize the Justice Department to prosecute a person who knowingly in violation of the Privacy Rule (1) uses or causes to be used a unique health identifier; (2) obtains individually identifiable health information relating to an individual; or (3) discloses individually identifiable health information to another person, punishable by the following criminal sanctions and penalties:

A fine of up to $50,000, imprisoned not more than 1 year, or both;
If the offense is committed under false pretenses, a fine of up to $100,000, imprisonment of not more than 5 years, or both; and
If the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, a fine of up to $250,000, imprisoned not more than 10 years, or both.

In contrast, as amended by the HITECH Act, the civil enforcement provisions of HIPAA empower OCR to impose Civil Monetary Penalties on both covered entities and BAs for violations of any of the requirements of the Privacy or Security Rules. The penalty ranges for civil violations depends upon the circumstances associated with the violations and are subject to upward adjustment for inflation. As most recently adjusted here effective September 6, 2016, the following currently are the progressively increasing Civil Monetary Penalty tiers:

A minimum penalty of $100 and a maximum penalty of $50,000 per violation, for violations which the CE or BA “did not know, and by exercising reasonable diligence would not have known” about using “the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances;”
A minimum penalty of $1,000 and a maximum penalty of $50,000 per violation, for violations for “reasonable cause” which do not rise to the level of “willful neglect” where “reasonable cause” means the “circumstances that would make it unreasonable for the covered entity, despite the exercise of ordinary business care and prudence, to comply with the violated Privacy Rule requirement;”
A minimum penalty of $10,000 and a maximum penalty of $50,000 per violation, for violations attributed to “willful neglect,” defined as “the conscious, intentional failure or reckless indifference to the obligation to comply” with the requirement or prohibition; and
A minimum penalty of $50,000 and a maximum penalty of $1.5 million per violation, for violations attributed to “willful neglect” not remedied within 30 days of the date that the covered entity or BA knew or should have known of the violation.

For continuing violations such as failing to implement a required BAA, OCR can treat each day of noncompliance as a separate violation. However, sanctions under each of these tiers generally are subject to a maximum penalty of $1,500,000 for violations of identical requirements or prohibitions during a calendar year. For violations such as the failure to implement and maintain a required BAA where more than one covered entity bears responsibility for the violation, OCR an impose Civil Monetary Penalties against each culpable party. OCR considers a variety of mitigating and aggravating facts and circumstances when arriving at the amount of the penalty within each of these applicable tiers to impose.

While criminal enforcement of HIPAA remains relatively rare, a review of the OCR enforcement record in recent years makes clear that civil enforcement of HIPAA and the sanctions imposed is growing. See e.g., $400K HIPAA Settlement Shows Need To Conduct Timely & Appropriate Risk Assessments; $5.5M Memorial HIPAA Resolution Agreement Shows Need To Audit. For more examples, also see here.

CCDH Sanctions For Violation Of HIPAA Business Associate Agreement Rules

The CCDH Resolution Agreement arises from violations of this requirement that OCR says it discovered as a result of a compliance review conducted in response to an OCR investigation of a CCDH business associate, FileFax, Inc. According to OCR, OCR found from the compliance review of CCDH triggered by OCR’s investigation of FileFax that while CCDH began disclosing PHI to Filefax in 2003 and that Filefax stored records containing protected health information (PHI) for CCDH, neither CCDH nor Filefax could produce a signed Business Associate Agreement (BAA) covering their relationship for any period before October 12, 2015.

Based on the resulting investigation, OCR concluded:

CCDH failed to obtain a BAA providing written assurances from Filefax that it would appropriately safeguard the PHI in Filefax’s possession or control satisfactory assurances as required by Privacy Rule §164.502(e); and
Because CCDH failed to secure the required BAA, it violated the Privacy Rule by impermissibly disclosing the PHI of at least 10,728 individuals to Filefax when CCDH transferred the PHI to Filefax without obtaining the requisite BAA from Filefax (Covered Conduct).

In the Resolution Agreement, CCDH agrees to pay HHS $31,000.00 (Resolution Amount) and enter into and comply with a Corrective Action Plan (CAP) in return for OCR’s release of CCDH from liability for “any actions it may have against CCDH under the HIPAA Rules” for the Covered Conduct. The Resolution Agreement only settles the civil monetary penalty and other OCR enforcement liabilities of CCDH with respect to the Covered Conduct. Its provisions expressly state the Resolution Agreement does not affect any exposures of CCDH to CCDH to OCR civil monetary penalties or other enforcement for any HIPAA violations other than the Covered Conduct.

Perhaps even more noteworthy given the HITECH Act’s provisions coordinating the civil and criminal sanctions of HIPAA, while the Resolution Agreement provides no clear indication that the Justice Department might be considering criminally prosecuting CCDH or any other party in relation to the Covered Conduct, the Resolution Agreement also expressly states that its provisions do not affect CCDH’s potential exposure, if any, to criminal prosecution by the Justice Department for a criminal violation of the Privacy Rules under Section 1177 of the Social Security Act.

Implications For Covered Entities & Business Associates

Covered entities and their business associates should heed the CCDH Resolution Agreement as a strong message from OCR to ensure their organizations are complying with HIPAA’s BAA and other requirements. The Resolution Agreement makes clear that the starting point of this compliance effort must be obtaining and maintaining the requisite BAAs for each BA relationship.

To position their organizations to withstand potential investigation by OCR, covered entities and BAs should start by conducting a well-documented audit within the scope of attorney-client privilege both to verify that an appropriate, signed BAA is in place for each BA relationship as well as adequacy of processes for identifying business associate relationships, ensuring that signed BAAs are in effect before BAs access any PHI, and for investigating, reporting and resolving any breaches of the HIPAA Privacy or Security Rules that may arise in the course of operations.

Conducting this audit as soon as possible is particularly important in light of reported findings of widespread compliance concerns. See HIPAA Compliance Survey Churns Up Many Business Associate Problems (January 3, 2017). As the audit process could identify potential violations or other legally sensitive concerns, covered entities and business associates generally will want to arrange for this audit and evaluation to be conducted under the supervision of legal counsel experienced with HIPAA within or pursuant to processes structured with the assistance of legal counsel within the scope of attorney-client privilege.

Beyond confirming all necessary BAAs are in place, covered entities and business associates also generally will want to evaluate the adequacy of BAs’ processes and procedures for maintaining compliance with the Privacy and Security Rules as well as processes and procedures for responding to audits, investigations and complaints, reporting and addressing breaches of electronic and other PHI and other possible compliance concerns under HIPAA and other related laws. In many instances, parties may n wish to revise and strengthen existing BAAs to more specifically define these policies and procedures more specifically as well as indemnification, cyber or other liability coverage requirements and other contractual provisions for allocating potential costs and liabilities arising from breaches, audits, investigations and other expenses associated with the administration of these provisions.

About The Author

Recognized by LexisNexis® Martindale-Hubbell® as a “AV-Preeminent” (Top 1%/ the highest) and “Top Rated Lawyer,” with special recognition as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Health Care,” “Labor & Employment,” “Tax: Erisa & Employee Benefits” and “Business and Commercial Law” by D Magazine, the author of this update is widely known for her 29 plus years’ of work in health care, health benefit, health policy and regulatory affairs and other health industry concerns as a practicing attorney and management consultant, thought leader, author, public policy advocate and lecturer.

Throughout her adult life and nearly 30-year legal career, Ms. Stamer’s legal, management and governmental affairs work has focused on helping health industry, health benefit and other organizations and their management use the law, performance and risk management tools and process to manage people, performance, quality, compliance, operations and risk. Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer supports these organizations and their leaders on both a real-time, “on demand” basis as well as outsourced operations or special counsel on an interim, special project, or ongoing basis with strategic planning and product and services development and innovation; workforce and operations management, crisis preparedness and response as well as to prevent, stabilize and cleanup legal and operational crises large and small that arise in the course of operations.

As a core component of her work, Ms. Stamer has worked extensively throughout her career with health care providers, health plans and insurers, managed care organizations, health care clearinghouses, their business associates, employers, banks and other financial institutions, management services organizations, professional associations, medical staffs, accreditation agencies, auditors, technology and other vendors and service providers, and others on legal and operational compliance, risk management and compliance, public policies and regulatory affairs, contracting, payer-provider, provider-provider, vendor, patient, governmental and community relations and matters including extensive involvement advising, representing and defending public and private hospitals and health care systems; physicians, physician organizations and medical staffs; specialty clinics and pharmacies; skilled nursing, home health, rehabilitation and other health care providers and facilities; medical staff, accreditation, peer review and quality committees and organizations; billing and management services organizations; consultants; investors; technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, insurers, self-insured health plans and other payers; and other health industry clients to manage and defend compliance, public policy, regulatory, staffing and other operations and risk management concerns. A core focus of this work includes work to establish and administer compliance and risk management policies; comply with requirements, investigate and respond to Board of Medicine, Health, Nursing, Pharmacy, Chiropractic, and other licensing agencies, Department of Aging & Disability, FDA, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; dealings with JCHO and other accreditation and quality organizations; investigation and defense of private litigation and other federal and state health care industry investigations and enforcement; insurance or other liability management and allocation; process and product development; managed care, physician and other staffing, business associate and other contracting; evaluation, commenting or seeking modification of regulatory guidance, and other regulatory and public policy advocacy; training and discipline; and a host of other related concerns for public and private health care providers, health insurers, health plans, technology and other vendors, employers, and others.

In the course of this work, Ms. Stamer has accumulated extensive experience helping health industry clients manage workforce, medical staff, vendors and suppliers, medical billing, reimbursement, claims and other provider-payer relations, business partners, and their recruitment, performance, discipline, compliance, safety, compensation, benefits, and training, board, medical staff and other governance; compliance and internal controls; strategic planning, process and quality improvement; change management; assess, deter, investigate and address staffing, quality, compliance and other performance; meaningful use, EMR, HIPAA and other data security and breach and other health IT and data; crisis preparedness and response; internal, government and third-party reporting, audits, investigations and enforcement; government affairs and public policy; and other compliance and risk management, government and regulatory affairs and operations concerns.

Author of leading works on HIPAA and other privacy and data security works and the scribe leading the American Bar Association Joint Committee on Employee Benefits Annual Agency Meeting with OCR, her experience includes extensive compliance, risk management and data breach and other crisis event investigation, response and remediation under HIPAA and other laws.

The American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting, former Vice President of the North Texas Health Care Compliance Professionals Association, past Chair of the ABA Health Law Section Managed Care & Insurance Section, past ABA JCEB Council Representative, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has worked closely with a diverse range of physicians, hospitals and healthcare systems, DME, Pharma, clinics, health care providers, managed care, insurance and other health care payers, quality assurance, credentialing, technical, research, public and private social and community organizations, and other health industry organizations and their management deal with governance; credentialing, patient relations and care; staffing, peer review, human resources and workforce performance management; outsourcing; internal controls and regulatory compliance; billing and reimbursement; physician, employment, vendor, managed care, government and other contracting; business transactions; grants; tax-exemption and not-for-profit; licensure and accreditation; vendor selection and management; privacy and data security; training; risk and change management; regulatory affairs and public policy and other concerns.

Past Chair of the ABA Managed Care & Insurance Interest Group and, a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also has extensive health care reimbursement and insurance experience advising and defending health care providers, payers, and others about Medicare, Medicaid, Medicare and Medicaid Advantage, Tri-Care, self-insured group, association, individual and group and other health benefit programs and coverages including but not limited to advising public and private payers about coverage and program design and documentation, advising and defending providers, payers and systems and billing services entities about systems and process design, audits, and other processes; provider credentialing, and contracting; providers and payer billing, reimbursement, claims audits, denials and appeals, coverage coordination, reporting, direct contracting, False Claims Act, Medicare & Medicaid, ERISA, state Prompt Pay, out-of-network and other nonpar, insured, and other health care claims, prepayment, post-payment and other coverage, claims denials, appeals, billing and fraud investigations and actions and other reimbursement and payment related investigation, enforcement, litigation and actions.

In connection with this work, Ms. Stamer has worked extensively with health care providers, health plans, health care clearinghouses, their business associates, employers and other plan sponsors, banks and other financial institutions, and others on risk management and compliance with HIPAA, FACTA, trade secret and other information privacy and data security rules, including the establishment, documentation, implementation, audit and enforcement of policies, procedures, systems and safeguards, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and and enforcement, and a host of other related concerns. Her clients include public and private health care providers, health insurers, health plans, technology and other vendors, and others.

Her work includes both regulatory and public policy advocacy and thought leadership, as well as advising and representing a broad range of health industry and other clients about policy design, drafting, administration, business associate and other contracting, risk assessments, audits and other risk prevention and mitigation, investigation, reporting, mitigation and resolution of known or suspected violations or other incidents and responding to and defending investigations or other actions by plaintiffs, DOJ, OCR, FTC, state attorneys’ general and other federal or state agencies, other business partners, patients and others.

In addition to representing and advising these organizations, she also has conducted training on Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, MGMA, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her thought leadership, experience and advocacy on these and other related concerns by her service in the leadership of the Solutions Law Press, Inc. Coalition for Responsible Health Policy, its PROJECT COPE: Coalition on Patient Empowerment, and a broad range of other professional and civic organizations including North Texas Healthcare Compliance Association, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children (now Warren Center For Children); current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, past Representative and chair of various committees of ABA Joint Committee on Employee Benefits; a ABA Health Law Coordinating Council representative, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, a former member of the Board of Directors of the Southwest Benefits Association and others.

Ms. Stamer also is a highly popular lecturer, symposium and chair, faculty member and author, who publishes and speaks extensively on health and managed care industry, human resources, employment and other privacy, data security and other technology, regulatory and operational risk management. Examples of her many highly regarded publications on these matters include “Protecting & Using Patient Data In Disease Management: Opportunities, Liabilities And Prescriptions,” “Privacy Invasions of Medical Care-An Emerging Perspective,” “Cybercrime and Identity Theft: Health Information Security: Beyond HIPAA,” as well as thousands of other publications, programs and workshops these and other concerns for the American Bar Association, ALI-ABA, American Health Lawyers, Society of Human Resources Professionals, the Southwest Benefits Association, the Society of Employee Benefits Administrators, the American Law Institute, Lexis-Nexis, Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, the HCCA, ISSA, HIMSS, Modern Healthcare, Managed Healthcare, Institute of Internal Auditors, Society of CPAs, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other symposia and publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, Insurance Thought Leadership and many other prominent publications and speaks and conducts training for a broad range of professional organizations.

For more information about Ms. Stamer or her health industry and other experience and involvements, see here or contact Ms. Stamer via telephone at (469) 767-8872 or via e-mail here.

About Solutions Law Press, Inc.™

©2017 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ All other rights reserved. For information about republication or other use, please contact Ms. Stamer here.

Leave a Comment » | Corporate Compliance, data breach, data security, DME, Doctor, drug treatment, E-Prescribing, Electronic Health Records, Federal Sentencing Guidelines, Health Care, Health Care Provider, Health Insurance Exchange, Health IT, Health Plan, HIPAA, HIPAA Cyber Crime, HITECH Act, Home Health, Hospice, Hospital, Hospital, hospitals, Inpatient Rehabilitation, Inpatient Rehabilitation Facility, managed care, Medical Privacy, Medical Records, Mental Health, Pharmaceudical, Pharmacy, Psychiatric, Technology, Telemedicine, Uncategorized | Tagged: business associate, clinic, confidentiality, Health Care Provider, Health Plan, HIPAA, HITECH Act, Medical Privacy, Physician, Privacy, Privacy Rule | Permalink
Posted by Cynthia Marcotte Stamer

All Covered Entities Should Learn Lessons From Mississippi Medical Center’s $2.75 Million HIPAA Resolution Agreement

July 27, 2016

Health care providers, health plans, healthcare clearinghouses (covered entities) and their business associates should reevaluate the adequacy of their practices and procedures for the protection of electronic protected health information (ePHI) on or accessible through laptops or other mobile devices in light of the $2.75 million penalty and other schooling the Department of Health and Human Services Office for Civil Rights (OCR) just gave the University of Mississippi (UM) Medical Center (UMMC) documented in a July 7, 2016 Resolution Agreement and Corrective Action Plan (Resolution Agreement) resolving OCR charges of multiple violations of the privacy, security and breach notification requirements of the Health Insurance Portability and Accountability Act (HIPAA) OCR says it uncovered while investigating UMMC’s breach notification report to OCR of the loss a laptop containing 328 files containing the ePHI of an estimated 10,000 patients.

UMMC Report of Missing Laptop Leads To Multiple Charges & Resolution Agreement

Mississippi’s sole public academic health science center, UMMC provides patient care in four specialized hospitals on the Jackson campus and at clinics throughout Jackson and the State as well as conducts medical education and research functions. Its designated health care component, UMMC, includes University Hospital, the site of the breach in this case, located on the main UMMC campus in Jackson.

The settlement agreed to by UMMC stems from charges resulting from an OCR investigation of UMMC triggered by a breach of unsecured electronic protected health information (“ePHI”) affecting approximately 10,000 individuals.

Like many prior resolution agreements previously announced by OCR, UMMC’s HIPAA woes came to light after a laptop went missing. OCR learned of the breach and opened its investigation in response to a March 21, 2013 notification UMMC filed with OCR. UMMC made the breach notification to comply with HIPAA’s Breach Notification Rule requirement that health care providers, health plans and healthcare clearinghouses (Covered Entities) timely notify affected individuals, OCR and others of breaches of unsecured ePHI.

UMMC’s breach notification disclosed that UMMC’s privacy officer had discovered a password-protected laptop containing ePHI of thousands of UMMC patients missing from UMMC’s Medical Intensive Care Unit (MICU). UMMC additionally reported that based on its investigation, UMMC believed that the missing laptop likely was stolen by a visitor to the MICU who had inquired about borrowing one of the laptops.

After discovering the loss, UMMC disclosed the breach to local media and on its website and notified OCR of the breach but apparently did not individually notify the subjects of the missing ePHI.

In keeping with its announced policy of investigating all breach reports impacting 500 or more individuals, OCR opened an investigation into UMMC’s breach report. Based on this investigation, OCR concluded that while the laptop apparently was password protected, UMMC had breached the Security Rules because ePHI stored on a UMMC network drive was vulnerable to unauthorized access via UMMC’s wireless network because users could use a generic username and password to access an active directory containing 67,000 files including 328 files containing the ePHI of an estimated 10,000 patients.

While OCR’s investigation confirmed that UMMC had implemented policies and procedures pursuant to the HIPAA Rules, OCR’s additionally found that the theft of the laptop that prompted UMMC’s breach report resulted from broad deficiencies in UMMC’s implementation and administration of these policies and its practices.

Based on these findings, OCR charged UMMC with the following HIPAA violations:

From the compliance date of the Security Rule, April 20, 2005, through the settlement date, UMMC violated 45 C.F.R. §164.308(a)(1)(i) by failing to implement policies and procedures to prevent, detect, contain, and correct security violations, including conducting an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of the ePHI it holds, and implementing security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level;
From January 19, 2013, until March 1, 2014, UMMC violated 45 C.F.R. §164.310(c) by failing to implement physical safeguards for all workstations that access ePHI to restrict access to authorized users;
From the compliance date of the Security Rule, April 20, 2005, to March 14, 2013, UM violated 45 C.F.R. § 164.312 (a)(2)(i) by failing to assign a unique user name and/or number for identifying and tracking user identity in information systems containing ePHI including, for example, allowing workforce members to access ePHI on a shared department network drive through a generic account, preventing UMMC from tracking which specific users were accessing ePHI; and
While UMMC provided notification on UMMC’s website and in local media outlets following the discovery of the reported breach of unsecured ePHI,, UMMC violated the Breach Notification Rule by failing to notify each individual whose unsecured ePHI was reasonably believed to have been accessed, acquired, used, or disclosed as a result of the breach.

Finally, OCR determined that UMMC was aware of risks and vulnerabilities to its systems as far back as April 2005, yet took no significant risk management activity until after the breach, due largely to organizational deficiencies and insufficient institutional oversight.

To resolve these charges, UMMC agrees in the Resolution Agreement to pay OCR $2.75 million and implement a comprehensive compliance plan which among other things, requires UMMC to conduct a sweeping review and correct its HIPAA privacy, security and breach notification policies and their implementation and administration to comply with HIPAA as well as implement and administer detailed management and OCR oversight and reporting processes over the implementation and administration of these procedures.

Lessons For Other Covered Entities From UMMC Resolution Agreement

The UMMC charges and Resolution Agreement contains several key lessons for other covered entities and their business associates, which OCR’s July 21, 2016 announcement warns other covered entities and business associates to heed..

Certainly, the $2.75 million settlement amount reaffirms that covered entities and their business associates risk substantial liability for failing to properly assess and protect the security of ePHI in accordance with HIPAA’s Privacy and Security Rule.

Furthermore, the charges and Resolution Agreement also adds a new twist to OCR’s now well established to stiffly sanction covered entities and their business associates that fail appropriately assess and address risks to the security of their ePHI on or accessible from laptops or other mobile devices. Through previous resolution agreements and guidance, OCR has made clear that it interprets the HIPAA Security Rule as generally requiring that covered entities and business associates encrypt all laptops or other mobile devices containing ePHI. The UMMC charges and Resolution Agreement makes clear that the responsibility to protect ePHI on or accessible through laptops or other mobile devices does not end with encryption. Rather, the Resolution Agreement makes clear that covered entities and their business associates also must take appropriate, well-documented steps to monitor, assess, identify, and timely and effectively address other potential risks to the security of the ePHI.

The Resolution Agreement makes clear that these additional responsibilities include, but are not necessarily limited to ensuring that proper safeguards are implemented and enforced to secure access not only to the ePHI contained on the laptop as well as other data bases and systems containing ePHI accessible through the laptop. In this respect, the Resolution Agreement particularly highlights the need for covered entities and their business associates to assess risks and take appropriate steps:

To safeguard the physical security of laptops and other mobile devices;
To prevent the use of generic or other unsecure passwords to access ePHI on or accessible through the laptop or other mobile device;
To establish and administer appropriate, well-documented processes for assessing and addressing the adequacy of safeguards for and potential threats to the security of ePHI both initially and on an ongoing basis in a manner that meaningfully assesses the actual risks and effectiveness of safeguards against these risks, including those resulting from nonadherence to required safeguards and practices such as the sharing of passwords, changing systems or circumstances, and other developments that potentially threaten the adequacy of ePHI security.

Furthermore, OCR’s July 21, 2016 press release concerning the Resolution Agreement also sends a clear message to all covered entities and business associates that OCR views HIPAA as requiring organizations not only to adopt written policies and procedures that comply on paper or in theory with HIPAA, but also to take steps to monitor and maintain the effectiveness of their safeguard by continuously assessing and monitoring their HIPAA risks and acting as necessary to ensure that required safeguards of protected health information and ePHI and other HIPAA requirements are effectively implemented and administered in operation as well as form.

In OCR’s Press Release announcing the Resolution Agreement, OCR Director Jocelyn Samuels. Stated, “We at OCR remain particularly concerned with unaddressed risks that may lead to impermissible access to ePHI.” She also warned “In addition to identifying risks and vulnerabilities to their ePHI, entities must also implement reasonable and appropriate safeguards to address them within an appropriate time frame.”

Additionally, the Resolution Agreement also illustrates need for covered entities and business associates to timely provide all individual and other notifications and otherwise fully comply with all requirements of the Breach Notification Rules.

Since the risk of a breach is ever-present even for Covered Entities and business associates exercising the highest degree of care to safeguard PHI and maintain compliance with HIPAA, Covered Entities and business associates are wise to take steps to position themselves to be able to demonstrate the adequacy of both their written policies and procedures and the effectiveness of their implementation and enforcement including ongoing documented practices for assessing, monitoring and addressing security risks and other compliance concerns as well as prepare to comply with the breach notification requirements in the event they experience their own breach of unsecured ePHI.

About The Author

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, current American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, former scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting and JCEB Council Representative, former Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, the former Board President and Treasurer of the Richardson Development Center for Children Early Childhood Intervention Agency, and past Board Compliance Chair of the National Kidney Foundation of North Texas, and Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization, the author of this update, attorney Cynthia Marcotte Stamer, is AV-Preeminent (the highest) rated attorney repeatedly recognized for her nearly 30 years of experience and knowledge representing and advising healthcare, health plan and other health industry and others on these and other regulatory, workforce, risk management, technology, public policy and operations matters as a Martindale-Hubble as a “LEGAL LEADER™” and “Texas Top Rated Lawyer” in Health Care Law, Labor and Employment Law, and Business & Commercial Law and among the “Best Lawyers In Dallas” by D Magazine.

Ms. Stamer’s health industry experience includes advising hospitals, nursing home, home health, rehabilitation and other health care providers and health industry clients to establish and administer compliance and risk management policies; prevent, conduct and investigate, and respond to peer review and other quality concerns; and to respond to Board of Medicine, Department of Aging & Disability, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns.

Ms. Stamer also is known for her experience in HIPAA and other privacy and data security and breach concerns. The scribe for ABA JCEB annual agency meeting with OCR for many years, Ms. Stamer has worked extensively with health care providers, health plans, health care clearinghouses, their business associates, employers and other plan sponsors, banks and other financial institutions, and others on risk management and compliance with HIPAA, FACTA, trade secret and other information privacy and data security rules, including the establishment, documentation, implementation, audit and enforcement of policies, procedures, systems and safeguards, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and enforcement, and a host of other related concerns. Her clients include public and private health care providers, health insurers, health plans, technology and other vendors, and others. In addition to representing and advising these organizations, she also has conducted training on Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.

You can get more information about her health industry experience here or contact Ms. Stamer via telephone at (469) 767-8872 or via e-mail here.

About Solutions Law Press Inc.™

If you found these updates of interest, you may be interested in other recent Solutions Law Press, Inc. updates like the following:

Go here to register to receive other Solutions Law Press, Inc. updates and announcements about other upcoming briefings, training or other programs, products, services, and activities or to learn more about Solutions Law Press, Inc., its publications, programs and training, PROJECT COPE: Coalition on Patient Empowerment community service and education projects, event management and other resources and services.

Leave a Comment » | Academic medicine, Ambulatory care, ASC, Childrens Health Insurance Program, Civil Rights, Corporate Compliance, data breach, data security, Disease Management, DME, Doctor, drug treatment, Durable Medical Equipment, E-Prescribing, Electronic Health Records, Electronic Medical Records, Employee Benefits, FACTA, Federal Health Center, Federal Sentencing Guidelines, Genetic Information, GINA, Health Care, Health Insurance Exchange, Health IT, Health Plan, Health Plans, HIPAA, HIPAA Cyber Crime, HITECH Act, Home Health, Hospice, Hospital, Hospital, hospitals, Indian Health, Inpatient Rehabilitation, Inpatient Rehabilitation Facility, Licensing, managed care, Medical Privacy, Medical Records, Mental Health, Mental Heatlh, OCR, Outpatient, Pharmacy, Physician, Prescription Drugs, Privacy, Psychiatric, Rural Health Care, substance abuse treatment, Technology, Telemedicine, Uncategorized, Union, Veterans Health, Veterans Health Care, Wellness | Tagged: Employers, Health Care, Health Care Provider, Health Plans, HIPAA, Hospital, Medicaid, OCR, Physician, Privacy | Permalink
Posted by Cynthia Marcotte Stamer

Provider Pays $750K To Settle HIPAA Business Associate Rule Breach Charges

April 21, 2016

Health Care Providers, Health Plans, Healthcare Clearing Houses & Business Associates Should Verify Plan’s HIPAA Business Associate Rule Compliance

Health care providers as providers and as health plan sponsors, health plans and their sponsors, health care clearinghouses and their business associates should reconfirm and ensure they can prove they have all required business associate agreements in place and otherwise properly are administering all policies, practices, safeguards and procedures for handling, using and disclosing electronic and other protected health information in accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules (Privacy Rule) in light of the April 20, 2016 Department of Health & Human Services Office of Civil Rights (OCR) announcement of its latest resolution agreement settling charges against a health care provider for sharing protected health information with a business associate without first implementing the required business associate agreement.

OCR Charges Brought For Business Associate Agreement Violations

HIPAA’s Privacy Rules generally apply to “covered entities,” which under HIPAA are health plans and insurers, health care providers, health care clearinghouses (Covered Entities) and “business associates,” which are individuals or entities that perform services that aid the Covered Entity to perform its duties as a Covered Entity.

The Resolution Agreement and Corrective Action Plan (Resolution Agreement) with Raleigh Orthopaedic Clinic, P.A. of North Carolina (Raleigh Orthopaedic) announced by OCR on April 20th requires Raleigh Orthopaedic to pay $750,000 to settle charges OCR it violated the Privacy Rule by handing over protected health information of approximately 17,300 patients to a potential business partner without first executing a business associate agreement.

Raleigh Orthopaedic is a provider group practice that operates clinics and a surgery center in the Raleigh, North Carolina area. OCR initiated its investigation of Raleigh Orthopaedic after receiving a breach report on April 30, 2013. OCR’s investigation indicated that Raleigh Orthopaedic violated the Privacy Rules by releasing the x-ray films and related protected health information of 17,300 patients to an entity that promised to transfer the images to electronic media in exchange for harvesting the silver from the x-ray films. Raleigh Orthopaedic failed to execute a business associate agreement with this entity before turning over the x-rays and PHI.

OCR says this sharing of the x-ray files and other protected health information by Raleigh Orthopaedic violated the Privacy Rules.

Specifically, the Privacy Rules prohibit Covered Entities and their business associates from using, accessing and disclosing protected health information except as specifically permitted in the Privacy Rules. As part of these rules, the “Business Associate” requirements of the Privacy Rule prohibit Covered Entities from disclosing or allowing business associates to use, and business associates from receiving or using protected health information unless the parties first enter into a written business associate agreement that complies with the requirements of the Privacy Rules.

The Resolution Agreement settles OCR charges that Raleigh Orthopaedic violated this Business Associate Agreement requirement by sharing the x-rays and other protected health information with the service provider without first entering a business associate agreement. Under the Settlement Agreement, Raleigh Orthopaedic must pay a $750,000 payment, as well as revise its policies and procedures to: establish a process for assessing whether entities are business associates; designate a responsible individual to ensure business associate agreements are in place prior to disclosing PHI to a business associate; create a standard template business associate agreement; establish a standard process for maintaining documentation of a business associate agreements for at least six (6) years beyond the date of termination of a business associate relationship; and limit disclosures of PHI to any business associate to the minimum necessary to accomplish the purpose for which the Covered Entity hires the business associate.

Although the Resolution Agreement only addresses charges OCR brought against the Covered Entity, Raleigh Orthopaedic, business associates need to keep in mind that both Covered Entities and business associates now are responsible for ensuring compliance with the business associate agreement requirements of the Privacy Rules since the Stimulus Bill amended HIPAA to make most provisions of the Privacy Rule directly applicable to business associates as well as Covered Entities.

Take Aways For Covered Entities & Their Business Associates

OCR’s announcement of the Resolution Agreement includes a strong message for other Covered Entities and business associates of the importance of taking seriously their responsibility under the Privacy Rule to ensure that the business associate agreement requirements of the Privacy Rule are met before business associates are allowed to receive, access or use protected health information. The announcement quotes Jocelyn Samuels, Director of the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) as stating. “It is critical for entities to know to whom they are handing PHI and to obtain assurances that the information will be protected.” and “HIPAA’s obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise.”

In light of the Business Associate Rule and Director Samuels’ comments, Covered Entities and business associates alike should review the adequacy of their documentation, policies and practices regarding dealings with service providers who are or could collect, receive or use electronic or other protected health information to propose or perform services in the capacity as a business associate. Certainly both Covered Entities and business associates to ensure that they possess and are able to produce if needed signed business associate agreements for each current business associate agreement as well as that appropriate policies, practices and procedures are in place to ensure that all required business associate agreements are implemented before any disclosure or use of protected health information to the business associate in the future. As part of these activities, both Covered Entities and business associates also should ensure their policies and practices appropriately provide for the retention of signed copies of all business associate agreements and other records, and the implementation of all other processes and procedures required to position the entity to be able to demonstrate it not only had policies requiring compliance, but appropriately implemented and administered those policies in accordance with the Privacy Rule.

When conducting this review, Covered Entities and business associates also generally should consider the advisability of also reviewing their business associate agreements and the adequacy of these arrangements in light of any other contractual confidentiality and or contractual rights and commitments, regulatory requirements and other operational and risk management concerns that impact or interrelate with the relationship between the business associate and the Covered Entity. It is important to ensure that appropriate steps are taken to evaluate and properly integrate the confidentiality and other commitments that the Privacy Rules mandate a business associate agreement include with audit, performance assessment, and other data access or disclosure, trade secrets, confidentiality, performance standards and guarantees, indemnity and other contractual obligations of other agreements that could impact or be impacted by the business associate agreements. Steps also should be taken to incorporate appropriate processes and procedures for ensuring that the Covered Entity and members of its workforce understand and consistently administer and document their use of appropriate processes to ensure that the business associate agreement and other requirements of the Privacy Rules are fulfilled. In the case of employer sponsored plans subject to the Employee Retirement Income Security Act of 1974, for instance, the selection and proper oversight of business associates and the management of plan data both are subject to the fiduciary responsibility rules of ERISA. Meanwhile, insurers, business associates and other plan vendors also generally should anticipate that beyond HIPAA, they also may be subject to data security, privacy and other mandates and exposures under state HIPAA-like rules for protected health information, as well as other obligations under insurance, data security, identity theft, breach, privacy and other state laws.

The process of evaluating the adequacy of current arrangement and considering the advisability of changes to tighten existing practices in many cases will result in the discovery and discussion of potentially sensitive information about the adequacy of current or past compliance with the Privacy Rules or other matters. For example, it is possible that in the course of review, parties may be unable to locate a signed business associate agreement governing a relationship that the Privacy Rules require be subject to a business associate agreement or in the course of review, information indicating breaches of protected health information or other Privacy Rule violations may have occurred. For this reason, most Covered Entities and their business associates will want to consider arranging for this review and analysis to be conducted within the scope of attorney-client privilege by or under the direction of qualified legal counsel with HIPAA experience that has entered into a business associate agreement with the Covered Entity or business associate.

About The Author

The author of this update,Cynthia Marcotte Stamer, is a noted Texas-based management lawyer and consultant, author, lecturer and policy advocate, recognized as among the “Top Rated Labor & Employment Lawyers in Texas” by LexisNexis® Martindale-Hubbell® and as among the “Best Lawyers In Dallas” for her work in the field of “Tax: Erisa & Employee Benefits” and “Health Care” by D Magazine who works, writes and speaks extensively about HIPAA and other data privacy and security concerns.

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer’s legal and management consulting work throughout her career has focused on helping health industry, insurance and other organizations and their management use the law and process to manage people, process, compliance, operations and risk. Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer helps public and private, domestic and international businesses, governments, and other organizations and their leaders manage their employees, vendors and suppliers, and other workforce members, customers and other’ performance, compliance, compensation and benefits, operations, risks and liabilities, as well as to prevent, stabilize and cleanup workforce and other legal and operational crises large and small that arise in the course of operations.

Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization, Ms. Stamer helps health industry and other organizations manage. Ms. Stamer works with businesses and their management, employee benefit plans, governments and other organizations deal with all aspects of human resources and workforce management operations and compliance. She supports her clients both on a real time, “on demand” basis and with longer term basis to deal with daily performance management and operations, emerging crises, strategic planning, process improvement and change management, investigations, defending litigation, audits, investigations or other enforcement challenges, government affairs and public policy. Well-known for her extensive work with health care, insurance and other highly regulated entities on corporate compliance, internal controls and risk management, her clients range from highly regulated entities like employers, contractors and their employee benefit plans, their sponsors, management, administrators, insurers, fiduciaries and advisors, technology and data service providers, health care, managed care and insurance, financial services, government contractors and government entities, as well as retail, manufacturing, construction, consulting and a host of other domestic and international businesses of all types and sizes. Common engagements include internal and external workforce hiring, management, training, performance management, compliance and administration, discipline and termination, and other aspects of workforce management including employment and outsourced services contracting and enforcement, sentencing guidelines and other compliance plan, policy and program development, administration, and defense, performance management, wage and hour and other compensation and benefits, reengineering and other change management, internal controls, compliance and risk management, communications and training, worker classification, tax and payroll, investigations, crisis preparedness and response, government relations, safety, government contracting and audits, litigation and other enforcement, and other concerns.

A Fellow in the American College of Employee Benefit Counsel, Ms. Stamer also brings to the table extensive knowledge and experience to help employers and other employee benefit plan sponsors; health, pension and other employee benefit plans, their fiduciaries, administrators and service providers, insurers, and others design legally compliant, effective compensation, health and other welfare benefit and insurance, severance, pension and deferred compensation, private exchanges, cafeteria plan and other employee benefit, fringe benefit, salary and hourly compensation, bonus and other incentive compensation and related programs, products and arrangements. She is particularly recognized for her leading edge work, thought leadership and knowledgeable advice and representation on the design, documentation, administration, regulation and defense of a diverse range of self-insured and insured health and welfare benefit plans including private exchange and other health benefit choices, health care reimbursement and other “defined contribution” limited benefit, 24-hour and other occupational and non-occupational injury and accident, ex-patriate and medical tourism, onsite medical, wellness and other medical plans and insurance benefit programs as well as a diverse range of other qualified and nonqualified retirement and deferred compensation, severance and other employee benefits and compensation, insurance and savings plans, programs, products, services and activities. As a key element of this work, Ms. Stamer works closely with employer and other plan sponsors, insurance and financial services companies, plan fiduciaries, administrators, and vendors and others to design, administer and defend effective legally defensible employee benefits and compensation practices, programs, products and technology. She also continuously helps employers, insurers, administrative and other service providers, their officers, directors and others to manage fiduciary and other risks of sponsorship or involvement with these and other benefit and compensation arrangements and to defend and mitigate liability and other risks from benefit and liability claims including fiduciary, benefit and other claims, audits, and litigation brought by the Labor Department, IRS, HHS, participants and beneficiaries, service providers, and others. She also assists debtors, creditors, bankruptcy trustees and others assess, manage and resolve labor and employment, employee benefits and insurance, payroll and other compensation related concerns arising from reductions in force or other terminations, mergers, acquisitions, bankruptcies and other business transactions including extensive experience with multiple, high-profile large scale bankruptcies resulting in ERISA, tax, corporate and securities and other litigation or enforcement actions.

Throughout her career, Ms. Stamer has advised these and other clients about health care, health plan, financial information, trade secret, privacy and other related compliance, data breach response and remediation and related compliance, risk management and related concerns. In the course of this work, Ms. Stamer has accumulated an impressive resume of experience advising and representing clients on HIPAA and other privacy and data security concerns. The scribe for the American Bar Association (ABA) Joint Committee on Employee Benefits annual agency meeting with the Department of Health & Human Services Office of Civil Rights for several years, Ms. Stamer has worked extensively with health plans, health care providers, health care clearinghouses, their business associates, employer and other sponsors, banks and other financial institutions, and others on risk management and compliance with HIPAA and other information privacy and data security rules, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and enforcement, and a host of other related concerns. Her clients include public and private health plans, health insurers, health care providers, banking, technology and other vendors, and others.

Beyond advising these and other clients on privacy and data security compliance, risk management, investigations and data breach response and remediation and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. She also is the author of numerous highly acclaimed publications, workshops and tools for HIPAA or other compliance including training programs on Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.

Ms. Stamer also is deeply involved in helping to influence the Affordable Care Act and other health care, pension, social security, workforce, insurance and other policies critical to the workforce, benefits, and compensation practices and other key aspects of a broad range of businesses and their operations. She both helps her clients respond to and resolve emerging regulations and laws, government investigations and enforcement actions and helps them shape the rules through dealings with Congress and other legislatures, regulators and government officials domestically and internationally. A former lead consultant to the Government of Bolivia on its Social Security reform law and most recognized for her leadership on U.S. health and pension, wage and hour, tax, education and immigration policy reform, Ms. Stamer works with U.S. and foreign businesses, governments, trade associations, and others on workforce, social security and severance, health care, immigration, privacy and data security, tax, ethics and other laws and regulations. Founder and Executive Director of the Coalition for Responsible Healthcare Policy and its PROJECT COPE: the Coalition on Patient Empowerment and a Fellow in the American Bar Foundation and State Bar of Texas, Ms. Stamer annually leads the Joint Committee on Employee Benefits (JCEB) HHS Office of Civil Rights agency meeting and other JCEB agency meetings. She also works as a policy advisor and advocate to many business, professional and civic organizations.

Author of the thousands of publications and workshops these and other employment, employee benefits, health care, insurance, workforce and other management matters, Ms. Stamer also is a highly sought out speaker and industry thought leader known for empowering audiences and readers. Ms. Stamer’s insights on employee benefits, insurance, health care and workforce matters in Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, Modern Healthcare, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, InsuranceThoughtLeadership.com and many other prominent publications. Ms. Stamer also regularly serves on the faculty and planning committees for symposia of LexisNexis, the American Bar Association, ALIABA, the Society of Employee Benefits Administrators, the American Law Institute, ISSA, HIMMs, and many other prominent educational and training organizations and conducts training and speaks on these and other management, compliance and public policy concerns. She will share updates on HIPAA and other health care and data security concerns when returns to speak and chair at the 4th Annual Healthcare Privacy and Security Forum scheduled on May 20, 2016 in Los Angeles.

Beyond these involvements, Ms. Stamer also is active in the leadership of a broad range of other professional and civic organizations. For instance, Ms. Stamer presently serves on an American Bar Association (ABA) Joint Committee on Employee Benefits Council representative; Vice President of the North Texas Healthcare Compliance Professionals Association; Immediate Past Chair of the ABA RPTE Employee Benefits & Other Compensation Committee, its current Welfare Benefit Plans Committee Co-Chair, on its Substantive Groups & Committee and its incoming Defined Contribution Plan Committee Chair and Practice Management Vice Chair; Past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and a current member of its Healthcare Coordinating Council; current Vice Chair of the ABA TIPS Employee Benefit Committee; the former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division; on the Advisory Boards of InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications. She also previously served as a founding Board Member and President of the Alliance for Healthcare Excellence, as a Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; the Board President of the early childhood development intervention agency, The Richardson Development Center for Children; Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee; a member of the Board of Directors of the Southwest Benefits Association. For additional information about Ms. Stamer, see here or contact Ms. Stamer directly by email cstamer@solutionslawyer.net or by telephone at (469) 767-8872.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested reviewing other Solutions Law Press, Inc.™ resources at www.solutionslawpress.com such as:

Leave a Comment » | Doctor, Health Care, Health Care Provider, HIPAA, HIPAA Cyber Crime, Physician, Uncategorized | Tagged: Assisted Living, clinic, Data Breech, Data Security, Doctor, Health Care, Health Care Clinic, healthcare, HIPAA, Medical Privacy, Nurse, Office of Civil Rights, PHI, Physician, Privacy, Protected Health Information, Radiology, Skilled Nursing | Permalink
Posted by Cynthia Marcotte Stamer

New CDC Guidance on Opioid Prescribing

March 16, 2016

Responding to growing concern about widespread over prescription opioids, the Centers for Disease Control (CDC) has just released a new guidance and other tools the help guide physicians and other prescribers to determine when and how to prescribe opioids to patients.

The lengthy new guidance and support of tools for clinicians for use and prescribing of opioids for their patients available at http://www.cdc.gov/drugoverdose/prescribing/resources.html include:

Detailed new guidelines
“Clinical Tools,” which essentially consist of digested summaries of the detailed guidance and a quick reference checklists; and
“Factsheets” for patients.

As irregularities and other improprieties in the prescription and management of painkillers and other controlled substances are a leading basis of serious discipline of physicians and other clinicians, physicians and other clinicians, clinics and hospitals, pharmacies in pharmacists and other healthcare providers involved in prescribing or supervising patients using or contemplating the use of opioids will want to review and incorporate these guidelines into their practices as soon as possible.

Health plan and other pay yours and the pharmacy benefit manager’s responsible for overseeing and evaluating prescriptions also likely will benefit from reviewing these materials and incorporating them into their practices as soon as possible. Beyond the clinical use of these materials both health plans and healthcare providers likely will want to incorporate or use the fact sheets as communication tools for patients and their families to help educate patients about the proper use, misuse, risks and other relevant information about opioid prescriptions.

About The Author

Cynthia Marcotte Stamer is a practicing attorney and management consultant, author, public policy advocate and lecturer widely recognized for her extensive work and pragmatic thought leadership, experience, publications and training on HIPAA and other privacy, medical records and data and other health care and health plan concerns.

Recognized as “LEGAL LEADER™ Texas Top Rated Lawyer” in both Health Care Law and Labor and Employment Law, a “Texas Top Lawyer,” an “AV-Preeminent” and “Top Rated Lawyer” by Martindale-Hubble and as among the “Best Lawyers In Dallas” in employee benefits 2015 by D Magazine; Ms. Stamer has more than 28 years of extensive proven, pragmatic knowledge and experience representing and advising health industry clients and others on operational, regulatory and other compliance, risk management, product and process development, public policy and other key concerns.

Beyond her extensive involvement advising and defending clients on these matters, Ms. Stamer also has served for several years as the scrivener for the ABA JCEB’s meeting with OCR for many years. She returns as Chair of the Southern California ISSA Health Care Privacy & Security Summit for the third year in 2016, as well as speaks and serves on the steering committee of a multitude of other programs.

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares shared her thought leadership, experience and advocacy on HIPAA and other concerns by her service in the leadership of a broad range of other professional and civic organization including her involvement as the Vice Chair of the North Texas Healthcare Compliance Association, Executive Director of the Coalition on Responsible Health Policy and its PROJECT COPE; Coalition on Patient Empowerment, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children; former Board Compliance Chair and Board member of the National Kidney Foundation of North Texas, current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, immediate past RPTE Representative to ABA Joint Committee on Employee Benefits Council Representative and current RPTE Representative to the ABA Health Law Coordinating Counsel, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, a former member of the Board of Directors of the Southwest Benefits Association and others.

Ms. Stamer also is a highly popular lecturer, symposia chair and author, who publishes and speaks extensively on health and managed care industry, human resources, employment and other privacy, data security and other technology, regulatory and operational risk management. Examples of her many highly regarded publications on these matters include “Protecting & Using Patient Data In Disease Management: Opportunities, Liabilities And Prescriptions,” “Privacy Invasions of Medical Care-An Emerging Perspective,” “Cybercrime and Identity Theft: Health Information Security: Beyond HIPAA,” as well as thousands of other publications, programs and workshops these and other concerns for the American Bar Association, ALI-ABA, American Health Lawyers, Society of Human Resources Professionals, the Southwest Benefits Association, the Society of Employee Benefits Administrators, the American Law Institute, Lexis-Nexis, Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, the HCCA, ISSA, HIMSS, Modern Healthcare, Managed Healthcare, Institute of Internal Auditors, Society of CPAs, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other symposia and publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, InsuranceThoughtLeadership.com and many other prominent publications and speaks and conducts training for a broad range of professional organizations and for clientson the Advisory Boards of InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications. For additional information about Ms. Stamer, see CynthiaStamer.com or the Stamer│Chadwick │Soefje PLLC or contact Ms. Stamer via email to here or via telephone to (469) 767-8872.

About Solutions Law Press, Inc.™

Leave a Comment » | Controlled Substances, Uncategorized | Tagged: Controlled Substances, healthcare, HIPAA, Hospital, Medical Privacy, OCR, PHI, Physician, Privacy | Permalink
Posted by Cynthia Marcotte Stamer

3/30 Webex Shares Latest On Security, Patient Access & Other HIPAA Developments

March 9, 2016

Solutions Law Press, Inc. ™ Invites You To A Special WebEx Briefing

HIPAA Update: The Latest On Security, Patient Access & Other HIPAA Developments

Wednesday, March 30, 2016

1:00 P.M.-2:00 P.M. Eastern | 12:00 P.M.-1:00 P.M. Central 11:00 A.M-12:00 P.M. Mountain | 10:00 A.M-11:00 A.M. Pacific

Health care providers, health plans, health care clearinghouses and their business associates (Covered Entities) face new imperatives to review and tighten their practices to ensure their practices comply with recently released guidance from the U.S. Department of Health & Human Services Office of Civil Rights (OCR)) emphasizing and clarifying the responsibilities of health care providers, health plans and the healthcare clearinghouses under the Health Insurance Portability & Accountability Act of 1996 (HIPAA) to provide access to individuals that are the subject of protected health information or “PHI” to access or copies of their PHI in accordance with HIPAA’s rules and other recent HIPAA guidance and enforcement. With OCR’s recent release of added guidance and OCR enforcement statistics continuing to show HIPAA access rule violations among the most common HIPAA violations and OCR stepping up HIPAA enforcement, health care providers, health plans, healthcare clearinghouses can expect heightened scrutiny and enforcement of these requirements. Additionally, Covered Entities also should evaluate the adequacy of their other practices in light of other recent OCR guidance and enforcement actions.

Solutions Law Press, Inc.™ invites to catch up on the latest guidance on HIPAA’s requirements to provide access to patients to PHI by registering here to participate in the Solutions Law Press, Inc.™ “HIPAA Update: The Latest On Security, Patient Access & Other HIPAA Developments” WebEx briefing from Cynthia Marcotte Stamer on Friday, March 18, 2016. During the Briefing, Ms. Stamer will provide participants with:

√ An update on OCR enforcement actiions and guidance over past 12 months

√ A detailed discussion of OCR’s new guidance about when Covered Entities must provide PHI access or copies to patients

√ Discuss rules and best practices for verifying the identity and credentials of an individual requesting PHI as a patient or personal representative of a patient

√ Share tips for contracting and dealing with business associates to facilitate administration of patient PHI access and security compliance activities

√ Share other practical considerations & best practices for compliance and risk management

√ Respond to participant questions on a time permitting basis

√ More

ABOUT THE SPEAKER

Recognized as “Legal Leader™ Texas Top Rated Lawyer” in both Health Care Law and Labor and Employment Law, a “Texas Top Lawyer,” and an “AV-Preeminent” and “Top Rated Lawyer” by Martindale-Hubble, singled out as among the “Best Lawyers In Dallas” in employee benefits 2015 by D Magazine;, Cynthia Marcotte Stamer is a practicing attorney and management consultant, author, public policy advocate and lecturer widely recognized for her more than 28 years extensive work and pragmatic thought leadership, experience, publications and training on HIPAA and other privacy, medical records and data and other health care, health plan and employee benefits, workforce and related regulatory and other compliance, performance management, risk management, product and process development, public policy and other key operational concerns.

As a core component of her work as the Managing Shareholder of Cynthia Marcotte Stamer, PC, the Co-Managing Member of Stamer Chadwick Soefje PLLC, Ms. Stamer has worked extensively throughout her nearly 30 year career with health care providers, health plans, health care clearinghouses, their business associates, employers, banks and other financial institutions, their technology and other vendors and service providers, and others on legal and operational risk management and compliance including extensive involvement with HIPAA, FACTA, PCI, trade secret, physician and other medical confidentiality and privacy, federal and state data security and data breach and other information privacy and data security rules and concerns; prevention, investigation, response, mitigation and resolution of known or suspected data or privacy breaches or other incidents; defending investigations or other actions by plaintiffs, OCR, FTC, state attorneys’ general and other federal or state agencies; reporting and redressing known or suspected breaches or other violations; business associate and other contracting; insurance or other liability management and allocation; process and product development, contracting, deployment and defense; evaluation, commenting or seeking modification of regulatory guidance, and other regulatory and public policy advocacy; training and discipline; enforcement, and a host of other related concerns for public and private health care providers, health insurers, health plans, technology and other vendors, employers, and others. Ms. Stamer also has worked extensively domestically and internationally on public policy and regulatory advocacy on HIPAA and other privacy and data security risks and requirements as well as a broad range of other health, employee benefits, human resources, insurance, tax, compliance and other matters and representing clients in dealings with the US Congress, Departments of Labor, Treasury, Health & Human Services, Federal Trade Commission, HUD and Justice, as well as a state legislatures attorneys general, insurance, labor, worker’s compensation, and other agencies and regulators as well supports clients in defending litigation as lead strategy counsel, special counsel and as an expert witness.

Beyond her extensive involvement advising and defending clients on these matters, Ms. Stamer also has served as the scrivener for the ABA JCEB’s meeting with OCR on HIPAA for many years. She returns as Chair of the Southern California ISSA Health Care Privacy & Security Summit for the third year in 2016, as well as speaks and serves on the steering committee of a multitude of other programs.

Ms. Stamer also is a highly popular lecturer, symposia chair and author, who publishes and speaks extensively on health and managed care industry, human resources, employment and other privacy, data security and other technology, regulatory and operational risk management. Examples of her many highly regarded publications on these matters include “Protecting & Using Patient Data In Disease Management: Opportunities, Liabilities And Prescriptions,” “Privacy Invasions of Medical Care-An Emerging Perspective,” “Cybercrime and Identity Theft: Health Information Security: Beyond HIPAA,” as well as thousands of other publications, programs and workshops these and other concerns for the American Bar Association, ALI-ABA, American Health Lawyers, Society of Human Resources Professionals, the Southwest Benefits Association, the Society of Employee Benefits Administrators, the American Law Institute, Lexis-Nexis, Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, the HCCA, ISSA, HIMSS, Modern Healthcare, Managed Healthcare, Institute of Internal Auditors, Society of CPAs, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other symposia and publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, InsuranceThoughtLeadership.com and many other prominent publications and speaks and conducts training for a broad range of professional organizations and for clients, serves on the faculty and planning committee of many workshops, seminars, and symposia, and on the Advisory Boards of InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications. For additional information about Ms. Stamer, see CynthiaStamer.com or the Stamer│Chadwick │Soefje PLLC or contact Ms. Stamer via email to here or via telephone to (469) 767-8872.

REGISTRATION & PROGRAM DETAILS

Registration Fee per course is $75.00 per person. Registration Fee Discounts available for groups of three or more participants from the same organization. Limited opportunities for participation. Registration accommodated on a first come basis. Completed registration and payment required via website registration 48 hours in advance of the program. No checks or cash accepted. Persons not registered with completed payment at least 48 hours in advance will only participate subject to availability and completed registration and payment. Payment only accepted via website PayPal. Register Here!

The Webex will be conducted over the internet. Participants will receive access code and instructions for sign on to participate in the Webex and/or dial in to participate in the program via telephone after processing of completed registration. Participants must have access to a computer with internet access and to telephone access to dial in via telephone to participate in the program. Solutions Law Press, Inc. is not responsible for any interruption or interference in participation resulting from limitations in the internet connectivity, computer, telephone or other equipment used by the participant to access and participate in the program.

ABOUT SOLUTIONS LAW PRESS, INC.™

Solutions Law Press, Inc.™ provides business and management information, tools and solutions, training and education, services and support to help organizations and their leaders better anticipate legal and operational issues impacting their organization’s performance, regulatory compliance and risk management, data and information protection and risk management and other key management objectives. Solutions Law Press, Inc.™ also conducts and assist businesses and associations to design, present and conduct customized programs and training targeted to their specific audiences and needs. For additional information about upcoming programs, to inquire about becoming a presenting sponsor for an upcoming event, e-mail your request to info@Solutionslawpress.com. These programs, publications and other resources are provided only for general informational and educational purposes, the applicability of which to any particular circumstances may be impacted by legal changes, the specific facts and circumstances or other factors. Consequently, neither the distribution or presentation of these programs and materials to any party nor any statement or information provided in or in connection with this communication, the program or associated materials are not intended to or shall not be construed as establishing an attorney-client relationship, to constitute legal advice or a substitute for legal advice, or otherwise provide any assurance or expectation from Solutions Law Press, Inc., the presenter or any related parties that any participant or any other party can rely upon the information or any statements presented herein. If you or someone else you know would like to receive future Alerts or other information about developments, publications or programs or other updates, send your request to info@solutionslawpress.com. If you would prefer not to receive communications from Solutions Law Press, Inc. send an e-mail with “Solutions Law Press Unsubscribe” in the Subject to support@solutionslawyer.net. CIRCULAR 230 NOTICE: The following disclaimer is included to comply with and in response to U.S. Treasury Department Circular 230 Regulations. ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN. If you are an individual with a disability who requires accommodation to participate, please let us know at the time of your registration so that we may consider your request. ©2016 Solutions Law Press, Inc.

Leave a Comment » | Academic medicine, Ambulatory care, ASC, Childrens Health Insurance Program, Clinical pathway, Conditions of Participation, Consumer Driven Health Care, data breach, data security, DEA, Disease Management, DME, Doctor, drug treatment, E-Prescribing, Electronic Health Records, Electronic Medical Records, Employee Benefits, Employer, FACTA, Federal Health Center, Federal Sentencing Guidelines, Genetic Information, GINA, Health Care, Health Care Provider, Health Care Quality, health care reimbursement, Health IT, Health Plan, Health Plans, HIPAA, HIPAA Cyber Crime, HITECH Act, Home Health, Hospice, Hospital, hospitals, Indian Health, Inpatient Rehabilitation, Inpatient Rehabilitation Facility, managed care, Meaningful Use, Medicare Advantage, Mental Heatlh, OCR, Outpatient, Peer Review, Pharmacy, Physician, Privacy, Psychiatric, substance abuse treatment, Technology, Telemedicine, Wellness | Tagged: Breach Notification, Data Breech, Employer, GINA, Health Care, Health insurer, Health Plan, Health Plans, HIPAA, HIPAA Privacy, HIPAA Security, Hospital, Medical Privacy, PHI, Physician, Protected Health Information | Permalink
Posted by Cynthia Marcotte Stamer

Providers Get More Flexibility To Report Mental Health Patients To Gun Data Base Under New Privacy Rule

January 6, 2016

As part of the broader series of regulatory and executive actions that President Obama says the Obama Administration is taking in hopes of deterring gun violence, the Department of Health & Human Service Office of Civil Rights (“OCR”) is amending the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule applicable to health care providers, health plans, healthcare clearinghouses and their business associates (hereafter, collectively “Covered Entities”) to expressly permit some (not all) HIPAA-Covered Entities to disclose the identities of and certain other protected health information (PHI) of individuals with certain mental health conditions that would disqualify the individual from having a firearm under Federal law.

“The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and the National Instant Criminal Background Check System (NICS): Final Rule” (“Final Rule”) scheduled for official publication in the Federal Register today (January 6, 2016).

The adoption of the Final Rule provides more latitude for some by not all health care providers covered by HIPAA to report for listing on the NICS patients with gun ownership disqualifying mental health histories under the Brady Handgun Violence Prevention Act of 1993, Pub. L. 103-159 (Brady Gun Law), and its implementing regulations.

However, an analysis of a prepublication copy of the Final Rule available for review here reveals that while the Final Rule will provide greater latitude for some Covered Entities to disclose the identify and other specified PHI to the NICS data base, Covered Entities contemplating making such disclosures should conduct a careful, well-documented analysis of the proposed report to ensure that the disclosure fulfills each of the requirements to qualify as allowed by the Final Rule.

The NICS reporting and other requirements of the Brady Gun Law and the Gun Control Act of 1968, as amended (Title 18, United States Code, Chapter 44), certain individuals from owning, and licensed dealers from selling or otherwise transferring firearms to certain categories of individuals referred to as “prohibitors” including felons and, most relevant for the Final Rule, “mental health prohibitors.”

Under the Department of Justice (DOJ) regulations, a “mental health prohibitors” are defined as individuals who have been involuntarily committed to a mental institution, for reasons such as mental illness or drug use; found incompetent to stand trial or not guilty by reason of insanity; or otherwise determined by a court, board, commission, or other lawful authority to be a danger to themselves or others or unable to manage their own affairs, as a result of marked subnormal intelligence, or mental illness, incompetency.

Prior to the adoption of the Final Rule, many health care providers have cited the HIPAA Privacy Rule as a deterrent to their reporting patients whose mental health history would qualify the patients as mental health prohibitors to the NICS. The HIPAA Privacy Rule, establishes federal protections to ensure the privacy and security of protected health information (PHI) and establishes an array of individual rights with respect to one’s own health information by providing that Covered Entities may only use and disclose individually identifiable health care information considered “protected health information” for purposes of HIPAA (“PHI” with the individual’s written authorization, or as otherwise expressly permitted or required by the HIPAA Privacy Rule.

As interpreted by OCR prior to its adoption of the Final Rule, a health care provider or other Covered Entity generally could not rely upon exceptions from the Privacy Rule for disclosures to law enforcement or for safety to exempt the report from HIPAA’s prohibitions against disclosure of PHI where the record of an involuntary commitment or mental health adjudication originated with a HIPAA covered entity, or the HIPAA covered entity is the State repository for such records. Rather, OCR interpreted the Privacy Rule as providing only three possible ways in which Covered Entities generally could report to the NICS (without the individual’s authorization):

The patient authorized the disclosure in accordance with the HIPAA Privacy Rule;
Where a State enacted a law that requires (and does not merely authorize) such reporting; or
Where no such state law exists, a HIPAA covered entity that performs both health care and non-health care functions (e.g., NICS reporting) could become a hybrid entity under HIPAA so that the Privacy Rule applies only to its health care functions and then report the prohibitor information through its non-HIPAA covered NICS reporting unit without restriction under the Privacy Rule.

OCR’s adoption of the Final Rule implements changes that it previously proposed in 2013 as part of a series of 23 executive actions President Obama proposed in 2013 aimed at curbing gun violence across the nation. OCR says its adoption of the Final Rule is an important step to improving public safety by better enabling the reporting of the identities of prohibited individuals to the background check system “while continuing to strongly protect individuals’ privacy interests.”

While preserving these options, the Final Rule expands the authority of health care providers and other Covered Entities to report a mental health prohibitor to the NICS data bank by creating a specific NICS reporting disclosure exception to the HIPAA Privacy Rule’s general prohibitions against disclosures of PHI without authorization in Privacy Rule § 164.512(k)(7).

Health care providers and other Covered Entities considering making NICS reports about the mental health history of individuals that qualifies as PHI should proceed with caution. The Final Rule only authorizes NICS disclosures of PHI for a small subset of HIPAA Covered Entities that either make the mental health determinations that disqualify individuals from having a firearm or are designated by their States to report this information to NICS. The rule does not apply to most treating providers.

Under the Final Rule, a Covered Entity may use or disclose PHI for purposes of reporting to the National Instant Criminal Background Check System the identity of an individual who is prohibited from possessing a firearm as a mental health prohibitor under 18 U.S.C. 922(g)(4), if the Covered Entity:

Is a State agency or other entity that is, or contains an entity that is either
- An entity designated by the State to report, or which collects information for purposes of reporting, on behalf of the State, to the National Instant Criminal Background Check System; or
- A court, board, commission, or other lawful authority that makes the commitment or adjudication that causes an individual to be a mental health prohibitor; and
Discloses the information only to:
- The National Instant Criminal Background Check System; or
- An entity designated by the State to report, or which collects information for purposes of reporting, on behalf of the State, to the National Instant Criminal Background Check System; and
Discloses only the limited demographic and certain other information needed for purposes of reporting to the National Instant Criminal Background Check System; and
Does not disclose diagnostic or clinical information for such purposes.

Health care providers contemplating making or the need to consider making NICS reports about persons with mental health treatment histories need to proceed cautiously as even following the adoption of the Final Rule, the health care provider should anticipate the need to manage a number of risks under HIPAA and otherwise. Obviously, since disclosure of PHI in a NICS report or otherwise exposes health care providers and other Covered Entities to civil penalties, criminal prosecution, licensing board or other disciplinary actions as well as a host of other adverse consequences, a health care provider or other Covered Entity contemplating making a NICS disclosure under the Final Rule or any other disclosure of PHI will want to ensure the all requirements to make the use or disclosure permitted under the Privacy Rule are met.

Beyond these HIPAA considerations, since the disclosures specifically relate to individuals suffering mental illness, health care providers or other Covered Entities also should take steps to mitigate their potential exposures to potential charges of disability discrimination which if not properly managed, could trigger civil sanctions by OCR under its disability discrimination rules, limitation or exclusion from Medicare or other federal program participation, law suits and other liabilities.

In addition, Covered Entities also will want to consider and manage the foreseeable challenges and exposures that could arise from the disclosure under medical malpractice, licensing board, ethics, confidentiality and other applicable federal and state laws and regulations

In light of these and other risks, health care providers or other Covered Entities contemplating making or facing the need to consider making a NICS report should consider, among other things engaging the assistance of qualified legal counsel experienced with HIPAA and these other matters to assist and advise them about:

Reviewing their existing policies and procedures in light of the Final Rule, as well as their state’s current policies regarding the permissibility or requirement to make NICS reports;
Updating their written privacy practices and notices of their privacy practices to allow the NICS report in accordance with the Final Rule
Ensuring that the updated privacy notices are distributed going forward to patients and posted on their websites, in their facilities as required to comply with the Privacy Rule;
Exercising care both to verify that all requirements of the Final Rule (or the other alternatives for allowing disclosure) are met and to preserve documentation of this analysis in the event of a future complaint or investigation;
Reviewing and adopting additional protocols to manage potential mental health disability discrimination exposures under federal and state disability or other discrimination and laws; and
Considering and implementing other processes to manage foreseeable malpractice, breach of medical confidentiality, licensing or ethical requirements or other risks that could result from such disclosures.

For More Information Or Assistance

The author of this update, attorney Cynthia Marcotte Stamer, has extensive experience representing and advising health industry clients and others on these and other regulatory, risk management, public policy and operations matters.

Recognized as a “Top Lawyer” and “Legal Leader” in Healthcare Law, Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, Board Certified in Labor & Employment Law, and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 28 years’ experience advising health industry clients about these and other matters. Her experience includes advising hospitals, nursing home, home health, rehabilitation and other health care providers and health industry clients to establish and administer compliance and risk management policies; prevent, conduct and investigate, and respond to peer review and other quality concerns; and to respond to Board of Medicine, Department of Aging & Disability, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. The scribe for the American Bar Association (ABA) Joint Committee on Employee Benefits annual agency meeting with the Department of Health & Human Services Office of Civil Rights, Ms. Stamer has worked extensively with health care providers, health plans, health care clearinghouses, their business associates, employers, banks and other financial institutions, and others on risk management and compliance with HIPAA and other information privacy and data security rules, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and enforcement, and a host of other related concerns. Her clients include public and private health care providers, health insurers, health plans, technology and other vendors, and others. In addition to representing and advising these organizations, she also has conducted training on Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.

A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her insights on these and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. You can get more information about her health industry experience here. If you need assistance responding to concerns about the matters discussed in this publication or other health care concerns, wish to obtain information about arranging for training or presentations by Ms. Stamer, wish to suggest a topic for a future program or update, or wish to request other information or materials, please contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns.

Other Helpful Resources & Other Information.

We hope that this information is useful to you. If you found these updates of interest, you also be interested in other recent Solutions Law Press, Inc. training, articles and resources. You can see more articles from this Health Care Update electronic publication, the Coalition for Responsible Health Care Reform electronic publication, our electronic HR & Benefits Update and other publications like the following and get information about training and other resources at www.Solutionslawpress.com:

You also can get access to information about how you can arrange for training on “Building Your Family’s Health Care Toolkit,” using the “PlayForLife” resources to organize low-cost wellness programs in your workplace, school, church or other communities, and other process improvement, compliance and other training and other resources for health care providers, employers, health plans, community leaders and others here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail by creating or updating your profile here. You can access other recent updates and other informative publications and resources here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. For important information concerning this communication see here. THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS. ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.

Leave a Comment » | Brady Bill, Gun Control, HIPAA, Mental Health, Psychiatric, Second Amendment, Uncategorized | Tagged: Chemical Dependency, Gun Control, Health Care, Medical Confidentiality, Medical Privacy, Mental Health, Obama, Physician, Privacy, Protected Health Information, Psych, psychiatric | Permalink
Posted by Cynthia Marcotte Stamer

Use Free Cyber Security Awareness Month Resources To Boost HIPAA & Other Cyber Security Training & Skills

October 25, 2015

Halloween’s annual celebration of spooks and goblins peak is a perfect time to promote awareness and help American businesses and citizens build their skills to guard against the real and growing menace of identity thieves and other cybercriminals by getting involved with the 12^th annual National Cyber Security Awareness Month (NCSAM) in October, begin preparing to participate in the next annual “Data Privacy Day” on January 28, 2016 and joining in other activities highlighted through NCSAM and Data Privacy Day to help deter Cybercrime and identity theft threats. Even if your organization or family choose not to participate in any official or public way, checking out and using the many free resources provides an invaluable, free opportunity to raise your defenses against this rising menace.

Health care providers and organizations, health plans, and their business associates face special legal and ethical mandates to safeguard “protected health information” and other sensitive patient information under the Privacy & Security Rules of the Health Insurance Portability & Accountability Act (HIPAA), state health care, insurance, medical ethics and licensure, identity theft and other laws. Most health care organizations and providers are sensitive to the need to comply with these requirements as a result of the stiff civil and criminal sanctions associated with violation of these medical privacy and data security requirements and notoriety surrounding stiff sanctions imposed as part of their enforcement, effective operationalization and maintenance of compliance with these rules remains a continuous challenge and only covers a small part of any health care organization’s legal responsibilities and risks. Health care organizations not only must manage their health care specific obligations, but also a host of other concerns like those that apply to other organizations. Getting workforce members, vendors, patients and others to understand and practice good Cyber Security in all aspects of their personal and private lives is key to effective management of all of these risks and responsibilities.

With virtually every American business and citizen now connected to and using the Internet to conduct key personal and business transactions and the constant drive by government and business to digitize regular business transactions, no one agency, business or individual alone can truly know where and who has their sensitive data, much less reliably can defend this data against the identity and other theft and other cybercriminals lurking in the digital world’s virtual streets waiting to strike, then disappear in “Jack The Ripper” style into the darkness of the Internet. That’s why every American and American business in general – and health industry organizations and providers particularly – should take time to participate and urge others to Get Involved in the 12^th Annual NCSAM activities this month and use the supportive resources offered through that involvement throughout the year.

Celebrated annually in October, NCSAM was created to provide resources to help Americans stay safer and more secure online through public-private collaboration between the U.S. Department of Homeland Security and industry led by the National Cyber Security Alliance (NCSA). NCSAM and its associated activities outreach to consumers, small and medium-sized businesses, corporations, educational institutions and young people across the nation. NCSAM 2015 particularly focuses on the consumer and his/her needs regarding cybersecurity and safety continuing the overall message of STOP. THINK. CONNECT. Campaign founded in 2010 and its capstone concepts: “Keep a Clean Machine,” “Protect Your Personal Information,” “Connect with Care,” “Be Web Wise” and “Be a Good Online Citizen.” NCSAM seeks to remind Americans to incorporate “STOP. THINK. CONNECT.” into their online routines and offers resources to help individuals understand and put these principles into practice into their online routine at the home, the office and elsewhere.

Designed to be accessible and understandable by consumers, many business and government organizations may want to support and promote their Cyber Security employee and customer training and awareness efforts by participating annually in NCSAM in October, signing up your organization to Data Privacy Day Champion and/or participating in Data Privacy Day on January 28, 2016, or otherwise using and sharing tips, tools and other resources in the Privacy Library such as:

General Privacy & Cyber Security Awareness

Be A Good Citizen On Line
Protect All Devices
Practice Good Online Safety Habits With These Tips & Advice
Spam & Phishing
Hacked Accounts
Check Your Privacy Settings
Privacy Tips for Teens – A video with STOP. THINK. CONNECT. tips to help teens be privacy-savvy and manage their online reputation.
“Perceptions of Privacy Online and in the Digitally Connected World,” a summary of the results of a 2013-2014 data privacy study conducted by the National Cyber Security Alliance’s Privacy Messaging Development Committee.
Data is Permanent Too – STOP.THINK. is this TMI? A short video created by the Intel Corporation.
Why Privacy Matters – The first in the series of explainers from Zero Knowledge Privacy Foundation.
The Fine Print of Privacy – The second in the series of explainers from Zero Knowledge Privacy Foundation.
“The Right to Fail in Citizenville,” a blog by David Hoffman, Director of Security Policy and Global Privacy Officer, Intel (March, 2013).
The Privacy Engineer’s Manifesto: Getting from Policy to Code to QA to Value, an e-book by McAfee’s Michelle Finneran Dennedy, Jonathan Fox, and Thomas R. Finneran.

Keep a Clean Machine/Cookies & Behavioral Tracking

Malware & Botnets
A video about cookies and why they matter created by the Wall Street Journal.
Information about the Network Advertising Initiative (NAI) offering opt-out of online behavior advertising and provides factual information about online behavioral advertising, privacy, cookies.

Health Privacy

What is HIPAA and Why Should You Care? A Patient’s Guide to HIPAA (Health Insurance Portability and Accountability Act)
Medical Records Privacy from Privacy Rights Clearinghouse
Understanding Health Information Privacy by the U.S. Department of Health and Human Services

Identity Theft Prevention & Clean Up

Links to resources at fraud.org about how to spot a scam, file a complaint and learn about scams.
“ID Theft & Account Fraud – Prevention & Cleanup” a helpful resource provided by Consumer Action offered in numerous languages.
Fighting Back Against Identity Theft and other information for consumers on how to deter, detect and defend against identity theft
IRS resources about how to report phishing.

Mobile App Privacy & Security

“Your Apps Are Watching You,” an investigative report from the Wall Street Journal found popular iPhone and Android apps are collecting and transmitting information without users’ awareness or consent.
Net Safety Tips On The Go app for Android phones app provides quick, practical, friendly advice one tip at a time.
Tips to help protect your privacy when using a mobile device provided by the National Cyber Security Alliance.
Microsoft’s “Location & Privacy: Where are we headed?” and “What Does Your Online Reputation Say About You?”
Protect your personal information while using public Wi-Fi with this video.
10 travel tips for protecting your privacy from PUBLIC WiFi.
Online Services – Banking, Dating & General Guidelines
Don’t Upload Financial Data to Questionable Sources video created by the Intel Corporation
The Perils and Pitfalls of Online Dating: How to Protect Yourself from the Privacy Rights Clearinghouse.
The Google Privacy Channel on YouTube offers a number of short informative videos on privacy issues including: interest-based advertising; use of privacy settings in Google Latitude; advertising privacy; and how to protect your privacy on Google Chrome.

Student & Educational Privacy & Security

I want to each online safety for Grades K-2, Grades 3-5 Middle and High School Higher Education and CSave Volunteer Lesson Plans & Materials
The Protecting Privacy in Connected Learning toolkit is an in-depth, step-by-step guide to navigating the Family Education Rights and Privacy Act (FERPA), the Children’s Online Privacy Protection Act (COPPA) and related privacy issues.
Securing Your Home Network
The Family Educational Rights and Privacy Act, or FERPA, is the main federal law that deals with education privacy, but there are a host of other laws, best practices, and guidelines that are essential to understanding education privacy. FERPA|SHERPA aims to provide service providers, parents, school officials, and policymakers with easy access to those materials to help guide responsible uses of student’s data.
General guidance for parents provided by the department of education Family Educational Rights and Privacy Act (FERPA)
Student Privacy 101: FERPA for parents and students – Ever have questions about your rights regarding education records? This short video highlights the key points of the family education rights and privacy act (FERPA).

Other Resources

About the Author

Cynthia Marcotte Stamer is a practicing attorney and Managing Shareholder of Cynthia Marcotte Stamer, P.C., a member of Stamer│Chadwick │Soefje PLLC, author, pubic speaker, management policy advocate and industry thought leader with more than years’ experience helping business and government organizations and their leaders manage. Ms. Stamer’s legal and management consulting work throughout her 28 plus year career has focused on helping organizations and their management understand and use the law and process to manage people, process, compliance, operations and risk including significant work in the prevention, investigation and remediation of data breach and other Cybercrime events.

Scribe responsible for leading the American Bar Association (ABA) Joint Committee on Employee Benefits (JCEB) annual agency meeting with the Department of Health & Human Services Office of Civil Rights,Scribe responsible for leading the American Bar Association (ABA) Joint Committee on Employee Benefits (JCEB) annual agency meeting with the Department of Health & Human Services Cynthia Marcotte Stamer’s practice has focused on advising and representing government and private technology, security, health care providers, health plans, health, schools and other educational organizations, insurance, banking and financial services, retail, employer and other organizations about privacy and data security compliance and risk management, breach and other investigations and enforcement, workforce and performance management and other risk management, compliance, public policy, regulatory, staffing, and other operations and risk management concerns.

With data and technology use, protection and management imbedded in virtually every aspect of her client’s operations, data and other confidential information and systems use, protection, breach or other abuse investigation and response, enforcement and liability mitigation and defense and other Cybercrime and Cyber Security challenges are a continuous component of Ms. Stamer’s management work. Ms. Stamer helps public and private, domestic and international businesses, governments, and other organizations and their leaders manage their employees, vendors and suppliers, and other workforce members, customers and other’ performance, compliance, compensation and benefits, operations, risks and liabilities, as well as to prevent, stabilize and cleanup workforce, data breach and Cybercrime, and other legal and operational crises large and small that arise in the course of operations. Ms. Stamer regularly helps clients design, administer and defend HIPAA, FACTA, data breach, identity theft and other risk management, compliance and other privacy, data security, confidential information and other data security, technology and management policies and practices affecting their operations. She also helps clients prevent, investigate and mitigate HIPAA, FACTA, PHI and other data breach hacking, identity theft, data breach, data loss or destruction, theft of trade secrets or other sensitive data, spoofing, industrial espionage, insider and other parties misuse of data or technology and other cybercrime and technology use concerns. Best-known for her extensive work helping health care, insurance and other highly regulated entities manage both general employment and management concerns and their highly complicated, industry specific corporate compliance, internal controls and risk management requirements, Ms. Stamer’s clients and experience also includes a broad range of other businesses. Her clients range from highly regulated entities like employers, contractors and their employee benefit plans, their sponsors, management, administrators, insurers, fiduciaries and advisors, technology and data service providers, health care, managed care and insurance, financial services, government contractors and government entities, as well as retail, manufacturing, construction, consulting and a host of other domestic and international businesses of all types and sizes. Common engagements include internal and external privacy and data security compliance, risk management, investigation and remediation, workforce hiring, management, training, performance management, compliance and administration, discipline and termination, and other aspects of workforce management including employment and outsourced services contracting and enforcement, sentencing guidelines and other compliance plan, policy and program development, administration, and defense, performance management, wage and hour and other compensation and benefits, reengineering and other change management, internal controls, compliance and risk management, communications and training, worker classification, tax and payroll, investigations, crisis preparedness and response, government relations, safety, government contracting and audits, litigation and other enforcement, and other legal and operational compliance, risk management, disaster preparedness and response, and liability defense and mitigation concerns arising out of organization’s operations.

Cindy also is widely recognized for her regulatory and public policy advocacy, publications, and public speaking on privacy and other compliance, risk management concerns. Among others, she is the author of “Privacy & Securities Standards-A Brief Nutshell,” “Privacy Invasions of Medical Care-An Emerging Perspective,” the E-Health Business and Transactional Law Chapter on Other Liability-Tort and Regulatory;” “Cybercrime and Identity Theft: Health Information Security Beyond HIPAA;” “Personal Identity Management Legal Demands and Technology Solutions;” “Tailoring A Records Management Plan And Process To Meet Your Legal And Operational Needs;” “Brokers & Insurers Identity Theft and Privacy Perils;” “HR’s Role In Personal Identity Theft & Cyber Crime Prevention;” “Protecting & Using Patient Data In Disease Management Opportunities, Liabilities And Prescriptions;” “Why Your Business Needs A Cybercrime Prevention and Compliance Program;” “Leveraging Your Enterprise Digital Identity Management Investments and Breaking though the Identity Management Buzz;” “When Your Employee’s Private Life Becomes Your Business;” “Healthcare Breaches: How to Respond” and hundreds of other works. Her insights on privacy, data security, and other matters have appeared in The Wall Street Journal, Business Insurance, the Dallas Morning News, Spencer Publications, and a host of other publications. She speaks and has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others.

Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer works with businesses and government organizations and their management, employee benefit plans, schools, financial institutions, retail, hospitality, and other organizations deal with all aspects of these and other operations performance and compliance management. She supports her clients both on a real time, “on demand” basis and with longer term basis to deal with daily performance management and operations, emerging crises, strategic planning, process improvement and change management, investigations, defending litigation, audits, investigations or other enforcement challenges, government affairs and public policy.

Ms. Stamer also is active in the leadership of a broad range of other professional and civic organizations. For instance, Ms. Stamer serves on the steering committee and as a faculty member of the Southern California ISSA-HIMMS Annual Security Summit and Chaired its 2015 3rd Annual Health Care Privacy Summit. Ms. Stamer presently serves on an American Bar Association (ABA) Joint Committee on Employee Benefits Council representative; Vice President of the North Texas Healthcare Compliance Professionals Association; Immediate Past Chair of the ABA RPTE Employee Benefits & Other Compensation Committee, its current Welfare Benefit Plans Committee Co-Chair, on its Substantive Groups & Committee and its incoming Defined Contribution Plan Committee Chair and Practice Management Vice Chair; Past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and a current member of its Healthcare Coordinating Council; current Vice Chair of the ABA TIPS Employee Benefit Committee; the former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division; on the Advisory Boards of InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications. She also previously served as a founding Board Member and President of the Alliance for Healthcare Excellence, as a Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; the Board President of the early childhood development intervention agency, The Richardson Development Center for Children; Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee; a member of the Board of Directors of the Southwest Benefits Association. For additional information about Ms. Stamer, see here, or the Stamer Chadwick Soefje PLLC website here. To contact Ms. Stamer, e-mail her at here or telephone (469) 767-8872.

About Solutions Law Press, Inc.™

Leave a Comment » | data security, Health Care, HIPAA Cyber Crime, Privacy | Tagged: Allied Health, Child Care, CSO, Cybercrime, Data Privacy, Data Privacy Day, Dentist, Doctor, Education, Educational Privacy, FACTA, FERPA, Finra, Health Care, Health Care Provider, Health IT, Health Plans, HIPAA, Hospitals, IPA, Medical Privacy, MSO, National Cyber Security Awareness Month, Nurse, physical therapy, Physician, Privacy Officer, School, Security Officer | Permalink
Posted by Cynthia Marcotte Stamer

Former National Quality Forum Committee Co-Chair Pays $1M, Excluded From Medicare In Fraud Settlement

March 5, 2015

A former National Quality Forum Committee Safe Practices Co-Chair landed in hot water under the False Claims Act for receiving compensation to use his influence and position to influence safety practices standards. Patient safety consultant Dr. Charles Denham, will pay $1 million to settle Justice Department allegations that he violated the False Claims Act by soliciting and accepting kickbacks while he co-chaired the Safe Practices Committee 2009 and 2010, according to a Justice Department announcement. The consulting company Health Care Concepts Inc. and the research organization Texas Medical Institute of Technology, operated by Denham both also are parties to the settlement.

With physicians and other health care organizations increasingly stepping up involvement in credentialing organizations and government advisory and other task forces, the enforcement action highlights another area where health care organizations and their people need to be careful to avoid violations of the False Claims Act or other laws. The settlement illustrates both the need for health care providers participating in HHS or other government advisory or other consulting roles to carefully evaluate their compensation and other arrangements for illegal remuneration or other prohibited elements in light of the continuing emphasis on and success of the Departments of Health & Human Services (HHS) and Justice in investigating and prosecuting arrangements they view as health care fraud under the Health Care Fraud Prevention and Enforcement Action Team (HEAT) initiative announced in 2009.

The charges against Denham resolved by the settlement stem from payments he and his companies received while he co-chaired the Safe Practices Committee. The Safe Practices Committee reviews, endorses and recommends standardized healthcare performance measures and practices. The settlement resolves allegations that, under agreements entered into in 2008, Denham received monthly payments from CareFusion Corporation while serving as the co-chair of the Safe Practices Committee. The Justice Department charged that Denham did not disclose to the committee, or any other individual or component of the National Quality Forum, that he was receiving payments from CareFusion while co-chairing the Committee and that Denham solicited and received these payments in exchange for influencing the recommendations of the National Quality Forum and for recommending, promoting and/or arranging for the purchase of CareFusion’s product, ChloraPrep, in violation of the Federal Anti-Kickback Statute. The United States alleged that this conduct caused the submission of false or fraudulent claims for ChloraPrep to federal health care programs.

In addition to paying $1 million to the United States, Dr. Denham and his two businesses will be excluded from Medicare, Medicaid and all federal health programs as part of the settlement.

The settlement highlights another example of the widespread success HHS, the Justice Department and other agencies participating in the HEAT initiative in using the False Claims Act against doctors, hospitals and other health care providers and organizations. Since January 2009, the Justice Department reports recovery of more than $23.8 billion through False Claims Act cases, with more than $15.2 billion of that amount recovered in cases involving fraud against federal health care programs. With HHS and the Justice Department claiming it recovers an average return of $8 for each $1 invested in health care fraud enforcement, the enforcement initiative is a key player in Federal efforts to control and reduce federal health care expenditures. The Obama Administration tout the success of these efforts to fuel Congressional and public support for continuation and expansion of these and other health care fraud enforcement efforts by HHS, the Justice Department and other agencies.

“Kickback schemes undermine the integrity of medical decisions, subvert the health marketplace and waste taxpayer dollars,” said Acting Assistant Attorney General Benjamin C. Mizer of the Justice Department’s Civil Division. “Doctors and other health care professionals who accept illegal inducements undermine the public’s trust in federal health care programs and will continue to be the focus of our enforcement efforts

Given the success of the programs and the HEAT agencies commitment to continuing their heavy-handed enforcement efforts, physicians, hospitals, skilled nursing, home health, durable medical equipment, and other health care providers and their leaders should stay ever diligent in their efforts to maintain compliance and other necessary defenses in anticipation of government scrutiny of their operations and activities. As part of these efforts, health care providers and organizations serving on advisory task forces or committees to government agencies or to credentialing or standard settling organizations that provide input on regulatory, standard setting or other activities need to use special care to ensure that any potential conflicts of interest are properly identified and disclosed and that the arrangements otherwise are structured and conducted to avoid violations of both the Anti-Kickback and other health care fraud laws and lobbying, conflict of interest and other laws, regulations and policies applicable to those activities.

For More Information Or Assistance

If you need assistance reviewing or responding to these or other health care related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, may be able to help. Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, Board Certified in Labor & Employment Law, and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 26 years experience advising health industry clients about these and other matters. Her experience includes advising hospitals, nursing home, home health, rehabilitation and other health care providers and health industry clients to establish and administer compliance and risk management policies; prevent, conduct and investigate, and respond to peer review and other quality concerns; and to respond to Board of Medicine, Department of Aging & Disability, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. The scribe for the American Bar Association (ABA) Joint Committee on Employee Benefits annual agency meeting with the Department of Health & Human Services Office of Civil Rights, Ms. Stamer has worked extensively with health care providers, health plans, health care clearinghouses, their business associates, employers, banks and other financial institutions, and others on risk management and compliance with HIPAA and other information privacy and data security rules, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and enforcement, and a host of other related concerns. Her clients include public and private health care providers, health insurers, health plans, technology and other vendors, and others. In addition to representing and advising these organizations, she also has conducted training on Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.

If you or someone else you know would like to receive future updates about developments on these and other concerns from Ms. Stamer, see here.

About Solutions Law Press

Other Helpful Resources & Other Information

We hope that this information is useful to you. If you found these updates of interest, you also be interested in one or more of the following other recent articles published on the Coalition for Responsible Health Care Reform electronic publication available here, our electronic Solutions Law Press Health Care Update publication available here, or our HR & Benefits Update electronic publication available here. You also can get access to information about how you can arrange for training on “Building Your Family’s Health Care Toolkit,” using the “PlayForLife” resources to organize low-cost wellness programs in your workplace, school, church or other communities, and other process improvement, compliance and other training and other resources for health care providers, employers, health plans, community leaders and others here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail by creating or updating your profile here. You can reach other recent updates and other informative publications and resources.

Examples of some of these recent health care related publications include:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. For important information concerning this communication click here.THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS. ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.

1 Comment | Academic medicine, Accreditation, ADA, ASC, Corporate Compliance, Disability Discrimination, Discrimination, DME, Doctor, Durable Medical Equipment, Employer, Employment, Employment law, Federal Health Center, Health Care, Health Care Provider, Home Health, Hospital, Hospital, Medicare, Medicare Advantage, Medicare Fee Schedule, Mental Heatlh, OCR, Physician, Rehabilitation Act, Veterans Health | Tagged: Anti-Kickback, Health Care Fraud, HEAT, HHS, Illegal Remuneration, Medicare Exclusion, National Quality Forum, Physician | Permalink
Posted by Cynthia Marcotte Stamer

Use New State Ebola Protocol Table In Ebola Prevention & Management Planning

January 10, 2015

Health care providers, public health, school, and other community organizations, employers and other business leaders and others concerned about continuing Ebola and other pandemic prevention and containment should check out the new table of State Ebola Protocols Table compiled by the Centers for Disease Control (CDC) to help law and policy makers prepare for and respond to Ebola-related situations As part of continuing Federal efforts to make up for lost time on helping U.S. health care providers and communities prepare to prevent and respond to Ebola outbreak risks since the death of Liberian Ebola patient Thomas Eric Duncan at a in Dallas hospital last year alerted Americans to the risks and need for tighter preparations.

While the Dallas hospital that treated Mr. Duncan paid a settlement to his family and faced other widespread criticism and negative publicity, it then has become clear that misinformation provided by the patient, the original presentation of the patient with flu-like symptoms, the Obama Administration’s reluctance to adopt policies or communications that might interfere with its pro-immigration political agenda, the CDC’s failure to maintain and communicate the most current health care information to health care providers and communities, the CDC’s academic rather than operational emphasis, EMTALA mandates that forced the hospital to triage the patient, Medicaid and other insurance payment protocols that would have as medically unnecessary screening tests in the absence of more clear risk factors, federal licensing restrictions on the use of testing and a host of other limits and deficiencies in the Federal government’s preparations and response to Ebola and other communication risks, left Texas Health Resources and other U.S. health care providers, as well as U.S schools, public service agencies, employers and others at a great disadvantage in their efforts to deal with the outbreak. After denying the seriousness of Ebola risk concerns for several weeks, the diagnosis with Ebola of health care providers that treated Mr. Duncan and subsequent death and diagnosis resulted in the CDC and other federal and state agencies stepping up their Ebola preparation and guidelines. In keeping with this ongoing commitment, CDC says the CDC now will continue to update the State guidelines table as states continue to modify their Ebola response protocols.

For More Information Or Assistance

If you need assistance reviewing or responding to these or other health care related developments or other risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, may be able to help. Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 26 years experience advising health industry clients about these and other matters. Her experience includes advising hospitals, nursing home, home health, rehabilitation and other health care providers and health industry clients to establish and administer compliance and risk management policies; prevent, conduct and investigate, and respond to peer review and other quality concerns; and to respond to Board of Medicine, Department of Aging & Disability, Drug Enforcement Agency, OCR Privacy and Civil Rights, HHS, DOD and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. The scribe for the American Bar Association (ABA) Joint Committee on Employee Benefits annual agency meeting with the Department of Health & Human Services Office of Civil Rights, Ms. Stamer has worked extensively with health care providers, health plans, health care clearinghouses, their business associates, employers, banks and other financial institutions, and others on risk management and compliance with HIPAA and other information privacy and data security rules, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and enforcement, and a host of other related concerns. Her clients include public and private health care providers, health insurers, health plans, technology and other vendors, and others. In addition to representing and advising these organizations, she also has conducted training on Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.

If you or someone else you know would like to receive future updates about developments on these and other concerns from Ms. Stamer, see here.

About Solutions Law Press

THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS. ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.

Leave a Comment » | Centers For Disease Control, Childrens Health Insurance Program, Disability Discrimination, DME, Doctor, Durable Medical Equipment, E-Prescribing, Employee Benefits, FDA, Health Care, Health Care Fraud, Health Care Provider, Health Care Quality, Health Plan, Health Plans, HIPAA, HITECH Act, Hospital, Inpatient Rehabilitation, Inpatient Rehabilitation Facility, Licensing, Medical Licensure, Medical Malpractice, OIG, Pandemic, Patient Empowerment, Pharmacy, Prescription Drugs, Privacy, Prospective Payment, Public Policy, Substance Abuse | Tagged: controlled substance, DEA, DOJ, Drug Testing, drugs, false claims act, Grants, Health Care, Health Care Compliance, Health Care Fraud, Health Plans, HEAT, HIPAA, licensure, Medicaid, Medical Board, pain management, pharmacist, pharmacy, physical therapy, Physician | Permalink
Posted by Cynthia Marcotte Stamer

Unpatched and Unsupported Software Triggers Latest HIPAA Security Breach Resolution Agreement

December 11, 2014

Health care providers, health plans, health care clearinghouses (covered entities) and their business associates need to watch for and protect protected health information (PHI) against security exposures from unpatched or unsupported software and other weaknesses in their data security protections as part of their compliance obligations under the Security Rules of the Health Insurance Portability & Accountability Act (HIPAA).

The need to monitor and address data security threats associated with unpatched or unsupported software is demonstrated by the December 9, 2014 announcement by the U.S. Department of Health & Human Services (HHS) Office of Civil Rights (OCR) that Anchorage Community Mental Health Services (ACMHS) will pay $150,000 and adopt a corrective action plan to correct deficiencies in its HIPAA compliance program resulting from unpatched and unsupported software.

OCR opened an investigation against the five-facility, nonprofit provider of behavioral health care services to children, adults, and families in Anchorage, Alaska after receiving notification from ACMHS of a breach of unsecured electronic protected health information (ePHI) affecting 2,743 individuals due to malware compromising the security of its information technology resources.

According to the OCR announcement of the ACMHS Resolution Agreement with OCR, OCR’s investigation revealed that ACMHS had adopted sample Security Rule policies and procedures in 2005, but failed to follow these procedures. Moreover, OCR found that the reported security incident directly resulted of ACMHS failing to identify and address basic risks, such as not regularly updating their IT resources with available patches and running outdated, unsupported software.

“Successful HIPAA compliance requires a common sense approach to assessing and addressing the risks to ePHI on a regular basis,” said OCR Director Jocelyn Samuels. “This includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks.”

In an effort to promote awareness of the need to assess and monitor the security of ePHI by covered entities and business associates, OCR continues to encourage covered entities and business associates to conduct regular documented evaluations of the adequacy of their ePHI safeguards and systems. To aid in this process, OCR and the Office of the National Coordinator for Health Information Technology have created a Security Rule Risk Assessment Tool available here to assist organizations that handle PHI in conducting a regular review of the administrative, physical and technical safeguards they have in place to protect the security of the information. Since OCR points to the Tool as a resource, covered entities and business associates should anticipate that their failure to identify and address any deficiencies in the areas identified by the tools as a potentially serious compliance issue. As a result, covered entities and business associates likely will want to take steps to ensure that their records include documented review of the adequacy of the security safeguards identified in the Tool. At the same time, covered entities and their business associates should not assume that the Tool adequately covers all potential HIPAA Security Rule exposures. OCR has made clear in this and other Resolution Agreements that HIPAA’s Security Rule requires ongoing monitoring and assessment of the adequacy of security in response to changes in software or system, emerging threats and other developments.

For More Information Or Assistance

If you need assistance reviewing or responding to these or other health care related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, may be able to help. Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 26 years experience advising health industry clients about these and other matters. Her experience includes advising hospitals, nursing home, home health, rehabilitation and other health care providers and health industry clients to establish and administer compliance and risk management policies; prevent, conduct and investigate, and respond to peer review and other quality concerns; and to respond to Board of Medicine, Department of Aging & Disability, Drug Enforcement Agency, OCR Privacy and Civil Rights, HHS, DOD and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. The scribe for the American Bar Association (ABA) Joint Committee on Employee Benefits annual agency meeting with the Department of Health & Human Services Office of Civil Rights, Ms. Stamer has worked extensively with health care providers, health plans, health care clearinghouses, their business associates, employers, banks and other financial institutions, and others on risk management and compliance with HIPAA and other information privacy and data security rules, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and enforcement, and a host of other related concerns. Her clients include public and private health care providers, health insurers, health plans, technology and other vendors, and others. In addition to representing and advising these organizations, she also has conducted training on Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.

If you or someone else you know would like to receive future updates about developments on these and other concerns from Ms. Stamer, see here.

About Solutions Law Press

Leave a Comment » | Centers For Disease Control, Childrens Health Insurance Program, Disability Discrimination, DME, Doctor, Durable Medical Equipment, E-Prescribing, Employee Benefits, FDA, Health Care, Health Care Fraud, Health Care Provider, Health Care Quality, Health Plan, Health Plans, HIPAA, HITECH Act, Hospital, Hospital, Inpatient Rehabilitation, Inpatient Rehabilitation Facility, Licensing, Medical Licensure, Medical Malpractice, OIG, Pandemic, Patient Empowerment, Pharmacy, Prescription Drugs, Privacy, Prospective Payment, Public Policy, Substance Abuse | Tagged: controlled substance, DEA, DOJ, Drug Testing, drugs, false claims act, Grants, Health Care, Health Care Compliance, Health Care Fraud, Health Plans, HEAT, HIPAA, licensure, Medicaid, Medical Board, pain management, pharmacist, pharmacy, physical therapy, Physician | Permalink
Posted by Cynthia Marcotte Stamer

More Information

About the Author

Share this:

For More Information Or Help

About the Author

About Solutions Law Press, Inc.™

Share this:

For More Information Or Help

About the Author

About Solutions Law Press, Inc.™

Share this:

Federal Statutes Protect “Right of Conscience” In Health Care

Church Amendment

Coats-Snow Amendment

Weldon Amendment.

Trump Policy Directives Drive New Risks By Changing Prior Religion & Other Discrimination Interpretations & Prioritizing New Rule Enforcement For Past, Current & Future Actions

New HIPAA Whistleblower Guidance

2 New Right Of Conscience Investigations Signal Growing Enforcement Risks

For More Information

About the Author

About Solutions Law Press, Inc.™

Share this:

Evolving Application of Civil Rights Laws To DEI, Affirmative Action & Other Preferences

HHS & ED Merit-Based Decisions Policy Investigations & Enforcement

New Dear Colleague Letter Policy Clarification

For More Information

About the Author

About Solutions Law Press, Inc.™

Share this:

HIPAA Risk Analysis Requirement & OCR Risk Analysis Initiative

Risk Analysis Longstanding HIPAA Requirement

OCR Raising Risk Analysis Expectations & Enforcement

NERAD Enforcement Risk Analysis Initiative Enforcement Action & Settlement

Guam Memorial Hospital Authority Risk Assessment Initiative & Ransomware Enforcement Action

Required & Recommended Actions To Promote Defensibility Of Risk Analysis Compliance

Fulfill Current Risk Analysis Standards

Follow Proposed Rules & Enforcement Actions To Mitigate Risks

Use Appropriate Process To Audit, Update & Strengthen Risk Defensibility

For More Information

About the Author

About Solutions Law Press™

Share this:

HIPAA Important But Not Only Cyber Liability Risk For Health Industry Organizations

HNFS False Claims Act Cyber Liability Settlement

For More Information

About the Author

About Solutions Law Press, Inc.™

Share this:

For More Information

About the Author

About Solutions Law Press, Inc.™

Share this:

For More Information

About the Author

About Solutions Law Press, Inc.™

Share this:

For More Information

About the Author

About Solutions Law Press, Inc.™

Share this:

For More Information

About the Author

About Solutions Law Press, Inc.™

Share this:

For More Information

About the Author

About Solutions Laws Press, Inc.™

ABOUT THIS COMMUNICATION

Share this:

Resources Summarize Key Health Care Fraud Rules

Nguyen Health Care Fraud Plea For Billing Delegated Care As Physician Provided

Learn Basics From HHS Physician Health Care Fraud & Abuse Educational Resources

For Additional Information

About the Author

About Solutions Laws Press, Inc.™

IMPORTANT NOTICE

Share this:

For Additional Information

About the Author

About Solutions Laws Press, Inc.™