TSHHRAE Provides Health Industry Managers Employment Law Update & Other Timely Management Training At April Barnstorm 2010: Creating Effective Leaders Programs

March 23, 2010

Get Details & Registration Information here!

A Legal Update on Employment Law presentation by Attorney Cynthia Marcotte Stamer is among 5 hours of “Barnstorm 2010: Creating an Effective Leaders-Tools of the Trade” management training that the Texas Society for Healthcare Human Resources Administration and Education (TSHHRAE) will be hosting for health industry human resources and other managers in five Texas cities between April 26 and April 30, 2010. 

Interested health industry human resources and other managers can elect to participate in TSHHRAE’s Barnstorm 2010 management training at the following dates and locations:  

  • April 26 – Weslaco, Knapp Medical Center
  • April 28 – Sweetwater, Rolling Plains Memorial Hospital
  • April 28 – Brenham, Trinity Medical Center
  • April 29 – Lubbock, University Medical Center
  • April 30 – Odessa, Medical Center Hospital

Update on Employment Law Program Highlights

Ms. Stamer’s Legal Update on Employment Law Program will address:

  • Recent changes in FMLA, Military Leave, wage and hour, ADA & other disability, COBRA, GINA, HIPAA and other selected federal & Texas employment laws and regulations;
  • Rising government enforcement of EEOC, HIPAA, wage & hour, worker classification, and other laws and regulations;
  • Recent developments and increases in retaliation claims;
  • Recent cases related to supervision; and
  • Other selected developments impacting health industry human resources management.

Other Barnstorm 2010 Program Highlights and Details

In addition to the Legal Update on Employment Law that Ms. Stamer is scheduled to present, the Barnstorm Program also will feature presentations on:

  • Leadership in 2010
  • Dealing with Poor Performers; and
  • Cultivating a Superstar

For registration and other information about the Barnstorm Program, see here.

About Ms. Stamer

Nationally and internationally recognized for more than 22 years of work with health industry and other organizations, publications, workshops and presentations and leadership on health industry and other labor and employment, staffing and credentialing, employee benefits, performance management and discipline, regulatory compliance and internal controls, risk management, and public policy matters, Ms. Stamer is Chair of the Curran Tomko Tarski Labor & Employment & Health Care Practice Groups, Vice President of the North Texas Health Care Compliance Professionals Association, Government Affairs Committee Legislative Chair for the Dallas Human Resources Management Association, Chair of the American Bar Association (ABA) RPTE Employee Benefits & Other Compensation Committee, a Council Representative on the ABA Joint Committee on Employee Benefits and past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, Ms. Stamer is.  The publisher of Solutions Law Press HR & Benefits Update, the Solutions Law Press Health Care Update, and Solutions Law Press Health Care Privacy & Technology Update and a former legal columnist for MD News, Ms. Stamer also is a popular speaker and author of these topics.  She regularly speaks and conducts training for the ABA, American Health Lawyers Association (AHLA), Health Care Compliance Association, Institute of Internal Auditors, Harris County Medical Society, the Medical Group Management Association, SHRM, Southwest Benefits Association and many other organizations.  Publishers of her many highly regarded writings on health industry and human resources matters include the Bureau of National Affairs, Aspen Publishers, ABA, AHLA, Spencer Publications, World At Work, SHRM, Business Insurance, James Publishing and many others.  You can review other highlights of Ms. Stamer’s health care experience here, and employment experience hereHer insights on these and other matters appear in Managed Care Executive, Modern Health Care, the Wall Street Journal, the Dallas Business Journal, the Houston Business Journal, MDNews, Kentucky Physician, and many other national and local publications.

If you need assistance with health industry human resources or other management, concerns, wish to inquire about compliance, risk management or training, or need legal representation on other matters please contact Cynthia Marcotte Stamer at cstamer@cttlegal.com or 214.270.2402. 

Other Resources

If you found this information of interest, you also may be interested in reviewing other updates and publications by Ms. Stamer including:

For More Information

We hope that this information is useful to you.  If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile at here or e-mailing this information here. To unsubscribe, e-mail here.

©2010 Cynthia Marcotte Stamer.  All rights reserved.

HIPAA Heats Up: HITECH Act Changes Take Effect & OCR Begins Posting Names, Other Details Of Unsecured PHI Breach Reports On Website

February 25, 2010

By Cynthia Marcotte Stamer

The Department of Health and Human Services Office of Civil Rights (OCR) has begun posting on its website the names and certain information about health care providers, health insurers,  employer and other health plans, health care clearinghouses and their business associates (Covered Entities) reporting to OCR “breaches” of “unsecured protected health information” (UPHI) under new breach notice rules added by the Health Information Technology for Economic and Clinical Health Act (HITECH Act).

Covered Entities should anticipate the posting of the breach information and other HITECH Act breach notices coupled with amendments to the medical privacy and security requirements of the Health Insurance Portability & Accountability Act (HIPAA) effective since February 17, 2010, will heighten enforcement risks and public sensitivities about medical information privacy safeguards.  As failing to comply with the amended rules effective February 17, 2010 can trigger obligations under the Breach Regulations and other significant liability exposures, Covered Entities should act quickly to manage these emerging risks.

Covered Entity Breach Notification Requirements

The initial list of Covered Entities reporting  breaches of UPHI affecting 500 or more individuals posted by OCR on February 22, 2010 discloses the Covered Entity’s name and State, the approximate number of individuals affected, the date and type of breach and the location of the breached information. OCR’s posting of this information is required under the HITECH Act breach notification requirements as part of its implementation and enforcement of new breach notification requirements added to HIPAA by Section 13402(e)(3) of the HITECH Act.

The HITECH Act amended HIPAA to require Covered Entities to require Covered Entities provide notification to individuals, OCR and others when certain breaches of UPHI happen.  The implementing interim “Breach Notification For Unsecured Protected Health Information” regulations (Breach Regulation) published by OCR here require Covered Entities subject to HIPAA to notify affected individuals, OCR and in some cases the media within specified periods following a “breach” of UPHI occurring on or after September 23, 2009 unless the Covered Entity can demonstrate that the breach qualified as exempt from the breach notification obligation under the Breach Regulations.

Covered Entities generally should consider the need to provide breach notification under the Breach Regulation whenever electronic or non-electronic protected health  information which is not adequately encrypted or destroyed to qualify as “secured” under the breach rules is used, accessed or disclosed in violation of HIPAA.  

Since the potential need to provide breach notification is triggered by an impermissible use, access or disclosure of UPHI, up-to-date maintenance, monitoring and enforcement is at the heart of compliance with the Breach Regulation as well as HIPAA generally.

You can review the currently posted list of Covered Entities that have reported breaches on the OCR website here.  Learn more about the Breach Regulation requirements here

Broader & Stricter Medical Privacy Mandates Effective 2/17/210

The new breach notification requirements are part of a series of changes made to HIPAA under the HITECH Act that are increasing the responsibilities and liability exposures of Covered Entities. On February 17, 2010, Covered Entities and their business associates also became subject to tighter federal requirements for the use, access, protection and disclosure of protected health information under amendments to HIPAA’s Privacy & Security Standards enacted in the HITECH Act. When the HITECH Act was signed into law on February 17, 2009, Covered Entities also became subject to expanded sanctions and remedies for HIPAA violations.

To comply with the HITECH Act changes to HIPAA effective on February 17, 2010, most Covered Entities and their business associates generally will need to update their written policies, operational procedures, technical safeguards, privacy notices, vendor and other agreements, training, and other management procedures in several respects. For more details, see here.

While the HITECH Act gave Covered Entities and business associates a year to complete the necessary arrangements to comply with these HITECH Act changes, many Covered Entities and business associates have not adequately implemented the necessary arrangements. To mitigate these exposures, Covered Entities and their business associates should act quickly to review and update their policies, procedures, training, business associate and other services agreements, and other practices and procedures, as well as to implement the training, oversight, and other management necessary to comply with the HITECH Act changes and to mitigate other HIPAA risks.

Exposures Significant & Growing

HIPAA-associated exposures for Covered Entities are significant and growing. Timely action to comply with the amended HIPAA requirements and Breach Regulations is important to avoid triggering the breach notification requirements; to prevent loss of public trust and reputation;  and to minimize exposures to legal actions, administrative complaints and sanctions and the  investigation, defense and correction costs likely to result when a Covered Entity violates or is accused of violating HIPAA or otherwise mishandling medical or other personal information. 

Even before the HITECH Act changes became effective, federal regulators were stepping up HIPAA enforcement. The HITECH Act amendments further increase the risk that Covered Entities violating HIPAA face investigation and sanction. The HITECH Act amendments increase the likelihood that Covered Entities violating HIPAA will get caught and will face some form of damage or penalty assessment.  Heightened awareness of UPHI breaches resulting from HITECH Act mandated breach notifications are likely to fuel new HIPAA-related complaints, charges and demands.  Covered Entities, workforce members who wrongfully access protected health information now face potential civil penalties,  criminal prosecution, civil lawsuits and other actions. Allowing state attorneys general to bring suit adds more manpower to the enforcement team.   Furthermore, the wrongful use, access or disclosure of protected health information or other confidential information also increasingly is the basis of civil or criminal actions brought under a variety of other federal and state laws.

New Risks Created By HITECH Act Amendments

Heightened HIPAA exposures stem in part from the HITECH Act’s amendments to HIPAA’s remedy provisions.  Among other things, the HITECH Act amended HIPAA to:

  • Allow a State Attorney General to sue Covered Entities that commit HIPAA violations after February 16, 2009 for damages caused to state citizens;
  • Expand the mandate by OCR to investigate violations and audit compliance with HIPAA;
  • Require OCR to impose civil sanctions against Covered Entities and business associates involved in violations of HIPAA in accordance with tightened standards added to HIPAA by the HITECH Act;
  • Revise the criminal sanctions that the Department of Justice can seek against Covered Entities and others for violations of HIPAA; and
  • Amend HIPAA to make clear that workforce members and others improperly using, accessing or disclosing protected health information in violation of HIPAA can face criminal prosecution.

State Attorney General Lawsuit Exposures

Covered Entities must be concerned about the potential that a state Attorney General may bring civil suit to remedy damages caused to state citizens by a breach of HIPAA.  In certain situations, the HITECH Act empowers a state attorney general to sue Covered Entities for damages if their HIPAA violations harm state citizens. Statutory damages equal to the sum of the number of violations multiplied by 100 up to a maximum of $25,000 per calendar year plus attorneys fees and costs are authorized.

A HIPAA civil lawsuit demonstrates the willingness of at least some states to exercise the new authority to sue Covered Entities. On January 13, 2010 Connecticut Attorney General Richard Blumenthal sued Health Net of Connecticut, Inc. (Health Net) for failing to secure private patient medical records and financial information involving 446,000 Connecticut enrollees and promptly notify consumers endangered by the security breach.   The first attorney general enforcement action brought based on amendments made to HIPAA under the HITECH Act, Connecticut charges that Health Net violated HIPAA by failing to safeguard protected medical records and financial information on almost a half million Health Net enrollees in Connecticut then allowing this information to remain exposed for at least six months before notifying authorities and consumers. The suit also names UnitedHealth Group Inc. and Oxford Health Plans LLC, who have acquired Health Net. 

Stepped Up Federal Enforcement

Even before the HITECH Act amendments, OCR and Department of Justice increased HIPAA investigation and enforcement.  The Department of Justice has obtained a variety of criminal convictions against violators of HIPAA.  See, e.g., 2 New HIPAA Criminal Actions Highlight Risks From Wrongful Use/Access of Health InformationMeanwhile, OCR also is emphasizing HIPAA enforcement.  In February, 2009, OCR announced that CVS Pharmacies, Inc. would pay $2.25 million to resolve HIPAA charges.  This announcement followed OCR’s announcement in July, 2008 that Providence Health Care would pay $100,000 to resolve HIPAA violation charges.  OCR also has taken HIPAA enforcement actions against a broad range of other Covered Entities. See more details hereWhile not resulting in the significant payments involved in CVS or Providence, all Covered Entities involved in these and other enforcement actions or investigations have incurred significant legal and other defense costs, loss of community trust, or both.

In addition to these HIPAA-specific exposures, wrongful use, access or disclosure of medical information also can expose Covered Entities, members of their workforce and others improperly using, accessing or disclosing protected health information to liability under other federal or state laws.  Federal and state prosecutors may and increasingly do bring criminal or civil actions against organizations or individuals for improperly accessing or using medical or other personal information under a variety of other federal or state laws .  See e.g., Cybercrime & Identity Theft: Health Information Security Beyond HIPAA; NY AG Cuomo Announcement of 1st Settlement For Violation of NY Security Breach Notification Law; Woman Who Revealed AIDs Info Gets A Year

State Civil Lawsuits

Covered Entities also need to prepare to defend HIPAA-related conduct in state civil actions.  Individual plaintiffs increasingly used alleged HIPAA violations in state privacy, negligence, retaliation, wrongful discharge or other lawsuits.  State courts have allowed private plaintiffs to use the obligations imposed by HIPAA as the basis of a Covered Entity’s duty for purposes of certain state law lawsuits.  In  Sorensen v. Barbuto, 143 P.3d 295 (Utah Ct. App. 2006), for example, a Utah appeals court ruled a private plaintiff could use HIPAA standards to establish that a physician owed a duty of confidentiality to his patients for purposes of maintaining a state law damages claim.  Similarly, the Court in Acosta v. Byrum, 638 S.E. 2d 246 (N.C. Ct. App. 2006) ruled that a plaintiff could use HIPAA to establish the “standard of care” in a negligence lawsuit. Meanwhile, disgruntled employees or other business partners performing services for  Covered Entities also increasingly are pointing to HIPAA as the basis for their retaliation or wrongful discharge claims. See, e.g.,  Retaliation For Filing HIPAA Complaint Recognized As Basis For State Retaliatory Discharge Claim. Read more here

Coupled with the HITECH Act changes, these and other enforcement actions signal growing potential hazards for Covered Entities that  fail to properly manage their HIPAA compliance obligations and risks. To help guard against these exposures, Covered Entities should act quickly to strengthen their HIPAA defenses by updating policies, contracts, practices, security, training, oversight, documentation and management.

Covered Entities & Business Associates Urged To Act Promptly To Manage Mitigating Expanded HIPAA Risks & Obligations

Faced with these expanding obligations and exposures, Covered Entities should prepare for the need to defend the adequacy of their HIPAA compliance efforts on paper and in operation. As part of these efforts, Covered Entities should consider:

  • Reviewing the adequacy of the practices, policies and procedures of the Covered Entities, business associates, and others that may come into contact with protected health information within the scope of attorney-client privilege taking into consideration the Corrective Action Plan, published OCR noncompliance and enforcement statistics, their own and reports of other security and privacy breaches and near misses, and other developments to determine if additional steps are necessary or advisable;
  • Updating policies, privacy and other notices, practices, procedures, training and other practices as needed to promote compliance and defensibility;
  • Renegotiating and enhancing service provider agreements to detail the specific compliance obligations of each party; to clarify the respective rights, procedures and responsibilities of each party in regards to compliance audits, investigation, breach reporting, and mitigation; to clarify rights of indemnification; and other related relevant matters;
  • Improving technological and other tracking, documentation and safeguards and controls to the use, access and disclosure of protected health information;
  • Conducting well-documented training as necessary to ensure that members of the Covered Entity’s workforce understand and are prepared to comply with the expanded requirements of HIPAA, can detect potential breaches or other compliance concerns, and understand and are prepared to follow appropriate procedures for reporting and responding to suspected violations;
  • Tracking actual and near miss violations and making adjustments to policies, practices, training, safeguards and other compliance components as necessary to deter future concern
  • Establishing and providing well-documented monitoring of compliance;
  • Establishing and providing well-documented timely investigation and redress of reported violations or other compliance concerns;
  • Establishing contingency plans for responding in the event of a breach;
  • Establishing a well-documented process for monitoring and updating policies, practices and other efforts in response to changes in risks, practices and  requirements;
  • Preparing and maintaining a well-documented record of compliance activities; and
  • Pursuing other appropriate strategies to enhance the Covered Entity’s ability to demonstrate its compliance commitment both on paper and in operation.

For Assistance With Compliance Or Other Concerns

The author of this article,  Ms. Stamer has extensive experience advising and assisting health care practitioners and other businesses and business leaders to establish, administer, investigate and defend health care fraud and other compliance and internal control policies and practices to reduce risk under federal and state health care and other laws. If you need assistance with these or other compliance concerns, wish to inquire about arranging for compliance audit or training, or need legal representation on other matters please contact the author of this article, Cynthia Marcotte Stamer, CTT Health Care Practice Group Chair, at cstamer@cttlegal.com, 214.270.2402 or another Curran Tomko Tarski LLP attorney of your choice.  You can get more information about the CTT Health Care Practice  and more specifics about Ms. Stamer’s health industry experience here.

Ms. Stamer is nationally known for her work, training and presentations, and publications on privacy and security of health and other sensitive information in health and managed care, employment, employee benefits, financial services, education and other contexts. 

Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 22 years experience advising clients, conducting workshops and other training, and providing policy advice about health care, privacy, data security, and other matters. She advises health care providers, health insurers and administrators, employer and other health plan sponsors, employee benefit plan fiduciaries, schools, financial services providers, governments and others about privacy and data security, health care, insurance, human resources, ERISA, technology, and other legal and operational concerns. Ms. Stamer also publishes and speaks extensively on health and managed care industry privacy, data security and other technology, regulatory and operational risk management matters. A widely published author on privacy, data security, health care and other related matters, Ms. Stamer is the author of “Protecting & Using Patient Data In Disease Management: Opportunities, Liabilities And Prescriptions,” “Privacy Invasions of Medical Care-An Emerging Perspective,” “Cybercrime and Identity Theft: Health Information Security Beyond HIPAA,” and a host of other highly regarded publications. Her insights on health care, health insurance, human resources and related matters appear in the Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Managed Healthcare, Health Leaders, and a many other national and local publications.  For additional information about Ms. Stamer, her experience, involvements, programs or publications, see here.  

Other Helpful Resources & Other Information

If you found these updates of interest, you also be interested in one or more of the following other recent articles:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail- by creating or updating your profile at here. You can access other recent updates and other informative publications and resources provided by Curran Tomko Tarski LLP attorneys and get information about its attorneys’ experience, briefings, speeches and other credentials here.

For important information concerning this communication click here.  If you do not wish to receive these updates in the future, send an e-mail with the word “Remove” in the Subject to here.

©2010 Cynthia Marcotte Stamer.  All rights reserved. 

“Health Care Government Relations and Legislative Update” Focus On July 14 North Texas Healthcare Compliance Professional Association Meeting

July 13, 2009


July 14, 2009 Meeting Reminder

Congress and federal regulators are making health care regulation and reform their latest priority.  The NTHCPA invites interested health care compliance and ethics professionals to join us on July 14, 2009 for a lively discussion about “Health Care Government Relations and Legislative Update” lead by as Sandy Pappas, from Congressman Pete Session’s Office and Cynthia Marcotte Stamer from Curran Tomko Tarski LLP.

Date:  Tuesday, July 14, 2009

Time:  2:00 p.m.

Location:  Texas Health Resources, 612 E. Lamar Blvd., Arlington, TX  76011

For additional information, please contact Cynthia Stamer at (214) 270-2402 or by e-mail at cstamer@solutionslawyer.net.

About the NTHCPA

NTHCPA exists to champion ethical practice and compliance standards and to provide the necessary resources for ethics and compliance Professionals and others in North Texas who share these principles.

The vision of NTHCPA is to be a pre-eminent compliance and ethics group promoting lasting success and integrity of organizations within North Texas.

To register or update your registration to receive notice of other upcoming events, e-mail your contact information to lfigueroa@cttlegal.com.

This communication may be considered a marketing communication for certain purposes.  If you wish to update your e-mail for purposes of or would prefer not to receive future e-mail concerning meetings or other activities of the North Texas Healthcare Compliance Professionals Association or other marketing and promotional mailings from it, please send an email with the word “unsubscribe” in its subject heading to lfigueroa@cttlegal.com

Newly Enacted FERA Amendments To False Claims Act Signal New Risks For Health Industry Organizations & Others

May 26, 2009

Health care providers and other parties covered by the False Claims Act, 31 U.S.C. § 3729 (FCA), now face expanded whistleblower and other liability under amendments to the FCA enacted under the “Fraud Enforcement and Recovery Act of 2009”(FERA).  The amendments increase the likelihood both that whistleblowers will turn in health care providers and other individuals and organizations that file false claims in violation of the FCA and the liability that violators may incur for that misconduct.

Signed into law by President Obama last Wednesday (May 20, 2009), FERA immediately upon enactment:

  • Amends the whistleblower protections afforded to employees, contractors and agents who suffer retaliation for taking lawful efforts to stop violations of the FCA and to make it easier for those individuals to pursue retaliation claims;
  • Expands liability under for making false or fraudulent claims to the federal government under the FCA;
  • Applies liability under the FCA for presenting a false or fraudulent claim for payment or approval (currently limited to such a claim presented to an officer or employee of the federal government); and
  • Requires persons who violate such Act to reimburse the federal government for the costs of a civil action to recover penalties or damages 

Concurrent with President Obama’s signature of FERA into law, the U.S. Departments of Justice (DOJ) and Health & Human Services (HHS) jointly announced the expansion of federal health care fraud enforcement efforts.  On May 20, 2009, HHS and DOJ announced their activation of a new interagency team to combat health care fraud highlights the increasing need for health care providers and health plans to review and tighten their practices for dealing with Medicare and other federal programs to survive scrutiny under federal health care fraud initiatives.  Coupled with FERA and the already significant increase in federal health care fraud detection and enforcement activities in recent years and a proposed 50 percent increase in funding for these activities included in President Obama’s Fiscal Year 2010 budget, health care providers and payers must be prepared to defend their dealing with Medicare, Medicaid and other federal health care programs.

The expanded protections afforded under FERA to whistleblowers and others suffering retaliation for opposing or reporting illegal actions can be expected to serve as a key tool in these efforts. These new retaliation safeguards are designed further increase the likelihood that employees and other insiders will help government officials ferret out false claims and other fraud. Specifically with regard to retaliatory action claims Section 4(d) of FERA amends 31 U.S.C.§ 3730(h) to provide for the recovery of “all relief necessary to make that employee, contractor, or agent whole” where that individual is discharged, demoted, suspended, threatened, harassed, or in any other manner discriminated against in the terms and conditions of employment because of lawful acts he does or takes on behalf of an individual in furtherance of other efforts to stop a violation of the FCA. 

FERA expressly provides that relief to victims of retaliation will include “reinstatement with the same seniority status that employee, contractor, or agent would have had but for the discrimination, 2 times the amount of back pay, interest on the back pay, and compensation for any special damages sustained as a result of the discrimination, including litigation costs and reasonable attorneys’ fees.” 

The FERA amendments to the FCA, the new TEAMS enforcement effort announced simultaneously with its signature into law mean that health care industry organizations and others covered by the FCA must implement appropriate fraud prevention, detection, redress and other procedures to help defend against possible FCA or other health care fraud claims and investigations.

The attorneys at Curran Tomko Tarski, LLC have extensive experience representing and advising health industry and other clients against FCA and other federal health care and fraud laws. 

For More Information

We hope that this information is useful to you. If you need assistance with auditing or defending health care fraud concerns or other health care compliance, risk management, transactions or operations concerns, please contact Curran Tomko Tarski LLP Partners Cynthia Marcotte Stamer at (214) 270-2402, CStamer@CTTLegal.com; Michael T. Tarski at (214) 270-1420 or MTarski@CTTLegal.com; Edwin J. Tomko at (214) 270-1405 or ETomko@CTTLegal.com.

You can review other recent health care and internal controls resources and additional information about the health industry and white collar experience of the Curran Tomko Tarski LLP attorneys at http://www.CTTLegal.com. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile at CTTLegal.com or e-mailing this information to CStamer@CTTLegal.com.

HIPAA Complaint Basis For Texas Whistleblower Claim

April 4, 2009

In a March 19, 2009 ruling, the U.S. District Court for the Northern District of Texas recently recognized that the Texas Whistleblower Act prohibits health care organizations run by the State of Texas from retaliating against employees for making good faith complaints of violations of the Privacy Rules of the Health Insurance Portability Act (“HIPAA”).Nevertheless, the court dismissed the wrongful discharge lawsuit brought by a former Terrell State Hospital security guard who alleged he was wrongfully fired for complaining to the U.S. Department of Health and Human Services Office of Civil Rights (”OCR”) that the Hospital violated the HIPAA Privacy Rules because the plaintiff had failed to present sufficient proof that he was terminated in retaliation for filing a HIPAA complaint.


Illustrative of a growing number of state law retaliatory discharge claims brought be employees claiming to have been retaliated against for complaining about alleged violations of HIPAA’s Privacy Rules, Faulkner v. Department of State Health Servs., 2009 U.S. Dist. LEXIS 22419 (N.D. Tex. Mar. 19, 2009), involved claims made by plaintiff Anthony Faulkner (”Faulkner”) that the Texas Department of State Health Services (”DSHS”); Terrell State Hospital; Texas DSHS Commissioner David L. Lakey, M.D.; Terrell State Hospital Superintendent Fred Hale; and Terrell State Hospital Risk Management Coordinator Clent Holmes, R.N. violated the Whistleblower Act and the First and Fourteenth Amendments by firing him seven days after he complained to OCR that Terrell State Hospital violated the HIPAA Privacy Rule by leaving admissions logs containing patient names and admission dates in a public area.

The Texas Whistleblower Act generally prohibits a state or local governmental entity from terminating or taking any other adverse personnel action against a public employee who in good faith reports a violation of law by the employing governmental entity or another public employee to an appropriate law enforcement authority.See Tex. Gov’t Code § 554.002(a).While the Court affirmed that the Texas Whistleblower Act permits a public employee of the State of Texas discharged or otherwise retaliated against for complaining in good faith to OCR that his public employer or its employee violated the HIPAA Privacy Rules, the Court nevertheless granted summary judgment to the defendants.

According to the court, Faulkner’s failure to introduce evidence rebutting defendant’s affidavit that he was terminated for repeatedly violating rules requiring him to report suspected abuse of patients precluded him from proving his termination was in retaliation for his filing of the HIPAA complaint.Meanwhile, the court also ruled that Faulkner’s claims against the individual defendants should be dismissed as the Whistleblower Act only creates a cause of action against governmental entities and not their employees. Having found Faulkner’s constitutional claims also without merit, the District Court granted the defendant’s motion for summary judgment.

While the defendants were able to overcome Faulkner’s retaliatory discharge claim, the decision highlights the need for health care providers and other HIPAA covered entities to take appropriate precautions to defend against potential wrongful discharge, retaliation or other claims by employees or other service providers for complaining of possible HIPAA violations or for attempting to exercise other HIPAA-protected rights.HIPAA covered entities now should avoid engaging in actions that might unnecessarily fuel claims of retaliation.  They also should carefully document and preserve evidence necessary to demonstrate the legitimacy of their disciplinary actions on an ongoing basis.

We hope you found this information helpful. If your organization needs assistance with understanding or managing its responsibilities or liabilities under HIPAA or other health care or employment laws or wishes to inquire about HIPAA training or other services and experience of Cynthia Marcotte Stamer, please contact Ms. Stamer via e-mail at Cstamer@Solutionslawyer.net or by telephoning Ms. Stamer at 469.767.8872.You also can review other helpful resources and register to receive other updates at CynthiaStamer.com.

%d bloggers like this: