Fresenius Medical Care Pays $3.5 Million HIPAA Settlement

February 2, 2018

Fresenius Medical Care North America (FMCNA) is paying $3.5 million to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and adopting a comprehensive corrective action plan, under a voluntary resolution agreement that settles FMCNA exposures to OCR for violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules OCR asserts it found from an investigation it conducted into five separate HIPAA breach reports FMCNA filed in January 21, 2017.

Widespread publicity and fallout from data breaches involving Equifax, Blue Cross, the Internal Revenue Service and many other giant organizations have ramped up public awareness and government concern about health care and other data security.  The resulting pressure is adding additional fuel to the already substantial concern of OCR and other agencies about compliance with HIPAA and other data security and breach laws.  Like the $2.3 million HIPAA resolution agreement OCR announced with now bankrupt radiation oncology and cancer care provider 21st Century Oncology, Inc. (21CO) earlier this year,  see, e.g., $23M Penalty Small Part of 21st Century’s Data Breach Fallout; Offers Data Breach Lessons For Other Businesses, the growing list of OCR resolution agreements and other enforcement actions against FMCNA, 21CO and other covered entities and other legal and market fallout that covered entities and other organizations experience following the announcement of breaches or other security deficiencies make the case for why HIPAA-covered health care providers, health plans, health care clearinghouses and their business associates (covered entities) must prioritize HIPAA compliance and other medical and other data security protection, privacy and risk management a top priority in 2018.

HIPAA Privacy, Security & Breach Notification Rule Responsibilities & Risks

The Privacy Rule requires that health plans, health care providers, health care clearinghouses (covered entities) and their vendors that qualify as “business associates” under HIPAA comply with detailed requirements concerning the protection, use, access, destruction and disclosure of protected health information.  As part of these requirements, covered entities and their business associates must adopt, administer and enforce detailed policies and practices, assess, monitor and maintain the security of electronic protected health information (ePHI) and other protected health information, provide notices of privacy practices and breaches of “unsecured” ePHI, afford individuals that are the subject of protected health information certain rights and comply with other requirements as specified by the Privacy, Security and Breach Notification Rules.  In addition, covered entities and business associates also must enter into a written and signed business associate agreement that contains the elements specified in Privacy Rule § 164.504(e) before the business associate creates, uses, accesses or discloses PHI of the covered entity. Furthermore, the Privacy Rule includes extensive documentation and keeping requirements require that covered entities and BAs maintain copies of these BAAs for a minimum of six years and to provide that documentation to OCR upon demand.

Violations of the Privacy Rule can carry stiff civil or even criminal penalties.  Pursuant to amendments to HIPAA enacted as part of the HITECH Act, civil penalties typically do not apply to violations punished under the criminal penalty rules of HIPAA set forth in Social Security Act , 42 U.S.C § 1320d-6 (Section 1177).

Resolution Agreements like the $3.2 million FMCNA resolution agreement allow covered entities and business associates to resolve potentially substantially larger civil monetary penalty liabilities that OCR can impose under the civil enforcement provisions of HIPAA.  As amended by the HITECH Act, the civil enforcement provisions of HIPAA empower OCR to impose Civil Monetary Penalties on both covered entities and BAs for violations of any of the requirements of the Privacy or Security Rules.  The penalty ranges for civil violations depends upon the circumstances associated with the violations and are subject to upward adjustment for inflation.  As most recently adjusted here effective September 6, 2016,  the following currently are the progressively increasing Civil Monetary Penalty tiers:

  • A minimum penalty of $100 and a maximum penalty of $50,000 per violation, for violations which the CE or BA “did not know, and by exercising reasonable diligence would not have known” about using “the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances;”
  • A minimum penalty of $1,000 and a maximum penalty of $50,000 per violation, for violations for “reasonable cause” which do not rise to the level of “willful neglect” where “reasonable cause” means the “circumstances that would make it unreasonable for the covered entity, despite the exercise of ordinary business care and prudence, to comply with the violated Privacy Rule requirement;”
  • A minimum penalty of $10,000 and a maximum penalty of $50,000 per violation, for violations attributed to “willful neglect,” defined as “the conscious, intentional failure or reckless indifference to the obligation to comply” with the requirement or prohibition; and
  • A minimum penalty of $50,000 and a maximum penalty of $1.5 million per violation, for violations attributed to “willful neglect” not remedied within 30 days of the date that the covered entity or BA knew or should have known of the violation.

For continuing violations such as failing to implement a required BAA, OCR can treat each day  of noncompliance as a separate violation.  However, sanctions under each of these tiers generally are subject to a maximum penalty of $1,500,000 for violations of identical requirements or prohibitions during a calendar year.  For violations such as the failure to implement and maintain a required BAA where more than one covered entity bears responsibility for the violation, OCR an impose Civil Monetary Penalties against each culpable party. OCR considers a variety of mitigating and aggravating facts and circumstances when arriving at the amount of the penalty within each of these applicable tiers to impose.

In addition to these potential civil liability exposures, however, covered entities, their business associates and other individuals or organizations that wrongfully use, access or disclose electronic or other protected health information also can face civil liability under various circumstances.  The criminal enforcement provisions of HIPAA authorize the Justice Department to prosecute a person who knowingly in violation of the Privacy Rule (1) uses or causes to be used a unique health identifier; (2) obtains individually identifiable health information relating to an individual; or (3) discloses individually identifiable health information to another person, punishable by the following criminal sanctions and penalties:

  • A fine of up to $50,000, imprisoned not more than 1 year, or both;
  • If the offense is committed under false pretenses, a fine of up to $100,000, imprisonment of not more than 5 years, or both; and
  • If the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, a fine of up to $250,000, imprisoned not more than 10 years, or both.

Because HIPAA Privacy Rule criminal violations are Class A Misdemeanors or felonies, Covered Entities and business associates should include HIPAA compliance in their Federal Sentencing Guideline Compliance Programs and practices and need to be concerned both about criminal exposure for their own direct violations, as well as imputed organizational liability for violations committed by their employees or agents under the Federal Sentencing Guidelines, particularly where their failure to implement or administer these required compliance policies and practices or failure to properly investigate or redress potential violations enables, perpetuates or covers up the criminal breach.

Fresenius Breach, Charges & Settlement Agreement Illustrate Civil Exposures

The FMCNA resolution agreement is another example of a growing list of resolution agreements various HIPAA covered entities have entered into to resolve their exposure to potentially greater liability should OCR assess civil monetary penalties under HIPAA’s civil sanction scheme.

The breach reports filed on January 21, 2017 reported five separate breach incidents occurring between February 23, 2012 and July 18, 2012 implicating the electronic protected health information (ePHI) of five separate FMCNA owned covered entities (FMCNA covered entities):  Bio-Medical Applications of Florida, Inc. d/b/a Fresenius Medical Care Duval Facility in Jacksonville, Florida (FMC Duval Facility); Bio-Medical Applications of Alabama, Inc. d/b/a Fresenius Medical Care Magnolia Grove in Semmes, Alabama (FMC Magnolia Grove Facility); Renal Dimensions, LLC d/b/a Fresenius Medical Care Ak-Chin in Maricopa, Arizona (FMC Ak-Chin Facility); Fresenius Vascular Care Augusta, LLC (FVC Augusta); and WSKC Dialysis Services, Inc. d/b/a Fresenius Medical Care Blue Island Dialysis (FMC Blue Island Facility).

OCR concluded its investigation showed the breaches resulted because FMCNA failed to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of its ePHI.  OCR also concluded:

  • The FMCNA covered entities impermissibly disclosed the ePHI of patients by providing unauthorized access for a purpose not permitted by the Privacy Rule.
  • FMC Ak-Chin failed to implement policies and procedures to address security incidents.
  • FMC Magnolia Grove failed to implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain ePHI into and out of a facility; and the movement of these items within the facility.
  • FMC Duval and FMC Blue Island failed to implement policies and procedures to safeguard their facilities and equipment therein from unauthorized access, tampering, and theft, when it was reasonable and appropriate to do so under the circumstances.
  • FMC Magnolia Grove and FVC Augusta failed to implement a mechanism to encrypt and decrypt ePHI, when it was reasonable and appropriate to do so under the circumstances.

In addition to a $3.5 million monetary settlement, a corrective action plan requires the FMCNA covered entities to complete a risk analysis and risk management plan, revise policies and procedures on device and media controls as well as facility access controls, develop an encryption report, and educate its workforce on policies and procedures.

 

HIPAA Enforcement A Growing Risk

Covered entities, their business associates and members of their workforce need to recognize that the FMCNA and other resolution agreements are part of a growing trend, rather than isolated incidents of enforcement.

While civil monetary penalty enforcement remains much more common than criminal prosecution, covered entities, their business associates and members of their workforce must understand that HIPAA enforcement and resulting liability is growing.

While Department of Justice federal criminal prosecutions and convictions under HIPAA remain relatively rare, they occur and are growing.  See e.g.,  Former Hospital Employee Sentenced for HIPAA Violations (Texas man sentenced to 18 months in federal prison for obtaining protected health information with the intent to use it for personal gain); Three Life Sentences Imposed On Man Following Convictions For Drug Trafficking, Kidnapping, Using Firearms and HIPAA Violations (drug king pin gets multiple 10 year consecutive prison terms for unauthorized access to private health information in violation of HIPAA; his health care worker friend sentenced for accessing electronic medical files and reporting information to him); Former Therapist Charged In HIPAA Case; Hefty Prison Sentence in ID Theft Case (former assisted living facility worker gets 37 months in prison after pleading guilty to wrongful disclosure of HIPAA protected information and other charges); Hefty Prison Sentence in ID Theft Case (former medical supply company owner sentenced to 12 years for HIPAA violations and fraud).  While the harshest sentences tend to be associated with health care fraud or other criminal conduct, lighter criminal sentences are imposed against defendants in other cases as well. See e.g., Sentencing In S.C. Medicaid Breach Case (former South Carolina state employee sentenced to three years’ probation, plus community service, for sending personal information about more than 228,000 Medicaid recipients to his personal e-mail account.); HIPAA Violation Leads To Prison Term (former UCLA Healthcare System surgeon gets four months in prison after admitting he illegally read private electronic medical records of celebrities and others.)

While criminal enforcement of HIPAA remains relatively rare and OCR to date only actually has assessed HIPAA civil monetary penalties against certain Covered Entities for violating HIPAA in a couple isolated instances, the growing list of multi-million dollar resolution payments that FMCNA and other covered entities caught violating HIPAA make clear that HIPAA enforcement is both meaningful and growing.   See e.g., Learn From Children’s New $3.2M+ HIPAA CMP For “Knowing” Violation of HIPAA Security Rules ($3.2 million Children’s Medical Center HIPAA Civil Monetary Penalty); 1st HIPAA Privacy Civil Penalty of $4.3 Million Signals CMS Serious About HIPAA Enforcement;  $400K HIPAA Settlement Shows Need To Conduct Timely & Appropriate Risk Assessments$5.5M Memorial HIPAA Resolution Agreement Shows Need To Audit.  For more examples, also see here.

Coming on the heels of  an already lengthy and growing list of OCR high dollar HIPAA enforcement actions, the FMCNA and other resolution agreements and civil monetary penalties these and other announced enforcement actions clearly reflect that OCR takes HIPAA compliance seriously and stands ready to impose substantial penalties when it finds violations in connection with breach notice investigations.  Viewed in the context of these and other enforcement actions, the FMCNA Resolution Agreement and others clearly reflect the time for complacency in HIPAA compliance and leniency in HIPAA HIPAA enforcement are passed.  Rather, these and other enforcement actions make clear why health care providers, health plans, healthcare clearinghouses and their business associates must make HIPAA compliance a priority now.

Covered entities and business associates also should recognize their potential responsibilities and risks for breaches or other improper conduct concerning patient or other sensitive personal financial information, trade secrets or other data under a wide range of laws beyond HIPAA and its state law equivalents.  As documented by the media coverage of the legal and business woes of Alteryx, eBay, Paypal owner TIO Networks, Uber, Equifax and a long list of other previously trusted prominent businesses have and continue to incur from data breaches within their organizations, health care or other covered entities experiencing breaches often also face FTC or other government investigations and enforcement under the Fair and Accurate Credit Transactions Act (FACTA) and other federal or state identity theft, data privacy and security, electronic crimes and other rules as well as business losses and disruptions; civil litigation from breach victims, shareholders and investors, and business partners as well as OCR, FTC, and state data security regulation enforcement.  Amid this growing concern, OCR has indicated that it intends to continue to diligently both seek to support and encourage voluntary compliance by covered entities and their business associates and  investigate and enforce HIPAA against HIPAA covered entities and their business associates that fail to adequately safeguard PHI and ePHI in accordance with HIPAA. In the face of these growing risks and liabilities, covered entities and their business leaders face a strong imperative to clean up and maintain their HIPAA compliance and other data security to minimize their exposure to similar consequences.

In light of these rises, leaders, investors, insurers, lenders and others involved with covered entities and their business associates should take steps to verify that the covered entities and their business associates not only maintain compliance with HIPAA, but also comply with data security, privacy and other information protection requirements arising under other laws, regulations, and contracts, as well as the practical business risks that typically follow the announcement of a breach.  Considering these risks, covered entities and their business associates must recognize and take meaningful, documented action to verify their existing compliance and ongoing oversight to ensure their organizations can demonstrate appropriate action to maintain appropriate practices, insurance and other safeguards to prevent, respond to and mitigate exposures in the event of a breach of protected health information or other sensitive data.

In response to these growing risks and concerns, covered entities and their business associates should ensure that they have conducted, and maintain and are ready to produce appropriate policies and procedures backed up by a well documented, up-to-date industry wide risk assessment of their organization’s susceptibility to breaches or other misuse of electronic or other protected health information.  The starting point of these efforts should be to adopt and enforce updated written policies, procedures, technical and physical safeguards, processes and training to prevent the improper use, access, destruction or disclosure of patient PHI.  Processes also should create, retain and be designed to cost effectively track, capture, and retain both all protected health information, its use, access, protection, destruction and disclosure, and the requisite supportive documentation supporting the appropriateness of those action to position the organization  cost-effectively and quickly to fulfill required accounting, reporting and other needs in the event of a data breach, audit, participant inquiry or other event.

As part of this process, covered entities and business associates should start by reviewing and updating their policies, HIPAA audits and assessments and other documentation and processes.  In doing so, they must use care to look outside the four corners of their Privacy Policies and core operating systems to ensure that their policies, practices, oversight and training address all protected health information within their operations on an entity wide basis. This entity-wide assessment should include both communications and requests for information normally addressed to the Privacy Officer as well as requests and communications that could arise in the course of media or other public relations, practice transition, workforce communication and other operations not typically under the direct oversight and management of the Privacy Officer.

In connection with these efforts, the enforcement actions make clear that Covered Entities and business associates should adopt, implement and monitor PHI privacy, and security on an entity wide basis.  These efforts should include both general policies, practices and procedures as well as specifically tailored policies, processes and training to protect PHI and preserve HIPAA compliance throughout their organization  as well as the business associate agreements and other processes to provide for HIPAA compliance with respect to protected health information created, used, accessed or disclosed to business associates or others not part of their direct workforce or operating outside the core boundaries of their facilities.

Covered entities and their business associates also must recognize and design their compliance efforts and documentation recognizing that HIPAA compliance is a living process, which require both constant diligence about changes in systems or other events that may require reevaluation or adjustments, whether from changes in software, systems or processes or external threats.

Because the cost of responding to and investigating breaches or other compliance concern can be quite burdensome, covered entities and their business associates also generally will want to pursue options to plan for and minimize potential expenses in the design and administration of their programs as well as to minimize and cover the potentially extraordinary costs of breach or other compliance investigation and results that commonly arise following a breach or other compliance event.  As a part of this planning, covered entities and their business associates also generally will want to add consideration of changes to federal tax rules on the deductibility of compliance penalty and other related compliance expenditures.

While the Internal Revenue Code traditionally has prohibited businesses and individuals from deducting penalties, fines and other expenditures arising from violations of federal or state laws under Section 162(f) of the Internal Revenue Code, Section 13306 of the Tax Cuts and Jobs Creation Act creates a new exception for amounts  (other than amounts paid or incurred any amount paid or incurred as reimbursement to the government or entity for the costs of any investigation or litigation) that a taxpayer establishes meet the following requirements:

  • Constitute restitution (including remediation of property) for damage or harm which was or may be caused by the violation of any law or the potential violation of any law, or
  • Are paid to come into compliance with any law which was violated or otherwise involved in the investigation or inquiry into a violation or potential violation of any law;
  • Are identified as restitution or as an amount paid to come into compliance with such law, as the case may be, in the court order or settlement agreement, and
  • In the case of any amount of restitution for failure to pay any tax imposed under this title in the same manner as if such amount were such tax, would have been allowed as a deduction under this chapter if it had been timely paid.

Because the true effect of these modifications will be impacted by implementing regulations and a number of other special conditions and rules may impact the deductibility of these payments and the reporting obligations attached to their payment, covered entities will want to consult with legal counsel about these rules and monitor their implementation to understand their potential implications on compliance expenditures and penalties.

About The Author

Repeatedly recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, a Fellow in the American College of Employee Benefit Council, the American Bar Foundation and the Texas Bar Foundation and board certified in labor and employment law by the Texas Board of Legal Specialization, Cynthia Marcotte Stamer is a practicing attorney, management consultant, author, public policy advocate and lecturer widely known for health and managed care, employee benefits, insurance and financial services, data and technology and other management work, public policy leadership and advocacy, coaching, teachings, and publications. Nationally recognized for her work, experience, leadership and publications on HIPAA and other medical privacy and data use and security, FACTA, GLB, trade secrets and other privacy and data security concerns, Ms. Stamer has worked extensively with clients and the government on cybersecurity, technology and processes and other issues involved in the use and management of medical, insurance and other financial, workforce, trade secrets and other sensitive data and information throughout her career.  Scribe or co-scribe of the ABA Joint Committee on Employee Benefits Agency meeting with OCR since 2011 and author of a multitude of highly regarded publications on HIPAA and other health care, insurance, financial and other privacy and data security, Ms. Stamer is widely known for her extensive and leading edge experience, advising, representing, training and coaching health care providers, health plans, healthcare clearinghouses, business associates, their information technology and other solutions providers and vendors, and others on HIPAA and other privacy, data security and cybersecurity design, documentation, administration, audit and oversight, business associate and other data and technology contracting, breach investigation and response, and other related concerns including extensive involvement representing clients in dealings with OCR and other Health & Human Services, Federal Trade Commission, Department of Labor, Department of Treasury, state health, insurance and attorneys’ general, Congress and state legislators and other federal officials.

Ms. Stamer also has an extensive contributes her leadership and insights with other professionals, industry leaders and lawmakers.    Her insights on HIPAA risk management and compliance often appear in medical privacy related publications of a broad range of health care, health plan and other industry publications Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, SHRM, HIMMS, the American Bar Association, the Health Care Compliance Association, a multitude of health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others.  You can get more information about her HIPAA and other experience here. For additional information about Ms. Stamer, see here, e-mail her here or telephone Ms. Stamer at (214) 452-8297.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources here including:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The presenter and the program sponsor disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2018 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.


Bankrupt Oncology Provider’s $2.3M Settlement Payment & Other HIPAA Breach Consequences Shows Why To Prioritize HIPAA Compliance In 2018

December 29, 2017

The just-announced agreement $2.3 million (Resolution Amount) settlement by now bankrupt radiation oncology and cancer care provider 21st Century Oncology, Inc. (21CO)  is paying to settle Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules violation charges and other continuing post-breach fallout that helped push 21CO to file for Chapter 11 bankruptcy protection demonstrates again why HIPAA-covered health care providers, health plans, health care clearinghouses and their business associates (covered entities) must make HIPAA compliance and risk management a high priority in 2018.

Distinctive as the first HIPAA resolution agreement requiring bankruptcy court approval  and for the bankruptcy court’s order including a direction to the covered entity’s cyber liability insurer to pay the Resolution Payment and other investigation defense expenses, the 21CO resolution agreement resolves potential civil monetary penalty exposures the Fort Myers, Florida based provider of cancer care services and radiation oncology could have faced from the Department of Health & Human Services Office of Civil Rights (OCR) charges it violated HIPAA’s Privacy and Security Rules arising from the hacking and misappropriation of records containing sensitive electronic protected health information (ePHI) of up to 2,213597 individuals.

When their own 2018 HIPAA or other compliance investigation activities or planning HIPAA compliance and risk management activities, covered entities and their business associates and their leaders should use 21CO’s painful post-breach lessons experience to minimize their own HIPAA breach exposures, as well as consider how amendments to Internal Revenue Code Section 162(f) might impact the tax deductibility of certain compliance expenditures.

 21CO HIPAA Breaches & Fallout

The OCR charges against 21CO arose from an OCR investigation commenced after the Federal Bureau of Investigation (FBI) notified 21CO on November 13, 2015 and a second time on December 13, 2015 than unauthorized third-party illegally obtained 21CO sensitive patient information and produced 21CO patient files purchased by a FBI informant.  As part of its internal investigation, 21CO hired a third party forensic auditing firm in November 2015. 21CO determined that the attacker may have accessed 21CO’s network SQL database as early as October 3, 2015, through Remote Desktop Protocol from an Exchange Server within 21CO’s network. 21CO determined that it is possible that 2,213,597 individuals may have been affected by the impermissible access to their names, social security numbers, physicians’ names, diagnoses, treatment and insurance information.

Although it knew of the breaches in November and December, 2015, 21CO delayed notifying patients of the data breach for more than three months after the FBI notified it of the breaches before it sent HIPAA or other breach notifications about the data breach to patients or notified investors in March, 2016. Its March 4, 2016 Securities and Exchange Commission 8-K on Data Security Incident (Breach 8-K) states 21CO delayed notification at the request of the FBI to avoid interfering in the criminal investigation of the breach.

When announcing the breach, 21CO provided all individuals affected by the breach with a free one-year subscription to the Experian ProtectMyID fraud protection service. At that time, 21CO said it had no evidence that any patient information actually had been misused.  However victims of the breach subsequently are claiming being victimized by a variety of scams since the breach in news reports and lawsuits about the breach.

At the time of the breach and its March 4, 2016 announcement of the breach, 21CO already was working to resolve other compliance issues.  On December 16, 2015, 21CO announced that a 21CO  subsidiary had agreed to pay $19.75 million to the United States and $528,000 in attorneys’ fees and costs and comply with a corporate integrity agreement related to a qui tam action in which it was accused of making false claims to Medicare and other federal health programs. See 21CO 8-K Re: Entry into a Material Definitive Agreement (December 22, 2015).  Among other things, the corporate integrity agreement required by that settlement required 21CO to appoint a compliance officer and take other steps to maintain compliance with federal health care laws.  In addition, five days after releasing the March 4, 2017 Breach 8-K, 21CO notified investors that its subsidiary, 21st Century Oncology, Inc. (“21C”), had agreed to pay $37.4 million to settle health care fraud law charges relating to billing and other protocols of certain staff in the utilization of state-of-the-art radiation dose calculation system used by radiation oncologists called GAMMA.  See 21CO 8-K Re: GAMMA Settlement March 9, 2016 ;  See also United States Settles False Claims Act Allegations Against 21st Century Oncology for $34.7 Million.

As the breeches impacted more than 500 individuals, 21CO’s HIPAA breaches were considered large breaches for purposes of the Breach Notification Rules.  It is the policy of OCR to investigate all large breach notifications filed under the HIPAA Breach Notification Rules.

Based on OCR’s subsequent investigation into these breaches, OCR found:

  • 21CO impermissibly disclosed certain PHI of 2,213,597 of its patients in violation of 45 C.F.R. § 164.502(a);
  • 21CO failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the electronic protected health information (ePHI) held by 21CO in violation of 45 C.F.R. § 164.308(a)(1)(ii)(A);
  • 21CO failed to implement certain security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with 45 C.F.R. § 164.306(A) in violation of 45 C.F.R. § 164.308(a)(1)(ii)(B);
  •  21CO failed to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports as required by 45 C.F.R. §164.308(a)(1)(ii)(D);
  • 21CO disclosed protected health information to a third-party vendors, acting as its business associates, without obtaining satisfactory assurances in the form of a written business associate agreement in violation of HIPAA’s business associate rule requirements under 45 C.F.R. §§ 164.502(e) and 164.308(b)(3).

The Resolution Agreement settles potential charges and exposures to potentially much higher civil monetary penalties that 21CO could have faced had OCR successfully prosecuted charges against 21CO for the breaches.   In return for OCR’s agreement not to further pursue charges or penalties relating to the breach investigation, the Resolution Agreement requires that 21CO pay OCR a $2.3 million Resolution Amount and implement to OCR’s satisfaction a corrective action plan that among other things requires that 21CO complete  the following corrective actions to the satisfaction of OCR:

  • To complete a risk analysis and risk management plan;
  • To revise its HIPAA policies and procedures regarding information system activity review to require the regular review of audit logs, access reports, and security incident tracking reports pursuant to 45 C.F.R. § 164.308(a)(1)(ii)(D);
  • To revise its policies and procedures regarding access establishment and modification and termination pursuant to 45 C.F.R. § 164.308(a)(4)(ii)(C) and 45 C.F.R. § 164.308(a)(3)(ii)(C) to include protocols for access to 21CO’s e-PHI by affiliated physicians, their practices, and their employees.
  • To distribute its policies to and educate its workforce on the updated and other HIPAA policies and procedures;
  • To provide OCR with an accounting of 21CO’s business associates that includes names of business associates, a description of services provided, a description of the business associate’s handling of 21CO’s PHI, the date services began and copies of the actual business associate agreement with each business associate; and
  • Submit an internal monitoring plan to OCR.

In addition to  the OCR investigation that lead to the new HIPAA resolution agreement announced by OCR on December 28, 2017, 21CO experienced other fallout following its March 4, 2016 public disclosure of the breach.  Not surprisingly, the breach notification led to a multitude of class-action civil lawsuits by breach victims and shareholders.  See, e.g., 16 Data Breach Class Action Lawsuits Filed Against 21st Century Oncology Consolidated; 21st Century Oncology data breach prompts multiple lawsuits.  Reports of spoofing and other misleading contacts made to 21CO patients following the breach prompted the Federal Trade Commission (FTC) to issue a specific notice alerting victims about potential false breach notifications and other misleading contacts.  See April 4, 2016 FTC Announcement Re: 21st Century Oncology breach exposes patients’ info.

These and other developments also had significant consequences on 21CO’s financial status and leadership.  By March 31, 2015, 21CO notified the SEC and investors that it needed added time to complete its financial statements.  Subsequent SEC filings document its restatement of financial statements, the departure of board members and other leaders,  default on credit terms, and ultimately its filing for Chapter 11 bankruptcy protection in the United States Bankruptcy Court for the Southern District of New York on May 25, 2017.

Insurer Funding $2.3 Million Settlement Payment For Bankrupt 21CO

The 21CO resolution agreement required bankruptcy court approval,  Funds for payment of the required $2.3 million resolution payment and other charges associated with the investigation apparently are being provided in part from breach liability insurance coverage provided under a policy issued by Beazley Insurance, as the Bankruptcy Court order directs Beazley Breach Response Policy No. W140E2150301 to make immediate payment to the OCR of the resolution amount and the payment of fees incurred by 21CO in connection with regulatory defense issues.

Settlements Highlight Growing Risks Of Noncompliance, Lack Data Security

One of a growing multitude of multimillion dollar HIPAA resolution agreements to avoid HIPAA civil monetary sanctions that OCR already has announced, the 21CO resolution agreement announcement also comes when a steady stream of reports of massive data breaches at Alteryx, eBay, Paypal owner TIO Networks, Uber, Equifax and a long list of other previously trusted prominent businesses are stoking government and public awareness and concern over health care and other data privacy and cybersecurity.  Beyond their potential HIPAA enforcement exposures, health care or other covered entities experiencing breaches often also face FTC or other government investigations and enforcement under the Fair and Accurate Credit Transactions Act (FACTA) and other federal or state identity theft, data privacy and security, electronic crimes and other rules as well as business losses and disruptions; civil litigation from breach victims, shareholders and investors, and business partners as well as OCR, FTC, and state data security regulation enforcement.  Amid this growing concern, OCR has indicated that it intends to continue to diligently both seek to support and encourage voluntary compliance by covered entities and their business associates and  investigate and enforce HIPAA against HIPAA covered entities and their business associates that fail to adequately safeguard PHI and ePHI in accordance with HIPAA. In the face of these growing risks and liabilities, covered entities and their business leaders face a strong imperative to clean up and maintain their HIPAA compliance and other data security to minimize their exposure to similar consequences.

In light of these rises, leaders, investors, insurers, lenders and others involved with covered entities and their business associates should take steps to verify that the covered entities and their business associates not only maintain compliance with HIPAA, but also maintain appropriate practices, insurance and other safeguards to prevent, respond to and mitigate exposures in the event of a breach of protected health information or other sensitive data.

As a part of this planning, covered entities and their business associates also generally will want to add consideration of changes to federal tax rules on the deductibility of compliance penalty and other related compliance expenditures.  While the Internal Revenue Code traditionally has prohibited businesses and individuals from deducting penalties, fines and other expenditures arising from violations of federal or state laws under Section 162(f) of the Internal Revenue Code, Section 13306 of the Tax Cuts and Jobs Creation Act creates a new exception for amounts  (other than amounts paid or incurred any amount paid or incurred as reimbursement to the government or entity for the costs of any investigation or litigation) that a taxpayer establishes meet the following requirements:

  • Constitute restitution (including remediation of property) for damage or harm which was or may be caused by the violation of any law or the potential violation of any law, or
  • Are paid to come into compliance with any law which was violated or otherwise involved in the investigation or inquiry into a violation or potential violation of any law;
  • Are identified as restitution or as an amount paid to come into compliance with such law, as the case may be, in the court order or settlement agreement, and
  • In the case of any amount of restitution for failure to pay any tax imposed under this title in the same manner as if such amount were such tax, would have been allowed as a deduction under this chapter if it had been timely paid.

Because the true effect of these modifications will be impacted by implementing regulations and a number of other special conditions and rules may impact the deductibility of these payments and the reporting obligations attached to their payment, covered entities will want to consult with legal counsel about these rules and monitor their implementation to understand their potential implications on compliance expenditures and penalties.

About The Author

Repeatedly recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, a Fellow in the American College of Employee Benefit Council, the American Bar Foundation and the Texas Bar Foundation and board certified in labor and employment law by the Texas Board of Legal Specialization, Cynthia Marcotte Stamer is a practicing attorney, management consultant, author, public policy advocate and lecturer widely known for health and managed care, employee benefits, insurance and financial services, data and technology and other management work, public policy leadership and advocacy, coaching, teachings, and publications. Nationally recognized for her work, experience, leadership and publications on HIPAA and other medical privacy and data use and security, FACTA, GLB, trade secrets and other privacy and data security concerns, Ms. Stamer has worked extensively with clients and the government on cybersecurity, technology and processes and other issues involved in the use and management of medical, insurance and other financial, workforce, trade secrets and other sensitive data and information throughout her career.  Scribe or co-scribe of the ABA Joint Committee on Employee Benefits Agency meeting with OCR since 2011 and author of a multitude of highly regarded publications on HIPAA and other health care, insurance, financial and other privacy and data security, Ms. Stamer is widely known for her extensive and leading edge experience, advising, representing, training and coaching health care providers, health plans, healthcare clearinghouses, business associates, their information technology and other solutions providers and vendors, and others on HIPAA and other privacy, data security and cybersecurity design, documentation, administration, audit and oversight, business associate and other data and technology contracting, breach investigation and response, and other related concerns including extensive involvement representing clients in dealings with OCR and other Health & Human Services, Federal Trade Commission, Department of Labor, Department of Treasury, state health, insurance and attorneys’ general, Congress and state legislators and other federal officials.

Ms. Stamer also has an extensive contributes her leadership and insights with other professionals, industry leaders and lawmakers.    Her insights on HIPAA risk management and compliance often appear in medical privacy related publications of a broad range of health care, health plan and other industry publications Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, SHRM, HIMMS, the American Bar Association, the Health Care Compliance Association, a multitude of health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others.  You can get more information about her HIPAA and other experience here. For additional information about Ms. Stamer, see here, e-mail her here or telephone Ms. Stamer at (214) 452-8297.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources here including:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The presenter and the program sponsor disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2017 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.


OCR Gives Health Care Providers, Other Covered Entities Post-Las Vegas Shooting HIPAA Medical Privacy Guidance On Disclosures To Family, Media & Others For Notification & Other Purposes

October 9, 2017

Widespread media coverage of this week’s Las Vegas, Nevada mass shooting (Las Vegas Shooting), and recent Hurricanes in Texas, Florida and Puerto Rico shows the barrage of requests for patient information from emergency and disaster response personnel, concerned family and friends, the media or others about the identity, status and other circumstances of patients and other individuals that health care providers caring for patients following a mass disaster or other emergency.

The tight restrictions and potentially stiff penalties authorized under the Health Insurance Portability And Accountability Act (HIPAA) Privacy and Security Rule (Privacy Rule)  on health care providers, health plans, and health care clearinghouses (Covered Entities) for improperly disclosing information about identifiable patients under the Privacy Rule necessitate that health care providers and other Covered Persons exercise great care to ensure that statements and other disclosures of identifiable patient information either are authorized in writing in accordance with HIPAA or otherwise specifically allowed under the Privacy Rule. See, e.g., $2.4M HIPAA Settlement Warns Providers About Media Disclosures Of PHI; $2.4M HIPAA Settlement Message Warns Health Plans & Providers Against Sharing Medical Info With Media, Others;  $2 Million+ HIPAA Settlement, FAQ Warn Providers Protect PHI From Media, Other Recording Or Use.

Following the Las Vegas Shooting, the Department of Health & Human Services (HHS) Office for Civil Rights (OCR) on October 3, 2017 issued an announcement on “Disclosures to Family, Friends, and Others Involved in an Individual’s Care and for Notification” (Announcement) intended to clarify certain limited situations when OCR interprets the Privacy Rule as allowing Covered Entities to disclose PHI to individuals involved in the patient’s care, the media or other parties not involved in the patient’s care for notification purposes without prior patient authorization.  Health care providers and other Covered Entities should review and update their existing Privacy Rule policies, practices and training in response to this and other evolving guidance to help prepare their teams appropriately to respond to family, media and other inquiries about patients in emergency and other circumstances.

Privacy Rule Generally

While mass shooting events like the Las Vegas Shooting, recent hurricanes, Ebola or other contagious disease outbreak and other mass injury or illness events garner widespread media and public attention, health care providers and other Covered Entities also regularly field requests for PHI about current or former patients from family and others involved in patients’ care or treatment, law enforcement, law enforcement, and the media or other members of the general public not involved in patient care.

The Privacy Rule generally requires Covered Entities to keep confidential, and prohibits Covered Entities from disclosing individually identifiable health care information about a patient that qualifies as “protected health information” or “PHI” without first obtaining a HIPAA-compliant authorization unless the disclosure meets all the requirements to fall under an exception defined in the Privacy Rule.

Since HIPAA’s broad definition of PHI encompasses even the name, identity and even existence of a patient, as well as more specific information about the current or past health condition and treatment of a patient, health care providers and other Covered Entities must prepare and train their staff to be prepared appropriately to comply with the Privacy Rules even when considering disclosing PHI to identify an incapacitated patient, notify or respond to inquiries of family or others involved in caring for patient during an emergency or disaster.

As OCR guidance consistently reaffirms, the Privacy Rule’s general prohibition against PHI without prior patient authorization and other requirements generally still apply during public health or other emergencies.[1] While Social Security Act § 1135(b)(7) allows HHS temporarily to waive sanctions and penalties for violations of some, but not all Privacy Rule requirements by a covered hospitals operating under disaster protocols during periods the President declares an emergency or disaster and the HHS Secretary declares a public health emergency as in response to Hurricanes Katrina,[2]Harvey,[3] Irma,[4]  and Maria,[5] this relief is rarely applicable, and limited in scope, applicability and duration.[6]  Consequently, Covered Entities still need to ensure that any contemplated disclosure is either authorized or meets all requirements the Privacy Rule requires to fall under an exemption to its general prohibition against unauthorized disclosure to avoid becoming subject to civil or even criminal sanctions under the Privacy Rule even when responding to inquiries during mass disaster, public health emergency or other exigent circumstances.

As discussed in November 2016 OCR Bulletin On HIPAA Privacy in Emergency Situations, the Privacy Rule includes various exceptions that may allow a health care provider or other Covered Entity to disclose the PHI of a patient involved in a public health or other emergency without patient authorization including:

  • PHI about the patient necessary to treat the patient or to treat a different patient including the coordination or management of health care and related services by one or more health care providers and others, consultation between providers, and the referral of patients for treatment. See 45 CFR §§ 164.502(a)(1)(ii), 164.506(c), and the definition of “treatment” at 164.501;
  • To a public health authority, such as the Centers for Disease Control and Prevention (CDC) or a state or local health department, authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury or disability. See 45 CFR §§ 164.501 and 164.512(b)(1)(i);
  • As necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public when consistent with applicable law (such as state statutes, regulations, or case law) and the provider’s standards of ethical conduct. See 45 CFR 164.512(j);
  • To a patient’s family members, relatives, friends, or other persons identified by the patient as involved in the patient’s care or as necessary to identify, locate, and notify family members, guardians, or anyone else responsible for the patient’s care, of the patient’s location, general condition, or death provided that the Covered Entity gets at least verbal permission from individuals or otherwise be able to reasonably infer that the patient does not object, when possible; or if the individual is incapacitated or not available, in the Covered Entity’s professional judgment, doing so is in the patient’s best interest. See 45 CFR 164.510(b);
  • With disaster relief organizations that, like the American Red Cross, are authorized by law or by their charters to assist in disaster relief efforts, for the purpose of coordinating the notification of family members or other persons involved in the patient’s care, of the patient’s location, general condition, or death without authorization if doing so would interfere with the organization’s ability to respond to the emergency; or
  • Limited facility directory information to acknowledge an individual is a patient at the facility and provide basic information about the patient’s condition in general terms (e.g., critical or stable, deceased, or treated and released) to the media or others not involved in the care of the patient upon request for information about a particular patient by name, if the patient has not objected to or restricted the release of such information or, if the patient is incapacitated, if the disclosure is believed to be in the best interest of the patient and is consistent with any prior expressed preferences of the patient. See 45 CFR 164.510(a).

See also Compliance Guidance and Enforcement Statement.

Announcement Clarifies Privacy Rules For Disclosures To Individuals Involved In Patient’s Care; For Notification; And To Media Or Others Not Involved In Patient Care

The new OCR Announcement provides clarification of the applicability of the Privacy Rule exemptions regarding disclosures of PHI by health care providers or other Covered Entities:

  • To individuals involved in the patient’s care or for notification purposes; or
  • To media or other individuals not involved in the patient’s care.

In addition, the Announcement also reminds Covered Entities:

  • Of their responsibility to limit disclosures made without HIPAA-compliant patient authorization other than for treatment purposes to the minimum necessary,
  • That the Privacy Rule allows Covered Entities to rely upon certifications that information requested by public health authorities or officials that the information requested is the minimum necessary; and
  • To continue to enforce role-based restrictions on PHI.
  • Disclosures to Family, Friends, Disaster Relief Responders and Others Involved in an Individual’s Care and for Notification

Privacy Rule §164.510(b) permits a Covered Entity to share PHI:

  • With a patient’s family members, relatives, friends, or other persons identified by the patient as involved in the patient’s care.
  • About a patient as necessary to identify, locate, and notify family members, guardians, or anyone else responsible for the patient’s care, of the patient’s location, general condition, or death.  This may include, where necessary to notify family members and others, the police, the press, or the public at large.  See Privacy Rule § 164.510(b).

When making such disclosures, the Announcement states a Covered Entity should get verbal permission from individuals or otherwise be able to reasonably infer that the patient does not object, when possible.

Concerning patients who are unconscious or incapacitated, the OCR guidance also states that a health care provider may share relevant information about the patient with family, friends, or others involved in the patient’s care or payment for care, if the health care provider in its professional judgement determines that doing so is in the best interests of the patient.

In addition, OCR says Covered Entities also may share PHI with disaster relief organizations that, like the American Red Cross, are authorized by law or by their charters to assist in disaster relief efforts, for the purpose of coordinating the notification of family members or other persons involved in the patient’s care, of the patient’s location, general condition, or death.  When disclosing PHI to disaster relief organizations, the Announcement states it is unnecessary to obtain a patient’s permission to share the information in this situation if doing so would interfere with the organization’s ability to respond to the emergency.

  • Disclosures to the Media or Others Not Involved in the Care of the Patient/Notification

As the Las Vegas Shooting illustrates, health care providers and other Covered Entities caring for patients during public health or other emergency situations often must deal with news or other media crews on or around treatment or other health care facilities and media and inquiries from the media or others about the identity, status or other PHI of patients. OCR’s past imposition of stiff penalties against other Covered Entities for improperly disclosing patient PHI to the media or the public without authorization alert Covered Entities of HIPAA risks of failing to properly control access and disclosures of PHI to the media or other general public without obtaining prior written authorization from patients or their personal representatives. See e.g., $2.4M HIPAA Settlement Warns Providers About Media Disclosures Of PHI. See also HIPAA Sanctions Triggered From Covered Entity Statements To Media, Workforce.

Previously issued OCR guidance makes clear that health care providers and other Covered Entities risk sanction both from allowing media or other members of the public inappropriate access to patient treatment or other areas with unsecured PHI as well as media statements and other disclosures of PHI to the media or public without first obtaining a HIPAA-compliant authorization except under narrow circumstances specified in the Privacy Rule.. See 45 CFR 164.510(a). OCR FAQ on Disclosures to the Media, for instance, states:

“the HIPAA Privacy Rule does not permit health care providers to disclose PHI to media personnel, including film crews, without having previously obtained a HIPAA-compliant authorization signed by the patient or his or her personal representative. In other words, health care providers may not allow members of the media, including film crews, into treatment areas of their facilities or other areas where PHI will be accessible in written, electronic, oral or other visual or audio form, without prior authorization from the patients who are or will be in the area or whose PHI will be accessible to the media.  It is not sufficient for a health care provider to request or require media personnel to mask the identities of patients (using techniques such as blurring, pixilation, or voice alteration software) for whom an authorization was not obtained, because the HIPAA Privacy Rule does not allow media access to the patients’ PHI, absent an authorization, in the first place.

In addition, the health care provider must ensure that reasonable safeguards are in place to protect against impermissible disclosures or to limit incidental disclosures of other PHI that may be in the area but for which an authorization has not been obtained.

While emphasizing the Privacy Rule’s general requirement to secure advance authorization, OCR FAQ on Disclosures to the Media also recognizes the following “very limited situations” that the Privacy Rule permits a Covered Entity to disclose limited PHI to the media without obtaining a HIPAA authorization:

  • A Covered Entity may disclose limited PHI about an unidentified incapacitated patient to the media seek to have the media help identify or locate the family of an unidentified and incapacitated patient in its care if, in the hospital’s professional judgment, doing so is in the patient’s best interest.  See 45 C.F.R. 164.510(b)(1)(ii);
  • A Covered Entity may disclose a patient’s location in the facility and condition in general terms that do not communicate specific medical information about the individual to any person, including the media, without obtaining a HIPAA authorization where the individual has not objected to his information being included in the facility directory, and the media representative or other person asks for the individual by name.  See 45 C.F.R. 164.510(a);
  • The HIPAA Privacy Rule does not require health care providers to prevent members of the media from entering areas of their facilities that are otherwise generally accessible to the public, which may include public waiting areas or areas where the public enters or exits the facility;
  • A health care provider may utilize the services of a contract film crew to produce training videos or public relations materials on the provider’s behalf if certain protections are in place.  If patients are to be identified by the provider and interviewed by a film crew, or if PHI might be accessible during filming or otherwise disclosed, the provider must enter into a HIPAA business associate agreement with the film crew acting as a business associate.  Among other requirements, the business associate agreement must ensure that the film crew will safeguard the PHI it obtains, only use or disclose the PHI for the purposes provided in the agreement, and return or destroy any PHI after the work for the health care provider has been completed.  See 45 C.F.R. 164.504(e)(2).  As a business associate, the film crew must comply with the HIPAA Security Rule and a number of provisions in the Privacy Rule, including the Rule’s restrictions on the use and disclosure of PHI.  In addition, authorizations from patients whose PHI is included in any materials would be required before such materials are posted online, printed in brochures for the public, or otherwise publicly disseminated; and
  • Covered Entities can continue to inform the media of their treatment services and programs so that the media can better inform the public, provided that, in doing so, the Covered Entity does not share PHI with the media without the prior authorization of the individuals who are the subject of the PHI.

The Announcement reaffirms the general principles stated in this and other prior guidance concerning Covered Entities dealings with the media and public and clarifies its interpretation about what PHI, if any, the Privacy Rule allows hospitals and other health care providers about PHI may share in response to requests from the media or other individuals not involved in the care of a patient without first obtaining an authorization.

The Announcement reaffirms that affirmative reporting to the media or the public at large about an identifiable patient, or the disclosure to the public or media of specific information about treatment of an identifiable patient, such as specific tests, test results or details of a patient’s illness, may not be done without the patient’s written authorization (or the written authorization of a personal representative who is a person legally authorized to make health care decisions for the patient) that complies with HIPAA’s authorization requirements. See 45 CFR 164.508.

The Announcement also clarifies, however, that Covered Entities that are hospitals or health care facilities that receive a request for information about a particular patient by name may release limited facility directory information to acknowledge an individual is a patient at the facility and provide basic information about the patient’s condition in general terms (e.g., critical or stable, deceased, or treated and released) if the patient has not objected to or restricted the release of such information or, if the patient is incapacitated, if the disclosure is believed to be in the best interest of the patient and is consistent with any prior expressed preferences of the patient.

  • Minimum Necessary Requirements & Other Privacy Rule Responsibility Reminders

The Announcement also cautions Covered Entities of the need to ensure beyond ensuring that a disclosure falls under a Privacy Rule exception, Covered Entities also need to ensure that other requirements of the Privacy Rule applicable to the disclosure also are met.  In this respect, the Announcement cautions Covered Entities that the Privacy Rule requires they limit any otherwise permitted disclosure of PHI other than for treatment purposes made without obtaining a HIPAA-compliant patient authorization to the minimum necessary to achieve the allowed purpose, while also reminding Covered Entities that when making disclosures otherwise permitted to public health authorities or public officials, the Privacy Rule allows the Covered Entity to rely on representations from a public health authority or other public official that the requested information is the minimum necessary for the purpose.

Furthermore, the Announcement also warns Covered Entity that they should continue to apply their role-based access policies to limit access to PHI to only those workforce members who need it to carry out their duties. See Privacy Rules §§ 164.502(b), 164.514(d).

In addition to keeping in mind these Privacy Rule conditions, Covered Entities also need to take steps to ensure that their organizations and workforce also continue to follow all necessary procedures to ensure that their organizations can demonstrate continued compliance with other Privacy Rule requirements on verification, documentation and recordkeeping, accounting for disclosure, business associates and the like.  In this regard, it is important that Covered Entities and their business associates take appropriate steps to ensure that their workforce carefully creates and retains the documentation and records needed to defend their actions as well as to respond to HHS requests and/or requests for accounting or disclosure that might arise in the future.

Required Action: Review & Update Emergency & Other Practices, Training In Response To Evolving Guidance

The Privacy Rules and other OCR guidance make clear that health care providers and other Covered Entities and their business associates are expected both to implement and maintain their practices, policies, workforce training and safeguards appropriately to control use, access and disclosure in emergency and other situations as well as to implement the necessary systems and safeguards to protect sensitive PHI, electronic PHI and associated records and system from improper access from the media or others and damage or destruction from disaster or other events.

In recognition that maintaining Privacy and Security Rule Compliance can prove challenging for Covered Entities and their business associates during emergency or other exigent events, OCR has published various other guidance it hopes will help Covered Entities and business associates prepare for and respond to these challenges including its Disclosure For Emergency Preparedness Decision Tool; and Public Health Authority Disclosure Request Checklist.

Covered Entities and their business associates should act promptly to review and update their policies, practices, safeguards and workforce training as needed in response to the new Announcement and other OCR guidance promptly.

About The Author

Repeatedly recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, a Fellow in the American College of Employee Benefit Council, the American Bar Foundation and the Texas Bar Foundation and board certified in labor and employment law by the Texas Board of Legal Specialization, Cynthia Marcotte Stamer is a practicing attorney, management consultant, author, public policy advocate and lecturer widely known for health and managed care, employee benefits, insurance and financial services, data and technology and other management work, public policy leadership and advocacy, coaching, teachings, and publications. Nationally recognized for her work, experience, leadership and publications on HIPAA and other medical privacy and data use and security, FACTA, GLB, trade secrets and other privacy and data security concerns, Ms. Stamer has worked extensively with clients and the government on cybersecurity, technology and processes and other issues involved in the use and management of medical, insurance and other financial, workforce, trade secrets and other sensitive data and information throughout her career.  Scribe or co-scribe of the ABA Joint Committee on Employee Benefits Agency meeting with OCR since 2011, Ms. Stamer extensive experience, advising, representing, training and coaching health care providers, health plans, healthcare clearinghouses, business associates, their information technology and other solutions providers and vendors, and others on HIPAA and other privacy, data security and cybersecurity design, documentation, administration, audit and oversight, business associate and other data and technology contracting, breach investigation and response, and other related concerns including extensive involvement representing clients in dealings with OCR and other Health & Human Services, Federal Trade Commission, Department of Labor, Department of Treasury, state health, insurance and attorneys’ general, Congress and state legislators and other federal officials.

Ms. Stamer also has an extensive contributes her leadership and insights with other professionals, industry leaders and lawmakers.    Her insights on HIPAA risk management and compliance often appear in medical privacy related publications of a broad range of health care, health plan and other industry publications Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, SHRM, HIMMS, the American Bar Association, the Health Care Compliance Association, a multitude of health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others.  You can get more information about her HIPAA and other experience here. For additional information about Ms. Stamer, see here, e-mail her here or telephone Ms. Stamer at (214) 452-8297.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources here.
If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The presenter and the program sponsor disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2017 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.

[1] See e.g. OCR Bulletin: HIPAA Privacy in Emergency Situations (November 2014).

[2] Disclosing PHI in Emergency Situations; Compliance Guidance and Enforcement Statement.

[3] August 2017 Hurricane Harvey Bulletin.

[4] September 2017 Hurricane Irma Bulletin.

[5] September 2017 Hurricane Maria Bulletin

[6] The HIPAA Privacy Rule is not suspended during a public health or other emergency; however, Section 1135(b)(7) of the Social Security Act allows HHS to waive sanctions and penalties against a covered hospital that does not comply with the following provisions of the Privacy Rule events if the President declares an emergency or disaster and the Secretary declares a public health emergency:

  • the requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
  • the requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
  • the requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
  • the patient’s right to request privacy restrictions. See 45 CFR 164.522(a).
  • the patient’s right to request confidential communications. See 45 CFR 164.522(b).

If the Secretary issues such a waiver, it only applies: (1) in the emergency area and for the emergency

period identified in the public health emergency declaration; (2) to hospitals that have instituted a disaster protocol; and (3) for up to 72 hours from the time the hospital implements its disaster protocol.

When the Presidential or Secretarial declaration terminates, a hospital must then comply with all the requirements of the Privacy Rule for any patient still under its care, even if 72 hours has not elapsed since implementation of its disaster protocol.  See also Social Security Act 1135(b)(7);  Frequently Asked Question: HIPAA waiver during a national or public health emergency; OCR Bulletin: HIPAA Privacy in Emergency Situations (November 2014).


6/16 Feedback Deadline For CDC Legal Epidemiology Competency Model; Other Legal Epidemiology Resources

June 1, 2017

Public health and other health care, employer and other business, education, community services, law enforcement and other government and community leaders and their legal and other advisers should check out and provide feedback to the Centers for Disease Control (CDC) on the new draft Legal Epidemiology Competency Model (LECM) and other CDC resources designed to help the U.S., its organizations, communities and people prepare for and respond to epidemic and other public health and disease concerns.

National and international concern about the outbreak and management of deadly Ebola and other pandemics, bioterrorism and other terrorism attacks, national disasters and other public health risks have sensitized Americans and their business, community and governmental leaders to the potential community wide risks of these and other public health events, the legal and operational challenges that often arise in the course of responding to these risks, and the helpfulness if not necessity of community-wide involvement, preparation and collaboration to the effectiveness of efforts to prepare for and respond to these occurrences.

In recognition of these realities, the CDC is stepping up its efforts both to understand better, and to to educate and support relevant components of U.S. communities, their advisers, researchers and leaders about these public health challenges including the relationships and influences between the occurrence and management of these public health events and the law (“legal epidemiology.”)

Widespread public and private concern and coverage of terrorism attacks and pandemic outbreaks have reinvigorated CDC’s emphasis and efforts to outreach to health care providers, public health, school, and other community organizations, employers and other business leaders and others.  In response to government and public Ebola and other epidemic and pandemic out breaks, for instance, the CDC in recent years has stepped up both its public communications about epidemic and other public health risks and its emphasis upon understanding and developing legal epidemiology practices and resources.   For instance, the death of an Ebola patient in Dallas and subsequent diagnosis of various other victims of Ebola and other pandemic diseases within or potentially traveling to the United States, reinvigorated the emphasis and efforts of  the CDC and other federal and state agencies and other public and private organizations and groups to help law and policy makers prepare for and respond to pandemic and other public health concerns.

While much of the increased or updated CDC knowledge and guidance focuses on improving understanding and communications targeting a specific public health risk or situation, such as the updated State Ebola Protocols Table specifically to support preparedness for and responsiveness Ebola-related situations, the CDC also now recognizes the need to understand and address more generally the emerging area of legal epidemiology.

As part of its efforts to promote better understanding and resources to address legal epidemiology challenges, CDC recently released and now is inviting input on a new draft LECM developed by the CDC in collaboration with a “multidisciplinary expert review  workgroup” as a resource to provide helpful information and support to lawyers, researchers, and others whose work explores how laws can play a role in the cause, distribution, and prevention of disease and injury or otherwise engaged in projects focused at the intersection of law and epidemiology, referred to as “legal epidemiology.”

Recognizing the growing importance of legal epidemiology, the CDC now is inviting input from the broad public health community, as well as from those engaged directly in legal epidemiology work to help CDC further refine the LECM.  While the CDC is inviting interested persons to review the draft LECM and share thoughts on any aspect of the model, CDC has indicated that CDC particularly is interested in reactions and suggestions related to any of the following questions:

  • Does the LECM reflect the requirements for truly effective performance of legal epidemiology?
  • Are there concepts that should be added or removed?
  • Are the behavioral statements in the draft LECM representative of how legal epidemiologists demonstrate competency in their work?
  • Does the draft LECM accurately reflect the knowledge, skills, and abilities that legal epidemiologists must demonstrate in your organization?
  • How might you use the LECM in your work?

Parties wishing to provide feedback should submit their feedback by Friday, June 16, 2017 in accordance with the instructions shared here or by email to Janelle Nichols at jnichols@phf.org.

Coincident with CDC’s release of the draft LECM for public comment, the CDC PHLP is working to expand awareness and understanding of the emerging field of legal epidemiology.

As part of these efforts, CDC recently released an updated version of its Criminal and Epidemiological Investigations Handbook. Offered in English, Spanish and French, this latest version provides an overview of criminal and epidemiological investigation procedures involving interactions between law enforcement and public health. It is designed to help teach public health and law enforcement how to work together to identify the biological agent, prevent the spread of the disease, avoid public panic, and apprehend those responsible.

CDC also is offering in collaboration with the National Environmental Health Association, a series of webinars on legal epidemiology.  The second webinar in a three-part series of free programs on legal epidemiology titled “Legal Epidemiology, Part 2: A Tool for Evaluating the Impact of Environmental Public Health Laws,” scheduled to take place on June 14, 2017, 1:00–2:30 pm (EDT) will feature speakers from PHLP, highlight variations in state law provisions related to environmental public health issues, and describe related legal epidemiology methods. It will also offer abbreviated training in the principles of legal epidemiology, give examples of its application to environmental public health law, and allow participants to ask questions.  For more details about the program or participation, see here.

About The Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: Erisa & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for work, teachings and publications.

Ms. Stamer works domestically and internationally with health, insurance and financial services, data and technology, services and consulting, energy, retail, hospitality and other businesses and their management, employee benefit plans, governments and other organizations deal with all aspects of human resources and workforce, internal controls and regulatory compliance, change management and other performance and operations management and compliance. Her day-to-day work encompasses both labor and employment issues, as well as independent contractor, outsourcing, employee leasing, management services and other nontraditional service relationships. She supports her clients both on a real-time, “on demand” basis and with longer term basis to deal with all aspects for workforce and human resources management, including, recruitment, hiring, firing, compensation and benefits, promotion, discipline, compliance, trade secret and confidentiality, noncompetition, privacy and data security, safety, daily performance and operations management, emerging crises, strategic planning, process improvement and change management, investigations, defending litigation, audits, investigations or other enforcement challenges, government affairs and public policy.

Well-known for her extensive work with health, insurance, financial services, technology, energy, manufacturing, retail, hospitality and governmental employers, her nearly 30 years’ of experience encompasses domestic and international businesses of all types and sizes.A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her thought leadership, experience and advocacy on these and other concerns by her service in the leadership of a broad range of other professional and civic organization including her involvement as the Vice Chair of the North Texas Healthcare Compliance Association; Executive Director of the Coalition on Responsible Health Policy and its PROJECT COPE: Coalition on Patient Empowerment; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children; former Gulf Coast TEGE Council Exempt Organization Coordinator; a founding Board Member and past President of the Alliance for Healthcare Excellence; former board member and Vice President of the Managed Care Association; past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; a member and advisor to the National Physicians’ Council for Healthcare Policy; current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee; current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section; Past Chair of the ABA Health Law Section Managed Care & Insurance Section; a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group; immediate past RPTE Representative to ABA Joint Committee on Employee Benefits Council Representative and current RPTE Representative to the ABA Health Law Coordinating Council; past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee; a former member of the Board of Directors, Treasurer, Member and Continuing Education Chair of the Southwest Benefits Association and others.

Author of “Privacy & Pandemic: A Workshop & Materials” presented to the ASTHO and a multitude of other pandemic, occupational health and other public health law and management matters, Ms. Stamer also is a highly popular lecturer, symposia chair and author, who publishes and speaks extensively on health care, privacy, human resources, labor and employment, employee benefits, compensation, occupational safety and health, and other regulatory and operational risk management for the American Bar Association, ALI-ABA, American Health Lawyers, Society of Human Resources Professionals, the Southwest Benefits Association, the Society of Employee Benefits Administrators, the American Law Institute, Lexis-Nexis, Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, the HCCA, ISSA, HIMSS, Modern Healthcare, Managed Healthcare, Institute of Internal Auditors, Society of CPAs, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other symposia and publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, InsuranceThoughtLeadership.com and many other prominent publications and speaks and conducts training for a broad range of professional organizations and for clients on the Advisory Boards of InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications.

Want to know more? See here for details about the author of this update, attorney Cynthia Marcotte Stamer, e-mail her here or telephone Ms. Stamer at (469) 767-8872.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources at www.SolutionsLawPress.com.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please provide your current contact information and preferences including your preferred e-mail by creating or updating your profile here.

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The publisher and the author expressly disclaim all liability for this content and any responsibility to provide any update or otherwise notify anyone of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.


CDC Public Health Externship Applications Due 1/31

January 22, 2017

January 31 is the deadline for students interested in careers in public health to apply for Summer, 2017 externships with the Center for Disease Control (CDC).

CDC offers several opportunities.  Second and Third Year law students can apply to the Public Health Law Program (PHLP) for a 2017 Summer Externship in public health law and tribal public health law.  PHLP also offers administrative and communication externships for students enrolled in masters-level programs in public health, public policy, public administration, communication, business, or similar disciplines. The externship consists of 9–14 weeks of professional work experience with PHLP in Atlanta, Georgia.

Applications for the spring 2017 externships are due by January 31, 2017.  See Public Health Law Program Externships Summer 2017.

About The Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of  “Labor & Employment,” “Tax: Erisa & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney and management consultant, author, public policy advocate and lecturer widely known for work, teachings and publications on HIPAA and other privacy and data security concerns earned in connection with her more than 28 years’ of involvement advising and representing business and government clients domestically and internationally about workforce and human resources, employee benefits; health care; insurance and financial; privacy and data security and other performance management, regulatory, internal controls and other compliance, risk management, public policy and operational other key concerns.

Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization, a Fellow in the American College of Employee Benefit Counsel, past Group Chair and current Defined Contribution Plans Committee Co-Chair, Groups and Substantive Committee and Membership Committee Members, past Welfare Plans Committee Chair and Co-Chair, and former Fiduciary Responsibility Vice Chair of the American Bar Association (ABA) RPTE Section Employee Benefits Group, Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current ABA International Section Life Sciences Committee Vice Chair, past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, former ABA Joint Committee on Employee Benefits Council Representative and Marketing Committee Chair and a prolific author and highly popular speaker and consultant, Ms. Stamer helps management manage.

Ms. Stamer’s legal and management consulting work throughout her nearly 30-year career has focused on helping organizations and their management use the law and process to manage people, process, compliance, operations and risk. Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer helps public and private, domestic and international businesses, governments, and other organizations and their leaders manage their employees, vendors and suppliers, and other workforce members, customers and other’ performance, compliance, compensation and benefits, operations, risks and liabilities, as well as to prevent, stabilize and cleanup workforce and other legal and operational crises large and small that arise in the course of operations.

Ms. Stamer works with businesses and their management, employee benefit plans, governments and other organizations deal with all aspects of human resources and workforce, internal controls and regulatory compliance, change management and other performance and operations management and compliance. She supports her clients both on a real-time, “on demand” basis and with longer term basis to deal with daily performance management and operations, emerging crises, strategic planning, process improvement and change management, investigations, defending litigation, audits, investigations or other enforcement challenges, government affairs and public policy.

As a core component of her work,  Ms. Stamer has worked extensively throughout her career with health care providers, health plans, health care clearinghouses, their business associates, employers, banks and other financial institutions, their technology and other vendors and service providers, and others on legal and operational risk management and compliance with HIPAA, FACTA, PCI, trade secret, physician and other medical confidentiality and privacy, federal and state data security and data breach and other information privacy and data security rules and concerns; prevention, investigation, response, mitigation and resolution of known or suspected data or privacy breaches or other incidents; defending investigations or other actions by plaintiffs, OCR, FTC, state attorneys’ general and other federal or state agencies; reporting and redressing known or suspected breaches or other violations; business associate and other contracting; insurance or other liability management and allocation; process and product development, contracting, deployment and defense; evaluation, commenting or seeking modification of regulatory guidance, and other regulatory and public policy advocacy; training and discipline; enforcement, and a host of other related concerns for public and private health care providers, health insurers, health plans, technology and other vendors, employers, and others.

Beyond her extensive involvement advising and representing clients on privacy and data security concerns and other health industry matters, Ms. Stamer also has served for several years as a scrivener for the ABA JCEB’s meeting with OCR, the Chair of the Southern California ISSA Health Care Privacy & Security Summit, and an editorial advisory board member, author, program chair or steering committee member, and faculties for a multitude of other programs and publications regarding privacy, data security, technology and other compliance, risk management and operational concerns in the health care, health and other insurance, employee benefits and human resources, retail, financial services and other arenas.

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her thought leadership, experience and advocacy on HIPAA and other concerns by her service in the leadership of a broad range of other professional and civic organization including her involvement as the Vice Chair of the North Texas Healthcare Compliance Association, Executive Director of the Coalition on Responsible Health Policy and its PROJECT COPE: Coalition on Patient Empowerment, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children; former Board Compliance Chair and Board member of the National Kidney Foundation of North Texas, current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, immediate past RPTE Representative to ABA Joint Committee on Employee Benefits Council Representative and current RPTE Representative to the ABA Health Law Coordinating Council, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, a former member of the Board of Directors of the Southwest Benefits Association and others.

Ms. Stamer also is a highly popular lecturer, symposium and chair, faculty member and author, who publishes and speaks extensively on health and managed care industry, human resources, employment and other privacy, data security and other technology, regulatory and operational risk management. Examples of her many highly regarded publications on these matters include “Protecting & Using Patient Data In Disease Management: Opportunities, Liabilities And Prescriptions,” “Privacy Invasions of Medical Care-An Emerging Perspective,” “Cybercrime and Identity Theft: Health Information Security: Beyond HIPAA,” as well as thousands of other publications, programs and workshops these and other concerns for the American Bar Association, ALI-ABA, American Health Lawyers, Society of Human Resources Professionals, the Southwest Benefits Association, the Society of Employee Benefits Administrators, the American Law Institute, Lexis-Nexis, Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, the HCCA, ISSA, HIMSS, Modern Healthcare, Managed Healthcare, Institute of Internal Auditors, Society of CPAs, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other symposia and publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, InsuranceThoughtLeadership.com and many other prominent publications and speaks and conducts training for a broad range of professional organizations and for clientson the Advisory Boards of InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications. For additional information about Ms. Stamer, see CynthiaStamer.com  or contact Ms. Stamer via email here or via telephone to (469) 767-8872.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources at  http://www.solutionslawpress.com such as:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or updating your profile here.

©2016 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™  All other rights reserved.


CDC Public Health Intership Opportunities Announced

March 31, 2016

By:  Cynthia Marcotte Stamer

The Centers for Disease Control (CDC) Public Health Law Program (PHLP) is inviting students enrolled in masters-level programs earning degrees in public health, public policy, public administration, communication, business, or similar disciplines to apply for a 9–14 week long Administrative and Communication Internship/Externship in Atlanta, Georgia.

With rolling start and completion dates during the academic year, CDC says the  unpaid internship/externship exposes students to high-level strategic planning and other program functions, including marketing, communication, project management, and partner engagement.

Listed responsibilities of internship/externship are to:

  • Help write and research breaking stories and relevant commentary for PHLP publications and communications, including Public Health Law News
  • Provide coverage highlights of state and federal congressional hearings, regulatory meetings, and other events driving news about public health
  • Help maintain listservs, communications archives, and PHLP’s website content
  • Help design and execute PHLP’s marketing and communication plans
  • Coordinate webinars and trainings with partner organizations

Applicants for the program must meet the following qualifications:

  • Currently enrolled in a masters-level public health, public policy, public administration, communication, business, or other related program
  • Excellent communication and time managements skills
  • Ability to work effectively, both independently and as part of a team, in a fast-paced environment

CDC says these internships/externships are unpaid. Internships are not tied to academic credit. Externship and practicum opportunities are available for students seeking academic credit as authorized by law schools or schools of public health.

To apply, CDC invites interested persons to send a resume and cover letter to phlawprogram@cdc.gov by the applicable of the following deadlines:

  • Summer–February 28
  • Fall—May 31
  • Spring—November 1

About The Author

Recognized as “LEGAL LEADER™ Texas Top Rated Lawyer” in both Health Care Law and Labor and Employment Law, a “Texas Top Lawyer,” an “AV-Preeminent” and “Top Rated Lawyer” by Martindale-Hubble; as among the “Best Lawyers In Dallas 2015 by D Magazine; and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, the author of this update, attorney Cynthia Marcotte Stamer, more than 28 years of extensive experience representing and advising health industry clients and others on these and other regulatory, risk management, public policy and operations matters.

Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, Board Certified in Labor & Employment Law, and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer’s experience includes advising hospitals, nursing home, home health, rehabilitation and other health care providers and health industry clients to establish and administer compliance and risk management policies; prevent, conduct and investigate, and respond to peer review and other quality concerns; and to respond to Board of Medicine, Department of Aging & Disability, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. The scribe for the American Bar Association (ABA) Joint Committee on Employee Benefits annual agency meeting with the Department of Health & Human Services Office of Civil Rights, Ms. Stamer has worked extensively with health care providers, health plans, health care clearinghouses, their business associates, employers, banks and other financial institutions, and others on risk management and compliance with HIPAA and other information privacy and data security rules, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and enforcement, and a host of other related concerns. Her clients include public and private health care providers, health insurers, health plans, technology and other vendors, and others. In addition to representing and advising these organizations, she also has conducted training on Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.

A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her insights on these and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. You can get more information about her health industry experience here. If you need assistance responding to concerns about the matters discussed in this publication or other health care concerns, wish to obtain information about arranging for training or presentations by Ms. Stamer, wish to suggest a topic for a future program or update, or wish to request other information or materials, please contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press

Solutions Law Press, Inc.™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns.

Other Helpful Resources & Other Information

Solutions Law Press, Inc.™ hopes that this information is useful to you. If you found these updates of interest, you also be interested in  other recent Solutions Law Press, Inc. training, articles and resources.  You can see more articles from this Health Care Update electronic publication, the Coalition for Responsible Health Care Reform electronic publication, our electronic HR & Benefits Update and other publications like the following and get information about training and other resources at www.Solutionslawpress.com:

OCR’s Proposed Sex & Other Discrimination Rules Spell Headaches & New Risks For Health Care Providers, Insurers & Other

You also can get access to information about how you can arrange for training on “Building Your Family’s Health Care Toolkit,” using the “PlayForLife” resources to organize low-cost wellness programs in your workplace, school, church or other communities, and other process improvement, compliance and other training and other resources for health care providers, employers, health plans, community leaders and others here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail by creating or updating your profile here. You can access other recent updates and other informative publications and resources here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. For important information concerning this communication see here. THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS. ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.

 

©2016 Cynthia Marcotte Stamer, P.C. Non-exclusive license to republish granted to Solutions Law Press, Inc. All other rights reserved.


Health Care Providers & Other HIPAA-Covered Entities & Their Business Associates Must Comply With New HHS Health Information Data Breach Rules By September 24

August 24, 2009

Register Now To Participate in September 9  “HITECH Act Health Data Security & Breach Update”

Health care providers, health clearinghouses, health plans and their business associates generally must start complying with new federal data breach notification rules on September 24, 2009. 

The new “Breach Notification For Unsecured Protected Health Information” regulation (Breach Regulation) published here in today’s Federal Register requires health care providers, health plans, health care clearinghouses and their business associates (Covered Entities) covered under the personal health information privacy and security rules of the Health Insurance Portability & Accountability Act (HIPAA) to notify affected individuals following a “breach” of “unsecured” protected health information. The Breach Regulation is part of a series of guidance that HHS is issuing to implement new and stricter personal health information privacy and data security requirements for Covered Entities added to HIPAA under the Health Information Technology for Economic and Clinical Health (HITECH) Act signed into law on February 17, 2009 as part of American Recovery and Reinvestment Act of 2009 (ARRA).

You are invited to catch up on what these new rules mean for your organization and how it must respond by participating in the “HITECH Act Health Data Security & Breach Update” on Wednesday, September 9, 2009 from Noon to 1:30 P.M. Central Time.

HITECH Act Data Breach and Unsecured PHI Rules

Scheduled for publication in the Federal Register on August 24, 2009, the new Breach Regulation implements the HITECH Act requirement that Covered Entities and their business associates notify affected individuals, the Secretary of HHS, and in some cases, the media, when a breach of “unsecured protected health information” happens and the form, manner, and timing of that notification. Covered Entities must begin complying with the new Breach Regulation on September 24, 2009. 

Part of a series of new HHS rules implementing recent changes to HIPAA enacted under the HITECH Act to strengthen existing federally mandates requiring Covered Entities to safeguard protected health information, the Breach Regulation will obligate Covered Entities and business associates to provide certain notifications following a breach of “protected health information” that not secured at the time of the breach through the use of a technology or methodology meeting minimum standards issued by HHS pursuant to other provisions of the HITECH Act.

Under the HITECH Act, the breach notification obligations contained in the Breach Notification only apply to a breach of “unsecured protected health information.” The Breach Regulation exempts breaches of protected health information that qualify as “secured” under separately issued HHS and Federal Trade Commission (FTC) standards for encryption and destruction of protected health information from its breach notification requirements.  

For purposes of the HITECH Act, electronic protected health information is considered “unsecured” unless the Covered Entity has satisfied certain minimum standards for the protection of that data established pursuant to the HITECH Act.  Earlier this year, HHS and the FTC issued interim rules defining the minimum encryption and destruction technologies and methodologies that Covered Entities must use to render protected health information unusable, unreadable, or indecipherable to unauthorized individuals for purposes of determining when protected health information is “unsecured” for purposes of the HITECH Act.  Concurrent with its publication of the Breach Regulation, HHS also released guidance updating and clarifying this previously issued guidance. 

Read the Breach Regulation here.  To review the HITECH Act Breach Notification Guidance and Request for Information, see here.

September 9 “HITECH Act Health Data Security & Breach Update” Briefing

Interested persons are invited to register here now  to learn what these new rules mean for your organization and how it must respond by participating in the “HITECH Act Health Data Security & Breach Update” on Wednesday, September 9, 2009 from Noon to 1:30 P.M. Central Time. For a registration fee of $45.00, registrants will have the option to participate via teleconference or in person at the offices of Curran Tomko Tarski LLP, 2001 Bryan Street, Suite 2050, Dallas Texas 75201.  For information about registering for this program or other questions here 

Conducted by Curran Tomko and Tarski LLP Partner Cynthia Marcotte Stamer, the briefing will cover:

  • Who must comply
  • What your organization must do
  • How to qualify protected health information as exempt from the breach regulations as “secure” protected health information
  • What is considered a breach of unsecured protected health information
  • What steps must a covered entity take if a breach of unsecured protected information happens
  • What liabilities do covered entities face for non-compliance
  • What new contractual requirements, policies and procedures Covered Entities and Business Associates will need
  • How the Breach Regulation, the Privacy Regulation, impending FTC red flag rules and state data breach and privacy rules interrelate
  •  Other recent developments
  • Practical tips for assessing, planning, moving to and defending compliance
  • Participant questions
  • More 

About The Presenter

 The program will be presented by Curran Tomko Tarski LLP Partner Cynthia Marcotte Stamer.  Ms. Stamer is nationally known for her work, publications and presentations on privacy and security of health and other sensitive information in health and managed care, employment, employee benefits, financial services, education and other contexts. 

Vice President of the North Texas Health Care Compliance Professionals Association  and Past Chair of the ABA Health Law Section Managed Care & Insurance Section, and Former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 20 years experience advising clients about health and other privacy and security matters.  A popular lecturer and widely published author on privacy and data security and other related health care and health plan matters, Ms. Stamer is the Editor in Chief of the forthcoming 2010 edition of the Information Security Guide to be published by the American Bar Association Information Security Committee in 2010, as well as the author of “Protecting & Using Patient Data In Disease Management: Opportunities, Liabilities And Prescriptions,” “Privacy Invasions of Medical Care-An Emerging Perspective,” “Cybercrime and Identity Theft: Health Information Security Beyond HIPAA,” and a host of other highly regarded publications. She has continuously advises employers, health care providers, health insurers and administrators, health plan sponsors, employee benefit plan fiduciaries, schools, financial services providers, governments and others about privacy and data security, health care, insurance, human resources, technology, and other legal and operational concerns. Ms. Stamer also publishes and speaks extensively on health and managed care industry privacy, data security and other technology, regulatory and operational risk management matters.  Her insights on health care, health insurance, human resources and related matters appear in the Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Managed Healthcare, Health Leaders, and a many other national and local publications.  For additional information about Ms. Stamer, her experience, involvements, programs or publications, see here.  

We hope that this information is useful to you.  If you need assistance monitoring, evaluating or responding to these or other compliance, risk management, transaction or operation concerns, please contact the author of this update, Cynthia Marcotte Stamer, at (214) 270-2402, cstamer@cttlegal.com or another Curran Tomko Tarski LLP Partner of your choice.

Other Helpful Resources & Other Information

If you found these updates of interest, you also be interested in one or more of the following other recent articles published on our electronic Curran Tomko Tarski LLP publications available for review here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail- by creating or updating your profile at here. You can access other recent updates and other informative publications and resources provided by Curran Tomko Tarski LLP attorneys and get information about its attorneys’ experience, briefings, speeches and other credentials here.

For important information concerning this communication click here.  If you do not wish to receive these updates in the future, send an e-mail with the word “Remove” in the Subject to support@cttlegal.net.

©2009 Cynthia Marcotte Stamer.   All rights reserved. 

 


%d bloggers like this: