Privacy Rule Changes & Posting of Breach Notices On OCR Website Signal New Enforcement Risks For Health Plans, Their Sponsors & Business Associates

February 23, 2010

 By Cynthia Marcotte Stamer

The Department of Health and Human Services Office of Civil Rights (OCR) has begun disclosing on its website the employer and other health plans, health care providers, health care clearinghouses and their business associates (Covered Entities) that report breaches of unsecured protected health information (UPIC) affecting more than 500 individuals as required by new rules enacted as part of the Health Information Technology for Economic and Clinical Health Act (HITECH Act). This posting of Covered Entities reporting breaches comes just days after these and other Covered Entities became subject on February 17, 2010 to a host of other tighter federal requirements for the use, access, protection and disclosure of protected health information under Privacy & Security Standards of the Health Insurance Portability & Accountability Act (HIPAA) also enacted as part of the HITECH Act. As failing to comply with the amended rules effective February 17, 2010 can trigger obligations under the Breach Regulations and other exposures, prompt action to manage risk under both the Breach Regulations and the revised HIPAA rules is critical to minimize Covered Entity and business associate exposures under both these rules. With criminal, administrative and civil prosecutions of such violations increasing and likely to expand, timely action to manage compliance and other risks is warranted. Health plans and their business associates also should prepare for increased awareness and oversight of the adequacy of their medical information safeguards as these disclosures and other enforcement actions heighten interest and awareness of employees and others in these rules.

Covered Entity Breach Notification Requirements

OCR posted the initial list of Covered Entities disclosing these breaches on its website for the first time yesterday (February 22, 2010) to comply with breach notification requirements imposed by Section 164.408 of the interim “Breach Notification For Unsecured Protected Health Information” regulation (Breach Regulation) published here

The Breach Regulation requires Covered Entities subject to the Health Insurance Portability & Accountability Act (HIPAA) to notify affected individuals, OCR and certain other parties following a “breach” of “unsecured” protected health information occurring on or after September 23, 2009.  The Breach Regulation implements new breach notification requirements added to HIPAA by Section 13402(e)(3) of the Health Information Technology for Economic and Clinical Health Act (HITECH Act). It and the posting of Covered Entities reporting breaches of protected health information are part of the ongoing implementation and enforcement of new and stricter personal health information privacy and data security requirements for Covered Entities added to HIPAA under provisions of the HITECH Act and expanded remedies for violations signed into law on February 17, 2009 as part of American Recovery and Reinvestment Act of 2009 (ARRA).

You can review the list of Covered Entities that have reported breaches on the OCR website here.  Learn more about the Breach Regulation requirements here.

Broader & Stricter Medical Privacy Mandates Effective 2/17/210

Just last Wednesday (February 17, 2010) Covered Entities and their business associates also became subject to tighter federal requirements for the use, access, protection and disclosure of protected health information under amendments to HIPAA’s Privacy & Security Standards enacted by the HITECH Act. The changes that became effective on February 17, 2010 generally require that Covered Entities and their business associates make specific changes to update their written policies, operational procedures, privacy notices, business associate agreements, training, and other management procedures in several respects. For more details, see here.

While the HITECH Act gave Covered Entities and business associates a year to complete the necessary arrangements to comply with these HITECH Act changes, many Covered Entities and business associates have remain unnecessarily exposed under these new requirements by not completing or otherwise failing to adequately implement the necessary arrangements despite expanding liability exposures that can result from noncompliance. To mitigate these exposures, Covered Entities and their business associates should act quickly to review and update their policies, procedures, training, business associate and other services agreements, and other practices and procedures, as well as to implement the training, oversight, and other management necessary to comply with the HITECH Act changes and to mitigate other HIPAA risks.

Exposures Significant & Growing

Covered Entities and business associates failing to devote adequate attention and resources to  managing HIPAA compliance and associated risks risk increasing peril.  Aside from the potential implications that disclosures of violations may have on patients and others impacting their business, the legal risks of noncompliance for Covered Entities, business associates and others mishandling protected health information are real and growing.   

Timely action to comply with the amended HIPAA requirements and Breach Regulations is important both to preserve critical trust in the business, to avoid triggering breach notifications that can undermine this trust and fuel legal complaints, and to avoid exposure to an expanding range of sanctions that can result when a violation occurs. 

Amendments made under the HITECH Act have expanded the size and availability of remedies that can be imposed for HIPAA violations as well as the parties empowered to pursue these remedies.  Wrongful use, access or disclosure of protected health information in violation of HIPAA subjects participating health plans, health care providers, health care clearinghouses, their business associates and other workforce members and others to civil penalties,  criminal prosecution and, since February 17, 2009, civil lawsuits brought by state attorneys general on behalf of citizens of their states whose HIPAA rights were violated.  Since September 23, 2009, health plans and other HIPAA Covered Entities as well as their  business associates also became obligated to provide breach notification under new mandates imposed by the HITECH Act.  Coupled with increased enforcement emphasis by regulators, these expansions to HIPAA’s remedy provisions increase the risk that Covered Entities or business associates violating HIPAA face investigation and sanction.  Furthermore, the wrongful use, access or disclosure of protected health information or other confidential information also increasingly is the basis of civil or criminal actions brought under a variety of other federal and state laws.

Expanded HIPAA & Other Federal Prosecutions & Remedies

The expanded requirements imposed under the Breach Regulation and the other HITECH Act changes that took effect on February 17, 2010 follow the implementation changes to HIPAA’s civil and criminal sanctions that took effect on February 17, 2009, when President Obama signed the HITECH Act into law. The HITECH Act amendments to HIPAA’s remedies significantly increase the risk that health plans and other Covered Entities and their business associates will face civil lawsuits, civil or criminal penalties or other consequences for violating HIPAA. Noncompliance with these and other HIPAA requirements subjects Covered Entities and business associates to civil penalties, criminal prosecution, civil damage awards under lawsuits brought by state attorneys general, and other legal remedies.  In addition, timely update written policies, procedures, business associate agreements, training and documentation is imperative in order for Covered Entities and their business associates to fulfill their breach notification obligations under new rules enacted as part of the HITECH Act. 

HITECH Amendments Expand Liability Exposures

The expanded risks stem in part from the HITECH Act’s amendments to HIPAA’s remedy provisions.  Among other things, the HITECH Act amended HIPAA to:

  • Allow a State Attorney General to sue health plans or other Covered Entities, business associates or both that harm state citizens by committing HIPAA violations after February 16, 2009;
  • Expand the mandate by OCR to investigate violations and audit compliance with HIPAA;
  • Require Office of Civil Rights to impose civil sanctions against Covered Entities and business associates involved in violations of HIPAA in accordance with tightened standards added to HIPAA by the HITECH Act;
  • Revise the criminal sanctions that the Department of Justice can seek against Covered Entities, their business associates and others for violations of HIPAA; and
  • Amend HIPAA to make clear that HIPAA’s criminal sanctions also can imposed on business associates, workforce members and other persons that improperly use, access and disclose protected health information in violation of HIPAA.

State Attorney General Lawsuit Exposures

Covered Entities and their business associates now also need to be concerned about the potential that a state Attorney General may bring civil suit to remedy damages caused to state citizens by a breach of HIPAA. 

The HITECH Act empowers a state attorney general to sue Covered Entities or business associates engaging in HIPAA violations that harms citizens of the state for statutory damages equal to the sum of the number of violations multiplied by 100 up to a maximum of $25,000 per calendar year plus attorneys fees and costs

A HIPAA civil lawsuit filed on January 13, 2010 demonstrates the willingness of at least some states to exercise the new authority created by the HITECH Act on February 17, 2009 to sue Covered Entities and business associates that violate HIPAA for civil damages.

On January 13, 2010 Connecticut Attorney General Richard Blumenthal sued Health Net of Connecticut, Inc. (Health Net) for failing to secure private patient medical records and financial information involving 446,000 Connecticut enrollees and promptly notify consumers endangered by the security breach.   The suit also names UnitedHealth Group Inc. and Oxford Health Plans LLC, who have acquired Health Net.  The first attorney general enforcement action brought based on amendments made to HIPAA under the HITECH Act, Connecticut charges that Health Net violated HIPAA by failing to safeguard protected medical records and financial information on almost a half million Health Net enrollees in Connecticut then allowing this information to remain exposed for at least six months before notifying authorities and consumers.

Stepped Up Federal Enforcement

Even before the HITECH Act amendments, however, OCR and Department of Justice already were stepping up HIPAA investigation and enforcement.  The Department of Justice has obtained a variety of criminal convictions against violators of HIPAA.  See, e.g., 2 New HIPAA Criminal Actions Highlight Risks From Wrongful Use/Access of Health InformationMeanwhile, OCR also is emphasizing HIPAA enforcement.  In February, 2009, for instance, OCR announced that CVS Pharmacies, Inc. would pay $2.25 million to resolve HIPAA charges.  This announcement followed OCR’s announcement in July, 2008 that Providence Health Care would pay $100,000 to resolve HIPAA violation charges.  OCR also has taken HIPAA enforcement actions against a broad range of other Covered Entities to redress HIPAA violations or other compliance concerns.  To review examples of these other actions, see hereWhile not resulting in the significant payments involved in CVS or Providence, all Covered Entities involved in these and other enforcement actions or investigations have incurred significant legal and other defense costs, loss of community trust, or both.

In addition to these HIPAA-specific exposures, wrongful use, access or disclosure of medical information also can give rise to liability for health plans and other Covered Entities, business associates, employees and other members of their workforce and others improperly using, accessing or disclosing protected health information.  Federal and state prosecutions may and increasingly do criminally prosecute individuals for improperly accessing or using medical or other personal information under a variety of other federal or state laws .  See e.g., Cybercrime & Identity Theft: Health Information Security Beyond HIPAA; NY AG Cuomo Announcement of 1st Settlement For Violation of NY Security Breach Notification Law; Woman Who Revealed AIDs Info Gets A YearAdditionally, State courts also increasingly are permitting individuals harmed by HIPAA violations to use HIPAA as the foundation of state law duties used to maintain state negligence, invasion of privacy, retaliation or other claims for damages. Read more here

State Civil Lawsuits

Along side these governmental actions, state courts also increasingly are willing to allow individual plaintiffs to rely on violations of HIPAA as the basis for bringing state privacy, retaliation or other actions.  While prior to the recent HITECH Act amendments, federal courts had ruled that private plaintiffs could not sue under HIPAA for damages they incurred from a Covered Entity’s violation of HIPAA, state courts have allowed private plaintiffs to use the obligations imposed by HIPAA as the basis of a Covered Entity’s duty for purposes of certain state law lawsuits.  In  Sorensen v. Barbuto, 143 P.3d 295 (Utah Ct. App. 2006), for example, a Utah appeals court ruled a private plaintiff could use HIPAA standards to establish that a physician owed a duty of confidentiality to his patients for purposes of maintaining a state law damages claim.  Similarly, the Court in Acosta v. Byrum, 638 S.E. 2d 246 (N.C. Ct. App. 2006) ruled that a plaintiff could use HIPAA to establish the “standard of care” in a negligence lawsuit.

Meanwhile, disgruntled employees or other business partners also increasingly raise alleged HIPAA misconduct as a basis of their legal complaints.  For instance, private plaintiffs employed by Covered Entities also are increasingly pointing to HIPAA as the basis for their retaliation or wrongful discharge claims. See, e.g.,  Retaliation For Filing HIPAA Complaint Recognized As Basis For State Retaliatory Discharge Claim.  Coupled with the HITECH Act changes, these and other enforcement actions signal growing potential hazards for Covered Entities and their business associates that  fail to properly manage their HIPAA compliance obligations and risks.

Given these and other developments, Covered Entities and their business associates generally should resist the temptation to underestimate their potential HIPAA exposure for a variety of reasons.  In fact, a number of factors demonstrate that the risks are significant and growing for Covered Entities, business associates and others that breach HIPAA’s mandates or otherwise inappropriately access protected health information. 

Covered Entities & Business Associates Urged To Act Promptly To Manage Expanded HIPAA Risks & Obligations

As a consequence of these collective HITECH Act changes and growing HIPAA-related and other exposures, Covered Entities, their business associates and business associates generally will find it necessary or advisable among other things to:

  • Conduct well-documented due diligence within the scope of attorney-client privilege on their own practices and procedures;
  • Review the adequacy of the practices, policies and procedures of the Covered Entities, business associates, and others that may come into contact with protected health information;;
  • Renegotiate their service provider agreements to detail the specific compliance obligations of each party relating to for auditing compliance, investigating potential breaches; providing required breach notifications; specify leadership and required cooperation in the event of a breach, charge, or other concern; indemnification and other liability allocations; and other related matters;
  • Update policies, privacy and other notices, practices, procedures, training and other practices as needed to promote compliance and defensibility;
  • Conduct well-documented training as necessary to ensure that business associates and other members of the Covered Entity’s workforce understand and are prepared to comply with the expanded requirements of HIPAA, can detect potential breaches or other compliance concerns, and understand and are prepared to follow appropriate procedures for reported suspected violations; and
  • Pursue appropriate liability and other protection as appropriate to improve their ability to demonstrate both their commitment to compliance and their realistic efforts to ensure that these commitments are both appropriately documented on paper and operationalized in performance.

As part of these compliance and risk management efforts, most Covered Entities and their business associates will find it advisable to devote significant attention to the business associate relationship and its associated business associate agreements. Proper management of the expanded compliance obligations and liability exposures created by the HITECH Act generally will necessitate that Covered Entities and their business associates focus significant attention on the reworking of their operating and contractual relationships including the definition of detailed procedures for monitoring, reporting, investigating, and resolving potential breaches or other compliance concerns.

Even before the impending HIPAA changes scheduled to take effect on February 17, 2010, a strong need for more detailed contracting and planning of these relationships already existed. Since the enactment of HIPAA, the practice of many Covered Entities and their business associates of appending generic “business associate” representations onto existing services contracts without specific tailoring and planning has created undesirable ambiguities in these agreements. Further updating and tailoring of these and other provisions of services agreements has become even more important over the past year in light of the new breach notification mandates that took effect under the HITECH Act in September, 2009, changes to HIPAA’s civil and criminal sanctions that took effect on February 17, 2009, and the impending extension by the HITECH Act to business associates of direct liability for compliance with HIPAA scheduled to occur on February 17, 2010.

These and other stepped up oversight and enforcement activities make it critical that all Covered Entities and their business associates update their policies and practices, conduct training, tighten their compliance and data breach monitoring processes, strengthen their internal controls and documentation, and take other steps to prepare to defend their actions under the newly strengthened Privacy Rules.  Covered Entities and their business associates more than ever must ensure their ability to demonstrate to federal regulators the effectiveness of their HIPAA compliance efforts by both adopting the written policies and procedures required by HIPAA and continuously monitoring and administering these safeguards.  Covered Entities should consider reviewing the adequacy of their current HIPAA Privacy and Security compliance practices taking into consideration the Corrective Action Plan, published OCR noncompliance and enforcement statistics, their own and reports of other security and privacy breaches and near misses, and other developments to determine if additional steps are necessary or advisable.

For Assistance With Compliance Or Other Concerns

If your organization need advice or assistance in reviewing, updating, administering or defending its HIPAA or other privacy policies, practices, business associate or other agreements, notices or other related activities, consider contacting the author of this article, Curran Tomko Tarski LLP Partner Cynthia Marcotte Stamer at (214) 270-2402 or via e-mail  here

Ms. Stamer is nationally known for her work, training and presentations, and publications on privacy and security of health and other sensitive information in health and managed care, employment, employee benefits, financial services, education and other contexts. 

Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 22 years experience advising clients about health and other privacy and security matters.  A popular lecturer and widely published author on privacy and data security and other related health care and health plan matters, Ms. Stamer is the Editor in Chief of the forthcoming 2010 edition of the Information Security Guide to be published by the American Bar Association Information Security Committee in 2010, as well as the author of “Protecting & Using Patient Data In Disease Management: Opportunities, Liabilities And Prescriptions,” “Privacy Invasions of Medical Care-An Emerging Perspective,” “Cybercrime and Identity Theft: Health Information Security Beyond HIPAA,” and a host of other highly regarded publications. She has continuously advises employers, health care providers, health insurers and administrators, health plan sponsors, employee benefit plan fiduciaries, schools, financial services providers, governments and others about privacy and data security, health care, insurance, human resources, technology, and other legal and operational concerns. Ms. Stamer also publishes and speaks extensively on health and managed care industry privacy, data security and other technology, regulatory and operational risk management matters.  Her insights on health care, health insurance, human resources and related matters appear in the Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Managed Healthcare, Health Leaders, and a many other national and local publications.  For additional information about Ms. Stamer, her experience, involvements, programs or publications, see here.  

Other Recent Developments

If you found this information of interest, you also may be interested in information about upcoming programs to be presented by Ms. Stamer, acquiring a copy of a recording or materials from previous programs she has presented, or arranging training for your organization.  For more information about these opportunities, contact Ms. Stamer directly.

If you found this information of interest, you also may be interested in reviewing some of the following recent Updates available online by clicking on the article title:

Curran Tomko Tarski LLP Can Help

If your organization need advice or assistance in reviewing, updating, administering or defending its HIPAA or other privacy policies, practices, business associate or other agreements, notices or other related activities, consider contacting Curran Tomko Tarski LLP Partner Cynthia Marcotte Stamer.

A widely published author and speaker on HIPAA and other employee benefit and human resources related matters, Ms. Stamer has extensive experience advising health plans, their employer and other sponsors, health insurers, TPAs and other business associates and others about HIPAA and other health plan and privacy matters. Currently serving as both Chair of the American Bar Association (ABA) RPTE Employee Benefits & Other Compensation Group and as an ABA Joint Committee on Employee Benefits Council representative and Former Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, Ms. Stamer has more than 23 years experience assisting employers, insurers, plan administrators and fiduciaries and others to design, implement, draft and administer health and other employee benefit plans and to defend audits, litigation or other disputes by private parties, the IRS, Department of Labor, Office of Civil Rights, Medicare, state insurance regulators and other federal and state regulators. A nationally recognized author and lecturer, Ms. Stamer also speaks and writes extensively on these and other related matters. For additional information about Ms. Stamer and her experience or to access other publications by Ms. Stamer see here or contact Ms. Stamer directly.   For additional information about the experience and services of Ms. Stamer and other members of the Curran Tomko Tarksi LLP team, see here.

Other Information & Resources

We hope that this information is useful to you. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here or e-mailing this information here or registering to participate in the distribution of our Solutions Law Press HR & Benefits Update distributions here.  Examples of other recent updates that may be of interest include:

For important information concerning this communication click here.   If you do not wish to receive these updates in the future, send an e-mail with the word “Remove” in the Subject here.

 

©2010 Cynthia Marcotte Stamer. All rights reserved.


Stamer To Present “2010 Health Plan Checkup” At Annual DFW ISCEBS Employee Benefits Fundamentals Workshop

February 22, 2010

 

Cynthia Marcotte Stamer will discuss the latest changes and requirements affecting employer sponsored group health plans, their sponsors, fiduciaries, insurers and vendors during her presentation titled “2010 Health Plan Checkup” at the Dallas/Fort Worth ISCEBS Annual Fundamentals Workshop currently scheduled for May 13, 2010 in Dallas. 

With Congress and federal regulators turning up the heat on health care, keeping up to date with the latest developments is both critical and increasingly challenging for employers, their employee benefits and human resources staff, and the fiduciaries, insurers, administrators and others dealing with health plan design and administration. Coming as U.S. employers continue to struggle to provide health benefits in the face of skyrocketing health benefit costs, tighter health plan medical privacy, nondiscrimination, mental health and other benefit mandates, and a host of other tighter new federal regulations impacting employment-based health plans and their sponsoring businesses, fiduciaries and administrators increasingly are forcing U.S. business leaders to make appropriate health plan cost and compliance management a key management priority. Ms. Stamer will discuss key developments, highlight new developments on the horizon, and provide tips to participants for monitoring and responding to these and other developments.  To register or for additional information, contact the Dallas/Fort Worth ISCEBS here.

Nationally recognized for her more than 22 years of work on managed care and other health and other employee benefits, human resources, insurance, and health care matters, Ms. Stamer assists employee benefit plans, their sponsoring employers, fiduciaries, insurers, administrators and others to monitor and respond to evolving legal and operational requirements and to design, administer, document and defend managed care and other medical benefit programs and practices. She also regularly advises and assists these and other clients to monitor and respond to evolving legislation, regulations, enforcement activities by federal and state regulators, evolving product and market changes, and private litigation and other disputes.  Past Chair of the American Bar Association (ABA) Health Law Section Managed Care & Insurance Interest Group and the Current Chair of the ABA RPTE Employee Benefits & Compensation Committee, an ABA Joint Committee on Employee Benefits Council member, Chair of the Curran Tomko Tarski Labor, Employment & Employee Benefits Practice and Board Certified in Labor & Employment Law, Ms. Stamer also is a widely published author and highly regarded speaker on these and other employee benefit and human resources matters.  Some other recent updates on these topics recently published by Ms. Stamer include :

For additional information about Ms. Stamer and her experience or to access other publications by Ms. Stamer see here or contact Ms. Stamer directly.   For additional information about the experience and services of Ms. Stamer and other members of the Curran Tomko Tarksi LLP team, see here.

If you need assistance with these or other compliance concerns, wish to inquire about federal or state regulatory compliance audits, risk management or training, assistance investigating or responding to a known or suspected compliance or risk management concern, or need legal representation on other matters please contact the author of this update, Cynthia Marcotte Stamer, CTT Labor & Employment Practice Chair at cstamer@cttlegal.com, 214.270.2402; or your other preferred Curran Tomko Tarski LLP attorney.

You can review other recent human resources, employee benefits and internal controls publications and resources and additional information about the employment, employee benefits and other experience of Ms. Stamer here and learn more about  other Curran Tomko Tarski LLP attorneys here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here or e-mailing this information to Cstamer@CTTLegal.com or registering to participate in the distribution of these and other updates on our Solutions Law Press distributions here. For important information concerning this communication click here.    If you do not wish to receive these updates in the future, send an e-mail with the word “Remove” in the Subject to here.

©2010 Cynthia Marcotte Stamer. All rights reserved.


SouthWest Benefits e-Connections Highlights Stamer Article About Importance For Health Plans, Their Sponsors & Business Associates To Update HIPAA Policies, Practices & Agreements

February 22, 2010

Cynthia Marcotte Stamer’s article Health Plans & Business Associates Face 2/17 Deadline To Comply With HIPAA Privacy Rule Changes is featured in the Winter, 2010 edition of the SouthWest Benefits Association e-Connection.  The article originally published in the Solutions Law Press HR & Benefit Update highlights the need for health plans, employer and other plan sponsors, administrators, and health insurers as well as the brokers, advisors, and other service providers performing functions on behalf of these entities to update their plans, policies, vendor agreements, practices, privacy notices and other communications and other materials, conduct training and take other steps in response to tighter federal requirements for the use, access, protection and disclosure of protected health information under Privacy & Security Standards of HIPAA, as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH Act).

Founded in 1975, SouthWest Benefits is a regional, non-profit association designed to foster relationships and support the educational growth of professionals in employee benefits through an annual schedule of professional educational conferences and workshops. As part of these activities, the SWBA is scheduled to host its 35th Annual Conference on May 12th-14th at the Westin Riverwalk in San Antonio.  For information about these and other SWBA, see here.

A former Southwest Benefits Association board member who remains active in the organization, Ms. Stamer is a board certified labor and employment attorney recognized, internationally, nationally and locally for her more than 22 years of work, advocacy, education and publications on employee benefit and related matters.  As a core focus of her role as the Chair of the Curran Tomko Tarski Labor, Employment & Employee Benefits Practice, Ms. Stamer continuously advises and assists employee benefit plans, their sponsoring employers, fiduciaries, insurers, administrators and others to monitor and respond to evolving legal and operational requirements and to design, administer, document and defend medical and other welfare benefit, qualified and non-qualified deferred compensation and retirement, severance and other employee benefit, compensation, and human resources programs and practices. Chair of the American Bar Association (ABA) RPTE Employee Benefits & Compensation Committee, an ABA Joint Committee on Employee Benefits Council member, Ms. Stamer also is a widely published author and highly regarded speaker on these and other employee benefit and human resources matters who is active in many other employee benefits, human resources and other management focused organizations  For additional information about Ms. Stamer and her experience or to access other publications by Ms. Stamer see here or contact Ms. Stamer directly.   For additional information about the experience and services of Ms. Stamer and other members of the Curran Tomko Tarksi LLP team, see here.

If you need assistance with these or other compliance concerns, wish to inquire about federal or state regulatory compliance audits, risk management or training, assistance investigating or responding to a known or suspected compliance or risk management concern, or need legal representation on other matters please contact the author of this update, Cynthia Marcotte Stamer, CTT Labor & Employment Practice Chair at cstamer@cttlegal.com, 214.270.2402; or your other preferred Curran Tomko Tarski LLP attorney.

You can review other recent human resources, employee benefits and internal controls publications and resources and additional information about the employment, employee benefits and other experience of Ms. Stamer here and learn more about other Curran Tomko Tarski LLP attorneys here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here or e-mailing this information to Cstamer@CTTLegal.com or registering to participate in the distribution of these and other updates on our Solutions Law Press distributions here. For important information concerning this communication click here.    If you do not wish to receive these updates in the future, send an e-mail with the word “Remove” in the Subject to here.

©2010 Cynthia Marcotte Stamer. All rights reserved.


Health Plan Liability Heats Up As Plans & Businesses Face New Obligations, Costs & Exposures under New HIPAA Privacy Rules Effective 2/17 & Other Expanding Federal Health Plan Mandates

February 17, 2010

Today (February 17, 2010), employer and other health plans and health insurers (“covered entities”) and service providers performing functions on behalf of these entities (“business associates”) must begin complying with tighter federal requirements for the use, access, protection and disclosure of protected health information under Privacy & Security Standards of the Health Insurance Portability & Accountability Act (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH Act). Coming as U.S. employers continue to struggle to provide health benefits in the face of skyrocketing health benefit costs, these and other new federal regulations impacting employment-based health plans and their sponsoring businesses, fiduciaries and administrators are forcing U.S. business leaders to make appropriate health plan cost and compliance management a key management priority.

2/17/10 & Other HIPAA Privacy Rule Changes Require Prompt Attention

The HIPAA Privacy Rule changes scheduled to take effect February 17, 2010 are likely to require that health plans and their business associates update their written policies, operational procedures, privacy notices and business associate agreements in several respects.

While the HITECH Act gave covered entities and business associates a year to complete the necessary arrangements to comply with these impending HITECH Act changes, many health plans and business associates have not completed the necessary arrangements despite expanding liability exposures that can result from noncompliance. To mitigate these exposures, covered entities and their business associates should act quickly both to update their services agreements, plans and policies, practices, and procedures, and to implement the training, oversight, and other management procedures necessary to comply with the HITECH Act changes and to mitigate other HIPAA risks.

The risks of noncompliance for health plans, business associates and others mishandling protected health information are real and growing. Wrongful use, access or disclosure of protected health information in violation of HIPAA subjects participating health plans, health care providers, health care clearinghouses, their business associates and other workforce members and others to civil penalties,  criminal prosecution and, since February 17, 2009, civil lawsuits brought by state attorneys general on behalf of citizens of their states whose HIPAA rights were violated.  Since September 23, 2009, health plans and other HIPAA covered entities as well as their  business associates also became obligated to provide breach notification under new mandates imposed by the HITECH Act. 

In addition to these HIPAA-specific exposures, wrongful use, access or disclosure of medical information also can give rise to liability for health plans and other covered entities, business associates, employees and other members of their workforce and others improperly using, accessing or disclosing protected health information.  Federal and state prosecutions may and increasingly do criminally prosecute individuals for improperly accessing or using medical or other personal information under a variety of other federal or state laws .  See e.g., Cybercrime & Identity Theft:Health Information Security Beyond HIPAA; NY AG Cuomo Annoucment of 1st Settlement For Violation of NY Security Breach Notification Law; Woman Who Revealed AIDs Info Gets A Year.  Additionally, State courts also increasingly are permitting individuals harmed by HIPAA violations to use HIPAA as the foundation of state law duties used to maintain state negligence, invasion of privacy, retaliation or other claims for damages. Read more here

To manage these and other HIPAA-related risks, sponsoring employers, fiduciaries, administrators, insurers and their vendors should begin with carefully and timely reviewing and updating existing plan documents, vendor agreements, privacy notices and other communications and associated practices and policies.  The focus of these efforts definitely should seek both to adopt the specific technical changes necessary to make the health plans and their contracts technically comply on paper with these and other HIPAA mandates, and to tailor these documents, communications and practices promote operational compliance and minimize exposure to associated risks.  In relation to these efforts, sponsoring employers, insurers, fiduciaries and administrators also should ensure that required certifications from employers and other plan sponsors, representations from business associates, training and other compliance conditions are properly in place.  In this respect, employers sponsoring health plans should not overlook the potential need to adopt appropriate policies and implement needed training and safeguards to enable the health plan and the employer demonstrate, if necessary that HIPAA’s requirements for sharing protected health information with members of the employer’s workforce for plan administration, underwriting or certain other purposes have been satisfied.

Other Health Plan Updates Also Required

The HIPAA Privacy Rule changes effective today are only part of the ever-growing list of federal mandates that group health plan sponsors, fiduciaries, insurers, administrators and service providers need to be concerned about.  In addition to the new HIPAA Privacy Rule requirements taking effect today, health plans, their sponsors, administrators, fiduciaries, insurers, business associates and other service providers face a host of other new federal health plan and privacy mandates that have taken effect over the past year, and will become subject to additional mandates in upcoming months.  Consequently, while focusing on HIPAA compliance, health plans, their employer or other sponsors, insurers, fiduciaries, administrators and service providers also should not overlook the need to review and update their health plans in response to a host of other changes in federal health plan mandates.

In addition to otherwise applicable civil damage awards and civil penalty exposures that can result from violations of these requirements, new Internal Revenue Service regulations that took effect January 1, 2010 also require that employers, health plans or others self-report violations of certain of these requirements and self assess and pay resulting excise taxes arising under the Internal Revenue Code.  See, e.g., COBRA, HIPAA, GINA, Mental Health Parity or Other Group Health Plan Rule Violations Trigger New Excise Tax Self-Assessment & Reporting Obligations

The highly volatile health plan regulatory environment makes it likely that many health plans are not appropriately updated to comply with these and other federal requirements. In recent months, health plans, their employer or other sponsors, administrators and others also have become obligated to comply with a host of other expanded federal health plan rules and requirements. See e.g., New Mental Health Parity Regulations Require Health Plan Review & Updates; New Labor Department Rule Allows Employers 7 Days To Deliver Employee Contributions To Employee Benefit Plans; Newly Extended COBRA Subsidy Rules Require Employers, Administrators Send Required Notices & Update Health Plan Documents & Procedures Quickly;  Employer & Other Health Plans & Other HIPAA-Covered Entities & Their Business Associates Must Comply With New HHS Health Information Data Breach Rules By September 23.

These and other developments make it imperative that health plans, their employer or other  sponsors, administrators, insurers, fiduciaries and service providers get serious about complying with these and other federal health plan mandates and managing health plan related liabilities and costs. Sponsors, insurers, fiduciaries and administrators should ensure that health plan documents, insurance and other vendor contracts, policies, procedures and communications are timely updated to comply with these and other emerging mandates.  When implementing these updates, parties concerned about costs or liabilities also should exercise care to ensure that plan documents, communications, contracts, administrative forms and procedures are optimally designed and drafted not only to be technically compliant, but also to support the enforceability of plan design and cost expectations, minimize administrative and other avoidable costs, and minimize liability exposures.  In furtherance of these efforts, employer and other plan sponsors also should consider tightening their practices and requirements for credentialing, selection, oversight and contracting with administrators and vendors, and take other prudent steps to manage health plan related risks.

Curran Tomko Tarski LLP Can Help

If your organization need advice or assistance in reviewing, updating, administering or defending its HIPAA or other privacy policies, practices, business associate or other agreements, notices or other related activities, consider contacting Curran Tomko Tarski LLP Partner Cynthia Marcotte Stamer.

A widely published author and speaker on HIPAA and other employee benefit and human resources related matters, Ms. Stamer has extensive experience advising health plans, their employer and other sponsors, health insurers, TPAs and other business associates and others about HIPAA and other health plan and privacy matters. Currently serving as both Chair of the American Bar Association (ABA) RPTE Employee Benefits & Other Compensation Group and as an ABA Joint Committee on Employee Benefits Council representative and Former Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, Ms. Stamer has more than 23 years experience assisting employers, insurers, plan administrators and fiduciaries and others to design, implement, draft and administer health and other employee benefit plans and to defend audits, litigation or other disputes by private parties, the IRS, Department of Labor, Office of Civil Rights, Medicare, state insurance regulators and other federal and state regulators. A nationally recognized author and lecturer, Ms. Stamer also speaks and writes extensively on these and other related matters. For additional information about Ms. Stamer and her experience or to access other publications by Ms. Stamer see here or contact Ms. Stamer directly.   For additional information about the experience and services of Ms. Stamer and other members of the Curran Tomko Tarksi LLP team, see here.

Other Information & Resources

We hope that this information is useful to you. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here or e-mailing this information here or registering to participate in the distribution of our Solutions Law Press HR & Benefits Update distributions here.  Examples of other recent updates that may be of interest include:

For important information concerning this communication click here.   

 ©2010 Cynthia Marcotte Stamer. All rights reserved.


Employers, Group Health Plans Subject To New CHIP/Medicaid Notice, Coordination of Benefits & Special Enrollment Requirements

February 16, 2010

By Cynthia Marcotte Stamer

On February 14, 2010, the U.S. Department of Labor (DOL) issued a model notice (CHIP Notice) for employers and unions sponsoring health plans in states offering Medicaid or Children’s Health Insurance Program (CHIP) participants group health plan premium subsidy assistance to inform employees of Medicaid and CHIP premium subsidy opportunities available in their state of residence.  The duty to provide notice is part of various new obligations imposed on group health plans and employers under the Children’s Health Insurance Program Reauthorization Act of 2009 (CHIPRA).

Covered health plans and health insurers, their sponsoring employers and unions, fiduciaries, administrations and other contracted service providers should take steps to update their employee benefit plan enrollment and coordination provisions, communications, processes and procedures to comply with these new requirements including, where applicable and permitted, specific policies and procedures defining when and how premium subsidies may be paid to the group health plan.  Continue reading.

Other Changing Health Plan Requirements Also Merit Attention

Employer and other group health plans sponsors, insurers, fiduciaries, administrators and service providers should timely update their group health plan terms, practices, notices, policies and procedures in response to these new requirements.  At the same time, health plans, their employer or other sponsors, insurers, fiduciaries, administrators and service providers also should not overlook the need to review and update their health plans in response to a host of other changes in federal health plan mandates. The highly volatile health plan regulatory environment makes it likely that many health plans are not appropriately updated to comply with these and other federal requirements. In recent months, health plans, their employer or other sponsors, administrators and others also have become obligated to comply with a host of other expanded federal health plan rules and requirements. See e.g., New Mental Health Parity Regulations Require Health Plan Review & Updates; New Labor Department Rule Allows Employers 7 Days To Deliver Employee Contributions To Employee Benefit Plans; Newly Extended COBRA Subsidy Rules Require Employers, Administrators Send Required Notices & Update Health Plan Documents & Procedures Quickly;  Employer & Other Health Plans & Other HIPAA-Covered Entities & Their Business Associates Must Comply With New HHS Health Information Data Breach Rules By September 23; COBRA, HIPAA, GINA, Mental Health Parity or Other Group Health Plan Rule Violations Trigger New Excise Tax Self-Assessment & Reporting ObligationsThese and other developments make it imperative that health plans, their sponsors, administrators, insurers, fiduciaries and service providers get serious about complying with HIPAA.

Curran Tomko Tarski LLP Can Help

If your organization need advice or assistance in reviewing, updating, administering or defending its health plan, HIPAA or other privacy policies, practices, business associate or other agreements, notices or other related activities, consider contacting Curran Tomko Tarski LLP Partner Cynthia Marcotte Stamer.

A widely published author and speaker on HIPAA and other employee benefit and human resources related matters, Ms. Stamer has extensive experience advising health plans, their employer and other sponsors, health insurers, TPAs and other business associates and others about HIPAA and other health plan and privacy matters. Currently serving as both Chair of the American Bar Association (ABA) RPTE Employee Benefits & Other Compensation Group and as an ABA Joint Committee on Employee Benefits Council representative and Former Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, Ms. Stamer has more than 23 years experience assisting employers, insurers, plan administrators and fiduciaries and others to design, implement, draft and administer health and other employee benefit plans and to defend audits, litigation or other disputes by private parties, the IRS, Department of Labor, Office of Civil Rights, Medicare, state insurance regulators and other federal and state regulators. A nationally recognized author and lecturer, Ms. Stamer also speaks and writes extensively on these and other related matters. For additional information about Ms. Stamer and her experience or to access other publications by Ms. Stamer see here or contact Ms. Stamer directly.   For additional information about the experience and services of Ms. Stamer and other members of the Curran Tomko Tarksi LLP team, see here.

Other Information & Resources

We hope that this information is useful to you. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here or e-mailing this information here or registering to participate in the distribution of our Solutions Law Press HR & Benefits Update distributions here.  Examples of other recent updates that may be of interest include:

For important information concerning this communication click here.   If you do not wish to receive these updates in the future, send an e-mail with the word “Remove” in the Subject here.

©2010 Cynthia Marcotte Stamer. All rights reserved.


Health Plans & Business Associates Face 2/17 Deadline To Update Policies, Contracts & Procedures For HIPAA Privacy Rule Changes

February 15, 2010

Connecticut AG Lawsuit Highlights Expanding Civil Damage Exposure Risks Of Noncompliance 

By Cynthia Marcotte Stamer

By Wednesday, February 17, 2010, employer and other health plans and health insurers (“covered entities”) and service providers performing functions on behalf of these entities (“business associates”) must begin complying  with tighter federal requirements for the use, access, protection and disclosure of protected health information under Privacy & Security Standards of the Health Insurance Portability & Accountability Act (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH Act). The changes scheduled to take effect February 17, 2010 are likely to require that health plans and their business associates update their written policies, operational procedures, privacy notices and business associate agreements in several respects.

While the HITECH Act gave covered entities and business associates a year to complete the necessary arrangements to comply with these impending HITECH Act changes, many health plans and business associates have not completed the necessary arrangements despite expanding liability exposures that can result from noncompliance. To mitigate these exposures, covered entities and their business associates should act quickly both to update their services agreements, plans and policies, practices, and procedures, and to implement the training, oversight, and other management procedures necessary to comply with the HITECH Act changes and to mitigate other HIPAA risks.

2/17/10 Deadline To Comply With HITECH Act HIPAA Amendments

On February 17, 2010, health plans and other covered entities and their business associates will become subject to the latest to take effect in a series of amendments to the HIPAA enacted under the HITEC Act.  The new rules are part of a broader series of changes to HIPAA made by the HITECH Act that collectively both significantly expand the obligations of covered entities and their business associates to regarding the use, protection and disclosure of protected health information and the liability exposures that can result when covered entities or business associates violate these requirements.

The changes scheduled to take effect February 17, 2010 are likely to require that health plans and their business associates update their written policies, operational procedures, privacy notices and business associate agreements in several respects. For instance, effective February 17, 2010, the HITECH Act generally requires that covered entities and their business associates revise their written privacy policies, privacy notices and operating procedures:

  • To meet expanded requirements to honor individual’s requests for special restrictions on uses and disclosures of protected health information to health plans for payment purposes
  • To restrict protected health information disclosures to the minimum necessary required to accomplish otherwise allowable purpose;
  • To comply with new rules that require that the covered entity and its business associates treat any use, access or disclosure of any protected health information made for purposes of making communications about products or services as made for marketing, rather than operational, purposes which are prohibited by HIPAA except where HIPAA’s requirements are met;
  • To comply with new restrictions on certain fundraising communications made for operational purposes including expanded obligations to allow recipients to opt out of further fundraising communications;
  • To prohibit covered entities or business associates from selling protected health information without meeting the amended requirements of HIPAA that a valid HIPAA authorization from the subject of the information and specific reassurances from the purchaser concerning its subsequent use of the protected health information except as otherwise permitted by HIPAA;
  • To take into account these tightened restrictions on the use, access or disclosure of protected health information for purposes of complying with new HITECH Act breach notification requirements that took effect in September, 2009, which apply when a covered entity or its business associate knows or should know a breach of “unsecured protected health information” has occurred and for purposes of making the necessary changes in written policies and business associate agreements, training and operational procedures necessary to comply with these rules;
  • To directly require business associates comply with HIPAA’s requirements in the same manner as other covered entities and make it necessary or advisable that that service provider agreements between health plans and business associates be updated to reflect these and other changes to HIPAA; and
  • To implement the necessary written policy changes, notification updates, business associate agreement amendments, training, management oversight and other procedural changes necessary to demonstrate fulfillment with these requirements.

Noncompliance with these and other HIPAA requirements subjects covered entities and business associates to civil penalties, criminal prosecution, civil damage awards under lawsuits brought by state attorneys general, and other legal remedies.  In addition, timely update written policies, procedures, business associate agreements, training and documentation is imperative in order for covered entities and their business associates to fulfill their breach notification obligations under new rules enacted as part of the HITECH Act. 

Under the HITECH Act, health plans and other covered entities and their business associates have been obligated since September 23, 2009 to notify individuals who are the subject of protected health information, the Department of Health & Human Services and in some cases the media if and when a breach of “unsecured protected health information occurs. Failing to timely update written policies, procedures and training increases the likelihood that health plans, other covered entities or business associates will be obligated to provide breach notifications under these new rules, in addition to their otherwise applicable exposures under HIPAA.

HIPAA Enforcement & Liability Exposures Real and Rising

Health plans and other covered entities, their business associates and others involved in health plan design and operations generally should resist the temptation to underestimate their potential HIPAA exposure based on the limited enforcement of HIPAA by the Office of Civil Rights between 2003 and 2009 for a variety of reasons.

First, the changes taking effect on February 17, 2010 follow the implementation changes to HIPAA’s civil and criminal sanctions that took effect on February 17, 2009, when President Obama signed the HITECH Act into law and the new breach notification requirements added by the HITECH Act that took effect on September 23, 2009. The HITECH Act amendments to HIPAA’s remedies significantly increase the risk that health plans and other covered entities and their business associates will face civil lawsuits, civil or criminal penalties or other consequences for violating HIPAA. 

The expanded risks stem in part from the HITECH Act’s amendments to HIPAA’s remedy provisions.  Among other things, the HITECH Act amended HIPAA to:

  • Allow a State Attorney General to sue health plans or other covered entities, business associates or both that harm state citizens by committing HIPAA violations after February 16, 2009;
  • Expand the mandate by the Office of Civil Rights to investigate violations and audit compliance with HIPAA;
  • Require Office of Civil Rights to impose civil sanctions against health plans and other covered entities and their business associates involved in violations of HIPAA in accordance with tightened standards added to HIPAA by the HITECH Act;
  • Revise the criminal sanctions that the Department of Justice can seek against health plans and other covered entities, their business associates and others for violations of HIPAA;
  • Amend HIPAA to make clear that HIPAA’s criminal sanctions also can imposed on business associates, workforce members and other persons that improperly use, access and disclose protected health information in violation of HIPAA.

A HIPAA civil lawsuit filed on January 13, 2010 demonstrates the willingness of at least some states to exercise the new authority created by the HITECH Act on February 17, 2009 to sue covered entities and business associates that violate HIPAA for civil damages.

The HITECH Act empowers a state attorney general to sue covered entities or business associates engaging in HIPAA violations that harms citizens of the state for statutory damages equal to the sum of the number of violations multiplied by 100 up to a maximum of $25,000 per calendar year plus attorneys fees and costs

On January 13, 2010 Connecticut Attorney General Richard Blumenthal sued Health Net of Connecticut, Inc. (Health Net) for failing to secure private patient medical records and financial information involving 446,000 Connecticut enrollees and promptly notify consumers endangered by the security breach.   The suit also names UnitedHealth Group Inc. and Oxford Health Plans LLC, who have acquired Health Net.  The first attorney general enforcement action brought based on amendments made to HIPAA under the HITECH Act, Connecticut charges that Health Net violated HIPAA by failing to safeguard protected medical records and financial information on almost a half million Health Net enrollees in Connecticut then allowing this information to remain exposed for at least six months before notifying authorities and consumers.

Even before the HITECH Act amendments, however, the Office of Civil Rights and Department of Justice already were stepping up HIPAA investigation and enforcement.  The Department of Justice has obtained a variety of criminal convictions against violators of HIPAA.  See, e.g., 2 New HIPAA Criminal Actions Highlight Risks From Wrongful Use/Access of Health InformationMeanwhile, the Office of Civil Rights in February, 2009 announced that CVS Pharmacies, Inc. would pay $2.25 million to resolve HIPAA charges.  This announcement followed the Office of Civil Rights announcement in July, 2008 that Providence Health Care would pay $100,000 to resolve HIPAA violation charges.  While not resulting in the significant payments involved in CVS or Providence, the Office of Civil Rights also taken HIPAA enforcement actions against a broad range of other covered entities to redress HIPAA violations or other compliance concerns.  To review examples of these other actions, see here

Along side these governmental actions, state courts also increasingly are willing to allow individual plaintiffs to rely on violations of HIPAA as the basis for bringing state privacy, retaliation or other actions.  While prior to the recent HITECH Act amendments, federal courts had ruled that private plaintiffs could not sue under HIPAA for damages they incurred from a covered entity’s violation of HIPAA, state courts have allowed private plaintiff’s to use the obligations imposed by HIPAA as the basis of a covered entity’s duty for purposes of certain state law lawsuits.  In  Sorensen v. Barbuto, 143 P.3d 295 (Utah Ct. App. 2006), for example, a Utah appeals court ruled a private plaintiff could use HIPAA standards to establish that a physician owed a duty of confidentiality to his patients for purposes of maintaining a state law damages claim.  Similarly, the Court in Acosta v. Byrum, 638 S.E. 2d 246 (N.C. Ct. App. 2006) ruled that a plaintiff could use HIPAA to establish the “standard of care” in a negligence lawsuit.  Meanwhile, private plaintiffs employed by covered entities also are increasingly pointing to HIPAA as the basis for their retaliation claims. See, e.g.,  Retaliation For Filing HIPAA Complaint Recognized As Basis For State Retaliatory Discharge Claim.  Coupled with the HITECH Act changes, these and other enforcement actions signal growing potential hazards for covered entities and their business associates that  fail to properly manage their HIPAA compliance obligations and risks.

Health Plans & Business Associates Should Take Timely Action To Comply & Manage Risks

As a consequence of these collective HITECH Act changes and growing HIPAA-related exposures, both health plans and business associates generally will find it necessary or advisable among other things to:

  • Conduct well-documented due diligence on each other’s practices and procedures to improve their ability to demonstrate both their commitment to compliance and their realistic efforts to ensure that these commitments are operationalized in performance;
  • Renegotiate their service provider agreements to detail the specific compliance obligations of each party relating to for auditing compliance, investigating potential breaches; providing required breach notifications; specify leadership and required cooperation in the event of a breach, charge, or other concern; indemnification and other liability allocations; and other related matters; and
  • Pursue appropriate liability and other protection as appropriate.

As part of these compliance and risk management efforts, most covered entities and their business associates will find it advisable to devote significant attention to the business associate relationship and its associated business associate agreements. 

Proper management of the expanded compliance obligations and liability exposures created by the HITECH Act generally will necessitate that health plans and other covered entities and their business associates focus significant attention on the reworking of their operating and contractual relationships. 

Even before the impending HIPAA changes scheduled to take effect on February 17, 2010, a strong need for more detailed contracting and planning of these relationships already existed. Since the enactment of HIPAA, the practice of many covered entities and their business associates of appending generic “business associate” representations onto existing services contracts without specific tailoring and planning has created undesirable ambiguities in these agreements.

Further updating and tailoring of these and other provisions of services agreements has become even more important over the past year in light of the new breach notification mandates that took effect under the HITECH Act in September, 2009, changes to HIPAA’s civil and criminal sanctions that took effect on February 17, 2009, and the impending extension by the HITECH Act to business associates of direct liability for compliance with HIPAA scheduled to occur on February 17, 2010.

Given these changes and the associated obligations and risks, both health plans and other covered entities and their business associates generally should act quickly to manage their own compliance and to minimize exposures that may result from the other’s compliance deficiencies.  As part of these efforts, both covered entities and their business associates generally should review and tighten business associate and other service agreement provisions to provide for more specific and comprehensive HIPAA-related contractual assurances, as well as improved cooperation, coordination, management and oversight.

Curran Tomko Tarski LLP Can Help

If your organization need advice or assistance in reviewing, updating, administering or defending its HIPAA or other privacy policies, practices, business associate or other agreements, notices or other related activities, consider contacting Curran Tomko Tarski LLP Partner Cynthia Marcotte Stamer.

A widely published author and speaker on HIPAA and other related matter, Ms. Stamer has extensive experience advising health plans, their employer and other sponsors, health insurers, TPAs and other business associates and others about HIPAA and other health plan and privacy matters. Currently serving as both Chair of the American Bar Association (ABA) RPTE Employee Benefits & Other Compensation Group and as an ABA Joint Committee on Employee Benefits Council representative and Former Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, Ms. Stamer has more than 23 years experience assisting employers, insurers, plan administrators and fiduciaries and others to design, implement, draft and administer health and other employee benefit plans and to defend audits, litigation or other disputes by private parties, the IRS, Department of Labor, Office of Civil Rights, Medicare, state insurance regulators and other federal and state regulators.  As part of this work, she regularly assists clients to review and update policies, practices, contracts, notices and procedures to comply with HIPAA and other requirements.  A nationally recognized author and lecturer, Ms. Stamer also speaks and writes extensively on these and other related matters. For additional information about Ms. Stamer and her experience or to access other publications by Ms. Stamer see here or contact Ms. Stamer directly.   For additional information about the experience and services of Ms. Stamer and other members of the Curran Tomko Tarksi LLP team, see here.

Other Information & Resources

We hope that this information is useful to you. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here or e-mailing this information here or registering to participate in the distribution of our Solutions Law Press HR & Benefits Update distributions here.  Examples of other recent updates that may be of interest include:

For important information concerning this communication click here.   If you do not wish to receive these updates in the future, send an e-mail with the word “Remove” in the Subject here.

 ©2010 Cynthia Marcotte Stamer. All rights reserved.


St. Louis Employer’s OSHA Violations Trigger Contempt Order and Penalties

February 11, 2010

 By Cynthia Marcotte Stamer

 The U.S. Department of Labor’s Occupational Safety and Health Administration (OSHA) has issued contempt of court orders against Brian Andre, former owner of Andre Tuckpointing and Brickwork (AT&B), Andre Stone and Mason Work Inc. (AS&MW) and Regina Shaw, owner of AS&MW. Now the employers must pay more than $258,000 in fines and comply with other sanctions.

Under the Occupational Safety and Health Act of 1970, employers are responsible for providing safe and healthful workplaces for their employees.  OHSA enforces these requirements.

The U.S. Court of Appeals for the Eighth Circuit issued the contempt orders against the St. Louis-area company and individuals for failing to comply with court orders enforcing citations of the Occupational Safety and Health Review Commission (OSHRC).

The contempt citations stem from numerous citations OSHA issued to AT&B and its successor, AS&MW, for willful, repeat and serious violations related to fall hazards, scaffolding erection deficiencies, power tool guarding and other hazards in connection with multiple projects in the St. Louis area.  When the companies failed to comply with a court’s order enforcing OSHRC’s final order, the Labor Department sought and was granted the contempt orders by the Court. Based on determinations and recommendations of a Special Master to the Court of Appeals, the 8th Circuit Court of Appeals found all three parties in contempt, and imposed sanctions. Under the order, Brian Andre, AS&MW and Regina Shaw must pay outstanding monetary penalties, which continue to accrue interest, and other miscellaneous fees, in the current amount of $258,582.08.  AS&MW and Regina Shaw also must pay a $100 daily penalty, calculated from the time of default, in early 2008, on the OSHRC final order.   AS&MW must provide OSHA weekly notification of all current jobs, and known future jobs, at least 72 hours prior to commencement of work for a period of three years. Meanwhile, AS&MW must provide “competent person” training to all people currently and subsequently designated as jobsite “competent persons,” prior to beginning any work, and provide the secretary records of such training.

If your organization needs assistance with employment, employee benefit, workplace health and safety, corporate ethics and compliance practices, concerns or claims, please contact the author of this article, Curran Tomko Tarski LLP Labor & Employment Practice Group Chair Cynthia Marcotte Stamer.  Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization, Ms. Stamer has more than 22 years experience advising and assisting employers and others about these and other workforce management and compliance matters.  She also advises, assists, trains, audits and defends employers and others regarding the federal and state Sentencing Guideline and other compliance, equal employment opportunity, privacy, leave, compensation, workplace safety, wage and hour, workforce reengineering, and other labor and employment and defends related audits, investigations and litigation, charges, audits, claims and investigations by the ICE, IRS, Department of Labor and other federal and state regulators. Ms. Stamer also speaks, writes and conducts training extensively on these and other related matters. For additional information about Ms. Stamer and her experience, see here or to access other publications by Ms. Stamer see here or contact Ms. Stamer directly.   For additional information about the experience and services of Ms. Stamer and other members of the Curran Tomko Tarksi LLP team, see here.

Other Information & Resources

We hope that this information is useful to you. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here or e-mailing this information here or registering to participate in the distribution of our Solutions Law Press HR & Benefits Update distributions here.  Some other recent updates that may be of interested include the following, which you can access by clicking on the article title:

For important information concerning this communication click here.   If you do not wish to receive these updates in the future, send an e-mail with the word “Remove” in the Subject here.

©2010 Cynthia Marcotte Stamer. All rights reserved. 

 


Labor Department Final H-2A Certification Procedures Tighten Requirements For Employment Of Temporary Agricultural Employment Of Workers

February 11, 2010

By Cynthia Marcotte Stamer

The Labor Department is tightening requirements for the employment of temporary agricultural workers under the H-2A temporary agricultural worker program.  Final Labor Department Regulations governing the labor certification process and enforcement mechanisms for the H-2A temporary agricultural worker program will be published in tomorrow’s federal register. The rule will be effective March 15, 2010.

Among other things, the final rule includes stronger mechanisms for enforcement of the worker protection provisions required by the H-2A program by the Labor Department. It also contains provisions designed to ensure U.S. workers in the same occupation working for the same employer, regardless of date of hire, receive no less than the same wage as foreign workers.  It creates a national electronic job registry where job orders will be posted through 50 percent of the contract period.  It also prohibits cost-shifting from the employer to the worker for recruitment fees, visa fees, border crossing fees and other U.S. government mandated fees.

The H-2A nonimmigrant visa classification applies to foreign workers coming to or already in the U.S. to perform agricultural work of a temporary or seasonal nature. The U.S. Department of Homeland Security may not approve an H-2A visa petition unless the Department of Labor, through its Employment and Training Administration, certifies that there are not sufficient U.S. workers qualified and available to perform the labor involved in the petition and that the employment of the foreign worker will not have an adverse effect on the wages and working conditions of similarly employed U.S. workers.

During fiscal year 2009, employers filed 8,150 labor certification applications requesting 103,955 H-2A workers for temporary agricultural work. The Department of Labor certified 94 percent of the applications submitted for a total of 86,014 workers.

To view a fact sheet and more information about the benefits of the new H2A Rule, see here.

For Assistance

If you would like to request a copy of the regulation or have questions about or need assistance evaluating, commenting on or responding to I-9 or other employment related immigration, employment, employee benefit, workplace health and safety, corporate ethics and compliance practices, concerns or claims, please contact the author of this article, Curran Tomko Tarski LLP Labor & Employment Practice Group Chair Cynthia Marcotte Stamer.  Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization, Chair of the American Bar Association RPTE Employee Benefits & Other Compensation Group, and a Council Member on the ABA Joint Committee on Employee Benefits, Ms. Stamer has more than 22 years experience advising and assisting employers, employee benefit plans and their fiduciaries, and others about these and other workforce management and compliance matters.  Her work includes extensive experience advising and defending employers and others in relation to I-9, employment discrimination and other workforce hiring and management concerns domestically and internationally.  She also advises, assists, trains, audits and defends employers and others regarding the federal and state Sentencing Guideline and other compliance, equal employment opportunity, privacy, leave, compensation, workplace safety, wage and hour, workforce reengineering, and other labor and employment and defends related audits, investigations and litigation, charges, audits, claims and investigations by the ICE, IRS, Department of Labor and other federal and state regulators. Ms. Stamer also speaks, writes and conducts training extensively on these and other related matters. For additional information about Ms. Stamer and her experience, see here or to access other publications by Ms. Stamer see here or contact Ms. Stamer directly.   For additional information about the experience and services of Ms. Stamer and other members of the Curran Tomko Tarksi LLP team, see here.

Other Information & Resources

We hope that this information is useful to you. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here or e-mailing this information here or registering to participate in the distribution of our Solutions Law Press HR & Benefits Update distributions here.  Some other recent updates that may be of interested include the following, which you can access by clicking on the article title:

For important information concerning this communication click here.   If you do not wish to receive these updates in the future, send an e-mail with the word “Remove” in the Subject here.

©2010 Cynthia Marcotte Stamer. All rights reserved. 


COBRA, HIPAA, GINA, Mental Health Parity or Other Group Health Plan Rule Violations Trigger New Excise Tax Self-Assessment & Reporting Obligations

February 10, 2010

By Cynthia Marcotte Stamer 

New Internal Revenue Service group health plan excise tax regulations that took effect January 1, 2010 now require that group health plans, their employers or other sponsors or others administering group health plans file an excise tax return self-reporting  violations of the medical coverage continuation requirements of the Consolidated Omnibus Budget Reconciliation Act (COBRA); the non-discrimination, special enrollment and creditable coverage requirements of the Health Insurance Portability & Accountability Act (HIPAA);  the Genetic Information Nondiscrimination Act (GINA), the Mental Health Parity and Addiction Equity Act (MHPAEA), the Newborns’ and Mothers’ Health Protection Act (NMHPA), Michelle’s Law, health savings account (HAS) comparable employer contribution rules or certain other federal group health plan mandates to file an excise tax return. The addition of the excise tax reporting requirement adds to the already significant potential costs and liabilities that group health plans, their sponsors and administrators may face for violation of these or other federal group health plan mandates under the Internal Revenue Code (Code) or other applicable laws.  As a consequence, plan sponsors, administrators and others involved in the design and administration of group health plans subject to these requirements should ensure that their plan documents, policies and procedures -including those provided through third party service providers – properly are updated and administered in compliance with the applicable federal requirement and that proper steps are taken to timely correct any noncompliance issues that may arise in connection with the ongoing administration of their programs.

Numerous Changes In Law Enhance The Risk Plans Noncompliant

Group health plans, their sponsors, fiduciaries, insurers and administrators must deal with an already complex, and ever expanding array of federal requirements governing the design and administration of group health plans imposed by the Code, the Employee Retirement Income Security Act, the Social Security Act and various other federal laws. Federal law increasingly is curtailing the significant latitude that employers and unions once enjoyed in deciding the benefits, eligibility and other terms and conditions of their group health plans. Noncompliance risks presently are particularly high now in light of the significant number of changes to these requirements that took effect or will take effect during 2009 and 2010.   As part of the range of damages, penalties or other liabilities that can arise when these requirements are violated, the Code imposes excise taxes upon employers or certain other parties involved with group health plans that fail to meet the Code’s COBRA, HIPAA GINA, MHPAEA, Michelle’s Law, HSA comparability, or certain other group health plan rules.  The excise tax amount triggered is generally $100 per individual for each day of noncompliance. However, for the HSA comparable employer contribution requirements, the excise tax generally equals 35% of all employer contributions made to all HSAs during the applicable calendar year.

Excise Tax Self-Assessment & Reporting Mandates Increase Potential Noncompliance Costs

Prior to 2010, the IRS generally did not require employers or other plans sponsors subject to these excise taxes to report group health plan noncompliance or assess these excise taxes as part of an IRS audit. However, final regulations published last September changed this policy. Effective January 1, 2010, the new regulations now require that group health plan sponsors to self report and pay applicable excise taxes if their group health plan fails to comply with any of the various federal group health plan mandates subject to the new regulations unless the employer or other responsible party demonstrates that it is excused from the reporting requirement under the Code or Regulations.

The timing of the required reporting may vary based on the nature of the group health plan and other factors.  For most violations involving a single employer group health plans, the sponsoring  employer generally must report the applicable excise tax on IRS Form 8928 (Return of Certain Excise Taxes Under Chapter 43 of the Internal Revenue Code), and pay the tax when reported. Penalties and interest may be assessed for failure to do so on or before the due date (without extension) of the employer’s federal income tax return. When a COBRA violation occurs, however, an insurer or third-party administrator may in some cases be responsible for the payment or reporting of the excise tax in some circumstances. When this is the case, the tax generally will be due by the due date (without extension) of the insurer’s or administrator’s federal income tax return. For multiemployer plans and multiple employer health plans, the return generally will be due by the last day of the seventh month after the end of the plan year. For noncompliance with the HSA comparable employer contribution requirements, the excise tax and Form 8928 must be filed on or before the 15th day of the fourth month following the calendar year in which the employer made the noncomparable contributions.

Recommended Steps To Manage Risks

Ongoing and continuously evolving changes in the requirements applicable to group health plans under the Code and other laws and regulations have significantly increased the likelihood that many group health plans and their processes, forms and procedures may not fully comply with applicable requirements.  This often is the case even where the plan sponsor has engaged highly respected insurers, consultants or administrators to assist with the design or administration of its programs.  In light of the potentially significant damage, excise tax and other penalty and other liability risks that violations can trigger, plan sponsors, insurers and administrators should among other things:

  • Review and update as necessary their existing plan documents and related practices for compliance with applicable federal mandates;
  • Monitor and react promptly to update plan terms and procedures as changes occur;
  • Implement and administer appropriate procedures to identify and redress compliance problems on a timely basis;
  • Review the adequacy of vendor compliance and tighten vendor agreements to strengthen the enforceability of quality expectations and to enhance the potential for recourse if these quality commitments are not met; and
  • Evaluate the advisability of securing liability insurance or other back up protection to help mitigate potential liability, investigation and/or defense costs that may arise if the need to investigate or defend a compliance challenge arises.

For Help In  Managing Your Risk

If your organization needs assistance with monitoring, assessing, managing or defending these or other health or other employee benefit, labor and employment, or compensation practices, please contact the author of this article, Curran Tomko Tarski LLP Labor & Employment Practice Group Chair Cynthia Marcotte Stamer or another Curran Tomko Tarski LLP attorney of your choice.  Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization and Chair of the American Bar Association RPTE Employee Benefits & Other Compensation Group and a nationally recognized author and speaker, Ms. Stamer is experienced with assisting employers and others about compliance with health and other employee benefit, labor and employment laws, safety, compensation, insurance, and other laws.  She also advises and defends employers and other plan sponsors, fiduciaries, employee benefit plans and others about litigation and other disputes relating to these matters, as well as charges, audits, claims and investigations by the IRS, Department of Labor and other federal and state regulators. She has counseled and represented employers on these and other workforce matters for more than 22 years. Ms. Stamer also speaks and writes extensively on these and other related matters. For additional information about Ms. Stamer and her experience or to access other publications by Ms. Stamer see here or contact Ms. Stamer directly.   For additional information about the experience and services of Ms. Stamer and other members of the Curran Tomko Tarksi LLP team, see here.

Other Information & Resources

We hope that this information is useful to you. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here or e-mailing this information here or registering to participate in the distribution of our Solutions Law Press HR & Benefits Update distributions here.  Examples of other recent updates that may be of interest include:

For important information concerning this communication click here.   If you do not wish to receive these updates in the future, send an e-mail with the word “Remove” in the Subject here.

©2009 Cynthia Marcotte Stamer. All rights reserved.


Inapplicability of HIPAA Privacy To Disability Insurer Not License To Impose Unreasonable Claims Requirements

February 8, 2010

By Cynthia Marcotte Stamer 

While finding the Privacy Standards imposed by the Health Insurance Portability & Accountability Act (HIPAA) inapplicable to disability insurers, a recent Louisiana Court of Appeals nevertheless ruled that the insurer was not entitled to dismissal of the lawsuit challenging the denial of disability benefits brought by a state employee for failure to meet proof of loss requirements based on his failure to sign insurer required medical authorization.  Disability insurers and plan fiduciaries should heed the decision as a reminder that exemption from HIPAA does not amount to a license to impose unreasonable proof of loss or requirements inconsistent with a reasonable reading of the terms of the applicable plan or policy, or other applicable regulations.

Harris v. Metropolitan Life Ins. Co., — So.3d —-, 2010 WL 415262, 2009-0034 (La.App. 1 Cir. 2/5/10), involved a lawsuit challenging the continuing  refusal of Metropolitan Life Insurance to and its designates to approve the disability benefit claim of Louisiana Supreme Court employee Jack Harris.  Metropolitan repeatedly asked insisted that Mr. Harris submit to a physical examination and sign various medical and other authorizations including an “Attending Physician’s Statement” and an “Employee Authorization,” and sign certain other documents.  While Mr. Harris sent the “Attending Physician’s Statement” to his treating physician, he declined to sign the Employee Authorization and certain other subsequently requested consents on the grounds of HIPAA.  While  he provided to a HIPAA-compliant authorizations to his medical providers to release  all medical records, medical opinions, and medical reports relating to Mr. Harris’ past and current treatment for purposes of the claim, he declined and instead filed suit contending that the information and releases already provided met the proof of loss requirements of the policy.

Upon motion of Metropolitan, the trial court found that Mr. Harris’ failure to sign the authorizations and submit to the medical examination required by Metropolitan rendered his claim “premature.”  Upon appeal, however, the Court of Appeals overruled this determination.  While the Court of Appeals agreed with the trial court that the special authorization rules imposed by HIPAA did not apply to a disability insurer such as Metropolitan, it also ruled that its right to require a claimant to sign authorizations, submit to medical examinations or meet other proof of loss conditions must be reasonable in light of the terms of the policy.  Accordingly, although the Court of Appeals agreed that the proof of loss and other provisions of the disability policy authorized Metropolitan to require a disability claimant to undergo an independent medical examination “as often as reasonably required,” the Court of Appeals ruled that Mr. Harris’ submission to the independent medical examination was not a condition precedent to the initiation of litigation by an insured and that the “medical authorization” demanded by Metropolitan was far broader than what the policy allowed as reasonably required for the independent medical examination.  Accordingly, the Court of Appeals overruled the trial court’s dismissal of the disability claim and remanded the action to the trial court for hearing.

While affirming that the HIPAA Privacy Standards don’t directly apply to disability insurers, the Harris decision also demonstrates that disability insurers should not over-estimate the effect of this exemption. While HIPAA may not apply, disability insurers generally remain bound by the reasonable construction of their policy terms, taking into account otherwise applicable laws and regulations.  Accordingly, disability and other HIPAA-exempt insurers and plans should not confuse the inapplicability of the HIPAA authorization requirements for carte blanche to impose unreasonable authorization or other proof of loss requirements inconsistent with their policy terms.

If you have questions about or need assistance evaluating, commenting on or responding to this invitation or other employee benefit, employment, compensation, employee benefit, workplace health and safety, corporate ethics and compliance practices, concerns or claims, please contact the author of this article, Curran Tomko Tarski LLP Labor & Employment Practice Group Chair Cynthia Marcotte Stamer.  Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization, Chair of the American Bar Association RPTE Employee Benefits & Other Compensation Group, and a Council Member on the ABA Joint Committee on Employee Benefits, Ms. Stamer has more than 22 years experience advising and assisting employers, employee benefit plan and their fiduciaries, insurers, administrators, and others about policy and plan, process, and product design, administration, documentation, risk management and defense under ERISA, COBRA, HIPAA, labor and employment, tax, state banking and insurance, and other laws.  Her work includes extensive experience advising and defending employee benefit plan fiduciaries and insurers about the investigation of disability, health and other claims and appeals.  She also advises, assists, trains, audits and defends employers and others regarding the federal and state Sentencing Guideline and other compliance, equal employment opportunity, privacy,  leave, compensation, workplace safety, wage and hour, workforce reengineering, and other labor and employment and defends related audits, investigations and litigation, charges, audits, claims and investigations by the IRS, Department of Labor and other federal and state regulators. Ms. Stamer also speaks, writes and conducts training extensively on these and other related matters. For additional information about Ms. Stamer and her experience, see here or to access other publications by Ms. Stamer see here or contact Ms. Stamer directly.   For additional information about the experience and services of Ms. Stamer and other members of the Curran Tomko Tarksi LLP team, see here.

Other Information & Resources

We hope that this information is useful to you. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here or e-mailing this information here or registering to participate in the distribution of our Solutions Law Press HR & Benefits Update distributions here.  Some other recent updates that may be of interested include the following, which you can access by clicking on the article title:

For important information concerning this communication click here.   If you do not wish to receive these updates in the future, send an e-mail with the word “Remove” in the Subject here.

©2010 Cynthia Marcotte Stamer. All rights reserved. 


Follow

Get every new post delivered to your Inbox.

Join 526 other followers