11/5 Deadline For Many Health Plans To Get Health Plan ID From CMS

October 21, 2014

With the November 5, 2014 deadline for “controlling health plans” (CHPs) (except small health plans) to obtain the Health Plan Identifier (HPID) required by the Department of Health and Human Services (HHS) Administrative Simplification: Adoption of a Standard for a Unique Health Plan Identifier Final Rule (Final Rule) approaching, the Centers for Medicare & Medicaid Services (CMS) is working to streamline the process CHPs use to get the HPID.

Part of CMS’ continuing implementation of electronic transaction requirements enacted as part of the Administrative Simplification reforms of the Health Insurance Portability & Accountability Act (HIPAA) to reduce the cost of processing health payment transactions, the HPID requirement may apply to self-insured group health plans sponsored by employers.  A self-insured health plan must answer two questions to determine whether it must obtain a HPID.

  • Does it meet the definition of health plan under 45 CFR 160.103? A health plan is an individual or group plan that provides or pays the cost of medical care (as defined in 45 CFR 160.103).
  • If it meets the definition of a health plan, is it a controlling health plan (CHP)? A CHP is a health plan that controls its own business activities, actions, or policies, or is controlled by an entity that is not a health plan.
  • A health plan is also a CHP if it has one or more sub health plans that it controls by directing the SHP’s business activities, actions, or policies.

The deadline for compliance with the HPID requirement generally depends upon the annual receipts of the CHP. The November 5, 2014 deadline generally applies to CHPs other than small health plans, which get an extra year to obtain their HPID. Small health plans generally are those with annual receipts of $5 million or less. Small health plans must obtain a HPID by November 5, 2015.

For insured group and individual health plans, the insurance carrier is the entity responsible for obtaining the HPID.  In these fully insured arrangements, the Final Rule provides that insured individual employer plans are sub health plans (SHPs) to the fully insured CHPs which are permitted but not required to get their own HPID.

In contrast, when a self-insured health plan is a CHP, responsibility for obtaining the required HPID rests with the health plan.   However, CMS guidance allows the self-insured CHP to have  its third party administrator or another party help it negotiate the process of getting the required HPID.

To obtain a HPID, a CHP must:

  • Create an account in the CMS Enterprise Portal to obtain a user ID and password.
  • Select the link to register in the Health Insurance Oversight System (HIOS).
  • After registering in HIOS, select the link for the Health Plan and Other Entity Enumeration System (HPOES), and follow the prompts.

CMS has posted a User Manual and a Systems Quick Guide to help CHPs obtain their HPID and otherwise use the Health Plan and Other Entity Enumeration System (HPOES).

Growing pains in the evolution of the HPID guidance and HPOES system have prompted CMS to make several refinements to the guidance and the system. Recently, CMS updated the HPOES to allow multiple controlling health plans to register for a HPID using a single employer identification number (EIN). Also, on October 14, 2014, CMS announced the release of a software enhancement to HPOES which streamlines the HPID application process so that the system automatically approves the application and generates an HPID upon submission. CMS has updated two resources to help health plans register for an HPID:

  • A revised Quick Guide to obtaining an HPID for controlling health plans
  • An updated User Manual, which provides details about the registration process.

Employers and others sponsoring or administering these arrangements should confirm that the HPID is timely obtained for their health plan if and when required. If planning to rely upon a third party administrator or other service provider, the employer or other sponsor should consider including the agreement between the parties concerning the allocation of these responsibilities in its administrative or other services agreement with that vendor.

The HPID requirement is just one of many evolving requirements for health plans. As the U.S. Department of Labor and other agencies are stepping up health plan audits and enforcement, employer and other health plan sponsors and fiduciaries generally will want not only to review their health plan documentation, processes and procedures for compliance, but also to retain documentation of these efforts. To the extent that the sponsor or a fiduciary relies upon a third party administrator, broker, consultant or other third party to design or administer the program, it should confirm that the parties have in place required business associate or other confidentiality agreements as well as document other compliance and performance expectations in a carefully crafted written agreement.

About Author Cynthia Marcotte Stamer

If you need help reviewing or updating your health benefit program for compliance or with any other employment, employee benefit, compensation or internal controls matter, please contact the author of this article, attorney Cynthia Marcotte Stamer.

A Fellow in the American College of Employee Benefits Council, immediate past-Chair and current Welfare Benefit Committee Co-Chair of the American Bar Association (ABA) RPPT Employee Benefits & Other Compensation Arrangements, an ABA Joint Committee on Employee Benefits Council Representative, the ABA TIPS Employee Benefit Plan Committee Vice Chair, former ABA Health Law Section Managed Care & Insurance Interest Group Chair, past Southwest Benefits Association Board Member, Employee Benefit News Editorial Advisory Board Member, and a widely published speaker and author, Ms. Stamer has more than 24 years’ experience advising businesses, plans, fiduciaries, insurers, plan administrators and other services providers, and governments on health care, retirement, employment, insurance, and tax program design, administration, defense and policy. Nationally and internationally known for her creative and highly pragmatic knowledge and work on health benefit and insurance programs, Ms. Stamer’s experience includes extensive involvement in advising and representing these and other clients on ACA and other health care legislation, regulation, enforcement and administration.

Widely published on health benefit and other related matters, Ms. Stamer’s insights and articles have been published by HealthLeaders, Modern Health Care, Managed Care Executive, the Bureau of National Affairs, Aspen Publishers, Business Insurance, Employee Benefit News, the Wall Street Journal, the American Bar Association, World At Work, Spencer Publications, SHRM, the International Foundation, Solutions Law Press and many others.

For additional information about Ms. Stamer and her experience, see www.CynthiaStamer.com.

About Project COPE: The Coalition On Patient Empowerment & Its  Coalition on Responsible Health Policy

Sharing and promoting the use of practical practices, tools, information and ideas that patients and their families, health care providers, employers, health plans, communities and policymakers can share and offer to help patients, their families and others in their care communities to understand and work together to better help the patients, their family and their professional and private care community plan for and manage these  needs is the purpose of Project COPE.

The best opportunity to improve access to quality, affordable health care for all Americans is for every American, and every employer, insurer, and community organization to seize the opportunity to be good Samaritans.  The government, health care providers, insurers and community organizations can help by providing education and resources to make understanding and dealing with the realities of illness, disability or aging easier for a patient and their family, the affected employers and others. At the end of the day, however, caring for people requires the human touch.  Americans can best improve health care by not waiting for someone else to step up:  Speak up, step up and help bridge the gap when you or your organization can do so by extending yourself a little bit.  Speak up to help communicate and facilitate when you can.  Building health care neighborhoods filled with good neighbors throughout the community is the key.

The outcome of this latest health care reform push is only a small part of a continuing process.  Whether or not the Affordable Care Act makes financing care better or worse, the same challenges exist.  The real meaning of the enacted reforms will be determined largely by the shaping and implementation of regulations and enforcement actions which generally are conducted outside the public eye.  Americans individually and collectively clearly should monitor and continue to provide input through this critical time to help shape constructive rather than obstructive policy. Regardless of how the policy ultimately evolves, however, Americans, American businesses, and American communities still will need to roll up their sleeves and work to deal with the realities of dealing with ill, aging and disabled people and their families.  While the reimbursement and coverage map will change and new government mandates will confine providers, payers and patients, the practical needs and challenges of patients and families will be the same and confusion about the new configuration will create new challenges as patients, providers and payers work through the changes.

For Help Or More Information

If you need assistance in auditing or assessing, updating or defending your organization’s compliance, risk management or other internal controls practices or actions, please contact the author of this update, attorney Cynthia Marcotte Stamer, at (469)767-8872.

Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization, management attorney and consultant Ms. Stamer is nationally and internationally recognized for more than 24 years of work helping employers and other management; employee benefit plans and their sponsors, administrators, fiduciaries; employee leasing, recruiting, staffing and other professional employment organizations; and others design, administer and defend innovative workforce, compensation, employee benefit and management policies and practices. Her experience includes extensive work helping employers implement, audit, manage and defend union-management relations, wage and hour, discrimination and other labor and employment laws, privacy and data security, internal investigation and discipline and other workforce and internal controls policies, procedures and actions. The Chair of the American Bar Association (ABA) RPTE Employee Benefits & Other Compensation Committee, a Council Representative on the ABA Joint Committee on Employee Benefits, Government Affairs Committee Legislative Chair for the Dallas Human Resources Management Association, and past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, Ms. Stamer works, publishes and speaks extensively on management, reengineering, investigations, human resources and workforce, employee benefits, compensation, internal controls and risk management, federal sentencing guideline and other enforcement resolution actions, and related matters. She also is recognized for her publications, industry leadership, workshops and presentations on these and other human resources concerns and regularly speaks and conducts training on these matters. Her insights on these and other matters appear in the Bureau of National Affairs, Spencer Publications, the Wall Street Journal, the Dallas Business Journal, the Houston Business Journal, and many other national and local publications.

For additional information about Ms. Stamer and her experience or to access other publications by Ms. Stamer see here or contact Ms. Stamer directly.

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested in reviewing some of our other Solutions Law Press resources at www.solutionslawpress.com.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here or e-mailing this information here.

©2014 Cynthia Marcotte Stamer.  Non-exclusive right to republish granted to Solutions Law Press.  All other rights reserved.


New EEOC Lawsuit Challenges Orion Energy Systems Employee Benefit Program Under ADA

September 19, 2014

Employers using or considering using health risk assessments or other wellness programs should carefully monitor a new Equal Employment Opportunity Commission (EEOC) lawsuit, EEOC v. Orion Energy Systems, Civil Action 1:14-cv-01019 (E.D.Wis.), which is the first time the EEOC has sued an employer under the Americans With Disabilities Act (ADA) based on the employer’s wellness program.

Although the alleged facts in Orion suggest its practices might be much more aggressive than those in common use by most employers, the principles argued by the EEOC in Orion raise potential concerns for the growing number of employers relying on health risk assessment and other wellness programs to help manage health benefit costs, employee disabilities, and other concerns.

According to the Kaiser Family Foundation, the use of health risk assessments and other wellness programs is increasingly common. The majority of employers reportedly now offer some sort of wellness program — 94 percent of employers with over 200 workers, and 63 percent of smaller ones.

Employers that use these arrangements generally believe their health risk assessment or other wellness benefit passes legal muster as long as it complies with standards established in final regulations amending the nondiscrimination requirements of the Health Insurance Portability & Accountability Act (HIPAA). The sponsors of these arrangements often are unaware of or discount the likelihood that the EEOC might view these and other wellness benefit arrangements as violating the ADA prohibitions against medical inquiries that are not both job related and necessary to the job or other ADA disability discrimination prohibitions.

In Orion, the EEOC contends that Orion instituted a wellness program that required medical examinations and made disability-related inquiries.  When employee Wendy Schobert declined to participate in the program, Orion shifted responsibility for payment of the entire premium for her employee health benefits from Orion to Schobert. Shortly thereafter, Orion fired Schobert.

The EEOC charges Orion violated federal law by requiring an employee to submit to medical exams and inquiries that were not job-related and consistent with business necessity as part of a so-called “wellness program,” which the EEOC charges was not voluntary, and then by firing the employee when she objected to the program.

The EEOC maintains that Orion’s wellness program violated the ADA as applied to Schobert. Additionally, the EEOC charges Orion wrongfully retaliated against Schobert because of her good-faith objections to the wellness program. The EEOC further asserts that Orion interfered with Schobert’s exercise of her federally protected right to not be subjected to unlawful medical exams and disability-related inquiries.

“Employers certainly may have voluntary wellness programs — there’s no dispute about that — and many see such programs as a positive development,” said John Hendrickson, regional attorney for the EEOC Chicago district. “But they have to actually be voluntary. They can’t compel participation by imposing enormous penalties such as shifting 100 percent of the premium cost for health benefits onto the back of the employee or by just firing the employee who chooses not to participate. Having to choose between responding to medical exams and inquiries — which are not job-related — in a wellness program, on the one hand, or being fired, on the other hand, is no choice at all.”

The Orion litigation reminds businesses of the advisability of properly designing and managing wellness programs to comply with applicable legal requirements.

Financial or other incentive and reward programs of course must be designed to comply with HIPAA’s nondiscrimination rules, the ADA and privacy rules. Privacy requirements also can be a challenge under these laws unless information collected from screening and other wellness and disease management activities is carefully collected, routed and handled to comply with HIPAA, GINA and other privacy rules. See, e.g., EBSA Issues Guidance on Health Plan Wellness & Disease Management Programs Subject to HIPAA Nondiscrimination Rules; ADAAA Amendment Broader “Disability Definition Not Retroactive, Employer Action Needed To Manage Post 1/1/2009 Risks; Businesses Face Rising Disability Discrimination Enforcement Risks; EEOC Finalizes Updates To Disability Regulations In Response to ADA Amendments Act.

Employers and health plans also should review the existing preventive care coverage provided in their health plans to ensure compliance with expanded federal mandates enacted as part of the sweeping new federal health care reform law. See e.g., Affordable Care To Require Health Plans Cover Contraception & Other Women’s Health Procedures.

If you need assistance addressing the legal requirements of your wellness program or other workforce, employee benefit, compensation or risk management concern, contact the author of this update. We also encourage you and others to help develop real meaningful improvements by joining Project COPE: Coalition for Patient Empowerment here by sharing ideas, tools and other solutions and other resources. The Coalition For Responsible Health Care Policy provides a resource that concerned Americans can use to share, monitor and discuss the Health Care Reform law and other health care, insurance and related laws, regulations, policies and practices and options for promoting access to quality, affordable healthcare through the design, administration and enforcement of these regulations. You also can access information about how you can arrange for training on “Building Your Family’s Health Care Toolkit,” using the “PlayForLife” resources to organize low cost wellness programs in your workplace, school, church or other communities, and other process improvement, compliance and other training and other resources for health care providers, employers, health plans, community leaders and others here.

About Author Cynthia Marcotte Stamer

If you need help reviewing or updating your health benefit program for compliance with ACA or other laws or with any other employment, employee benefit, compensation or internal controls matter, please contact the author of this article, attorney Cynthia Marcotte Stamer.

A 2011 inductee to the American College of Employee Benefits Council, immediate past-Chair and current Welfare Benefit Committee Co-Chair of the American Bar Association (ABA) RPPT Employee Benefits & Other Compensation Arrangements, an ABA Joint Committee on Employee Benefits Council Representative, the ABA TIPS Employee Benefit Plan Committee Vice Chair, former ABA Health Law Section Managed Care & Insurance Interest Group Chair, past Southwest Benefits Association Board Member, Employee Benefit News Editorial Advisory Board Member, and a widely published speaker and author, Ms. Stamer has more than 24 years’ experience advising businesses, plans, fiduciaries, insurers, plan administrators and other services providers, and governments on health care, retirement, employment, insurance, and tax program design, administration, defense and policy. Nationally and internationally known for her creative and highly pragmatic knowledge and work on health benefit and insurance programs, Ms. Stamer’s experience includes extensive involvement in advising and representing these and other clients on ACA and other health care legislation, regulation, enforcement and administration.

©2011 Cynthia Marcotte Stamer.  Non-exclusive right to republish granted to Solutions Law Press.  All other rights reserved.


Review & Update HR & Benefit Practices For DOL Proposed Change In FMLA Regs, Other Rules Treating Some Same-Sex Couples As Spouses

July 8, 2014

August 11, 2014 is the deadline for employers and other interested individuals to comment on the  U.S. Department of Labor’s Wage and Hour Division (DOL) June 27, 2014 Notice of Proposed Rulemaking (NPRM), which would amend the definition of spouse under the current Family and Medical Leave Act of 1993 (FMLA) regulations in light of the United States Supreme Court’s decision in United States v. Windsor, which ruled unconstitutional section 3 of the Defense of Marriage Act (DOMA).  The proposed change is one of a series of regulatory changes that the Obama Administration has proposed or adopted since the Windsor decision.

DOL intends that the NPRM will replace the current definition of “spouse” in its current FMLA regulations so that eligible employees in legal same-sex marriages will be able to take FMLA leave to care for their spouse or family member, regardless of where they live.

To accomplish this, the NPRM proposes to revise the current definition of spouse in the current FMLA regulations to define spouse as follows: Spouse, as defined in the statute, means a husband or wife. For purposes of this definition, husband or wife refers to the other person with whom an individual entered into marriage as defined or recognized under State law for purposes of marriage in the State in which the marriage was entered into or, in the case of a marriage entered into outside of any State, if the marriage is valid in the place where entered into and could have been entered into in at least one State. This definition includes an individual in a same-sex or common law marriage that either (1) was entered into in a State that recognizes such marriages or, (2) if entered into outside of any State, is valid in the place where entered into and could have been entered into in at least one State.

Among other things, this change will:

  • Replace the current “state of residence” rule for determining marital status with a rule that determines spousal status based on where the marriage was entered into (sometimes referred to as the “place of celebration” rule);
  • Revise the definition of spouse expressly to reference same-sex marriages in addition to common law marriages, and to encompass same-sex marriages entered into abroad that could have been entered into in at least one State.

The expanded definition of spouse will broaden the range of couples that employers and plans may be required to treat as spouses for purposes of the FMLA. This expansion also may result in the extension of rights with respect to parents or children of a same-sex partner for certain employment or employee benefit purposes. While the historical determination of parental relationships under the FMLA regulations based on a functional, rather than legalistic, test means that the proposed change will likely have less significance in this regard, employers and plans still should evaluate the potential implications of the expanded definition of spouse on their responsibilities with respect to the employees, their same-sex partners and the parents and children of the same-sex partners.

Also, many employers and employee benefit plans may be concerned about proposed language in the NPRM and other regulations requiring employers to decide if a marriage not valid in the United States could have been valid if performed within the United States.  Likewise, as the number of states where same-sex partners can qualify as spouses continues to evolve as courts and legislatures act to require recognition of these relationships, many employers and plans may feel legitimate concerns about the operational demands of administering their human resources and employee benefit plans and policies with respect to individuals involved in same-sex relationships where the legal status of the relationship may evolve due to changes of law, creating responsibilities for the employer or plan with respect to relationships that it may not know exist or the status of which may change subsequent to a determination of marital status or other relevant decision.  Employers and employee benefit plans should consider adopting practices to address these challenges to minimize the risk of incurring liability as a result of an oversight resulting from evolving status.

 For Representation, Training & Other Resources

If you need assistance monitoring these and other regulatory policy, enforcement, litigation or other developments, or to review or respond to these or other workforce, benefits and compensation, performance and risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer may be able to help.

Board Certified in Labor & Employment Law, Past Chair of the ABA RPTE Employee Benefit & Other Compensation Arrangements Group, Co-Chair and Past Chair of the ABA RPTE Welfare Plan Committee, Vice Chair of the ABA TIPS Employee Benefit Plans Committee, Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 25 years’ experience advising employers, health plan and other employee benefit, insurance, financial services, health and other business clients about these and other matters. As a part of this involvement, Ms. Stamer has extensive experience advising employers, employee benefit plans, insurers, health care providers and others about the implications of DOMA and other rules impacting the identification of spouses and other family status protections under the FMLA and other Federal and state employment, tax, health care and other laws. She publishes and speaks extensively on these and other staffing and human resources, compensation and benefits, technology, health care, privacy, public policy, and other operations and risk management concerns. Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and many other national and local publications.

You can review other recent human resources, employee benefits and internal controls publications and resources and additional information about the employment, employee benefits and other experience of Cynthia Marcotte Stamer, PC here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile at www.cynthiastamer.com or by registering to participate in the distribution of these and other updates on our HR & Employee Benefits Update here.

For important information concerning this communication click here. ©2014 Cynthia Marcotte Stamer. Limited, non-exclusive right to republish granted to Solutions Law Press, Inc. All other rights reserved.


Employee & Other Whistleblower Complaints Common Source of HIPAA Privacy & Other Complaints

July 7, 2014

Employer and other health plan sponsors, administrators, insurers and their business associates should heed two lessons from the latest Health Insurance Portability & Accountability Act (HIPAA) resolution agreement: the lesson about properly protecting health plan documents with protected health information, and the more subtle lesson about the role of employees and other whistleblowers in bringing these violations to the attention of regulators. They also should act to manage their potential employment-related liability to workforce members reporting these violations.

HIPAA’s Privacy, Security and Breach Notification Rules generally prohibit health plans, health care providers, health care clearinghouses (Covered Entities) and their business associates from creating, using, accessing or disclosing protected health information except as allowed by HIPAA. In addition, HIPAA requires covered entities both to meet detailed criteria for protecting electronic protected health information and also to take reasonable steps to protect all protected health information, as well as meet other business associate, breach notification, and individual rights requirements.

Parkview Resolution Agreement

Late last month, the Department of Health & Human Services Office of Civil Rights (HHS) announced that complaints of a retiring physician over the mishandling of her patient records by Parkview Health System, Inc. (Parkview) prompted the investigation that led Parkview to agree to pay $800,000 to settle charges that it violated HIPAA’s Privacy Rule.

The resolution agreement settles charges lodged by HHS based on an OCR investigation into the retiring physician’s allegations that Parkview violated the HIPAA Privacy Rule by failing to properly safeguard the records when it returned them to the physician following her retirement.

As a covered entity under the HIPAA Privacy Rule, HIPAA requires that Parkview appropriately and reasonably safeguard all protected health information in its possession, from  acquisition to disposition.

In an investigation prompted by the physician’s complaint, OCR found that Parkview breached this responsibility in its handling of certain physician patient records in helping the physician to transition to retirement.

According to OCR, in September 2008, Parkview took custody of medical records of approximately 5,000 to 8,000 patients while assisting the retiring physician to transition her patients to new providers, and while considering the possibility of purchasing some of the physician’s practice.

Subsequently on June 4, 2009, Parkview employees, with notice that the physician was not at home, left 71 cardboard boxes of these medical records unattended and accessible to unauthorized persons on the driveway of the physician’s home, within 20 feet of the public road and a short distance away from a heavily trafficked public shopping venue. OCR concluded this conduct violated the Privacy Rule.

To settle OCR’s charges that these actions violated HIPAA, Parkview has agreed to pay the $800,000 resolution amount and to adopt and implement a corrective action plan requiring Parkview to revise its policies and procedures, train staff, and provide an implementation report to OCR.

HIPAA Violations Carry Significant Liability

As demonstrated by the Parkview resolution agreement, violation of HIPAA can carry significant civil and potentially even criminal liability. The criminal provisions of HIPAA as well as the express terms of the Privacy Rules require that covered entities and their business associates adopt and administer specific compliance programs and practices to provide for compliance with HIPAA, and HIPAA’s breach notification rules and the Privacy Regulations may require self-reporting of violations when and if violations occur. Since HIPAA includes potential criminal liability, violations of its provisions can trigger organizational liability for covered entities and their business associates. Consequently, HIPAA compliance also generally should be part of the Federal Sentencing Guideline Compliance Program of every covered entity and business associate.

The HITECH Act tightened certain rules applicable to the use, access or disclosure of protected health information by covered entities and their business associates. In addition, the HITECH Act added breach notification rules, extended direct responsibility for compliance with HIPAA to business associates, increased penalties for noncompliance with HIPAA, made other refinements to HIPAA’s medical privacy rules, and made certain other changes. Furthermore, enforcement of HIPAA and the resulting penalties have increased since the HITECH Act took effect.

With OCR stepping up both audits and enforcement and penalties for violations higher than ever since the HITECH Act amended HIPAA, Covered Entities and business associates should act quickly to review and update their policies, practices and training to implement any adjustments needed to maintain compliance and manage other risks under these ever-evolving HIPAA standards.

When conducting these efforts, Covered Entities and business associates should not only carefully watch for and react promptly to new OCR guidance and enforcement actions, but also document their commitment and ongoing compliance and risk management activities to help support their ability to show their organization maintains the necessary “culture of compliance” commitment needed to mitigate risks in the event of a breach or other HIPAA violation and take well-documented, reasonable steps to encourage their business associates to do the same. When carrying out these activities, most covered entities and business associates also will want to take steps to monitor potential responsibilities and exposures under other federal and state laws like the privacy and data security requirements that often apply to personal financial information, trade secrets or other sensitive data under applicable federal and state laws and judicial precedent.

A series of supplemental guidance issued by the Department of Health & Human Services Office of Civil Rights (OCR) in recent weeks is giving health care providers, health plans, health care clearinghouses (Covered Entities) and their business associates even more to do in reviewing and updating their policies, practices and training for handling protected health information (PHI) beyond bringing their policies and practices into line with OCR’s restatement and update to the Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule (Omnibus Final Rule) OCR published January 25, 2013.

Covered Entities generally have been required to comply with most requirements of the Omnibus Final Rule, which restated OCR’s regulations implementing the Health Insurance Portability & Accountability Act (HIPAA) Privacy, Security and Breach Notification Rules to reflect HIPAA amendments enacted by the Health Information Technology for Economic and Clinical Health (HITECH) Act, since the Omnibus Final Rule took effect on March 26, 2013, and to have updated business associate agreements in place since September 23, 2013. Meanwhile, the Omnibus Final Rule generally has required business associates to have updated business associate agreements in place and otherwise to have come into compliance with all of the applicable requirements of the Omnibus Final Rule since September 23, 2013. Although these deadlines are long past, many Covered Entities and business associates have yet to complete the policy, process and training updates required to comply with the rule changes implemented in the Omnibus Final Rule.

Even if a Covered Entity or business associate completed the updates required to comply with the Omnibus Final Rule, however, recent supplemental guidance published by OCR means that most organizations now have even more work to do on HIPAA compliance. This includes the following supplemental guidance on its interpretation and enforcement of HIPAA against Covered Entities and business associates published by OCR since January 1, 2014 alone:

Beyond this 2014 guidance, Covered Entities and their business associates also should look at enforcement actions and data as well as other guidance OCR issued during 2013 after publishing the Omnibus Final Rule such as:

Watch & Manage Whistleblower Liability From HIPAA Violations & Compliance

Beyond illustrating the potential HIPAA-associated penalties that can result from failing to comply with HIPAA, the Parkview resolution agreement also illustrates the role that current or former workforce members and others acting as whistleblowers play in helping OCR to identify HIPAA violations. HIPAA and most other laws prohibit covered entities from forbidding or retaliating against a person for objecting to or reporting the concern and offer whistleblowers potential participation in the reporting and prosecution of violations. Beyond these specific federal HIPAA protections, state courts often recognize firing or otherwise retaliating against workforce members or others for exercising rights protected by HIPAA or other federal anti-retaliation statutes as a basis for a state whistleblower or other retaliatory discharge claim. See, e.g. Faulkner v. Department of State Health Servs., 2009 U.S. Dist. LEXIS 22419 (N.D. Tex. Mar. 19, 2009). See also Court Recognizes Retaliation For Filing HIPAA Privacy Complaint As Basis For Texas Whistleblower Claim. With retaliation and other whistleblower complaints becoming increasingly common and judgments from these claims rising, covered entities and their business associates need to include appropriate employment liability risk management processes and procedures in their HIPAA compliance processes and coordinate carefully with their human resources team and qualified employment counsel to manage the employment liability related risks associated with investigations and discipline activities under HIPAA.

Concurrently, Privacy Officers also should ensure that their organization’s human resources team understands the HIPAA rules and spots and properly refers to the privacy officer for investigation any statements or other activities that may indicate that a HIPAA compliance or retaliation concern needs investigation or redress, to avoid missing potential exposures hidden in the human resources processes that could reflect a practice of tolerance or retaliation unacceptable to OCR.

 For Representation, Training & Other Resources

If you need assistance monitoring these and other regulatory policy, enforcement, litigation or other developments, or to review or respond to these or other workforce, benefits and compensation, performance and risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer may be able to help.

Board Certified in Labor & Employment Law, Past Chair of the ABA RPTE Employee Benefit & Other Compensation Arrangements Group, Co-Chair and Past Chair of the ABA RPTE Welfare Plan Committee, Vice Chair of the ABA TIPS Employee Benefit Plans Committee, Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 25 years’ experience advising health plan and employee benefit, insurance, financial services, employer and health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers, health plans, their business associates and other health industry clients to establish and administer medical privacy and other compliance and risk management policies, and with health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. The scribe for the ABA JCEB Annual Agency Meeting with the Office of Civil Rights (OCR) for the past several years who has worked on medical and other privacy concerns throughout her career, she regularly designs and presents HIPAA and other risk management, compliance and other training for health plans, employers, health care providers, professional associations and others, defends covered entities and business associates against OCR, FTC and other privacy and data security investigations, serves as special counsel in litigation arising from these concerns and is the author of several highly regarded publications on HIPAA and other privacy and security concerns.

Ms. Stamer also regularly works with OCR, FTC, USSS, FBI and state and local law enforcement on privacy, data security, health care, benefits and insurance and other matters, and publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and many other national and local publications. For instance, Ms. Stamer for the third year will serve as the appointed scribe for the ABA Joint Committee on Employee Benefits Agency meeting with OCR. Her insights on HIPAA risk management and compliance often appear in medical privacy related publications of a broad range of health care, health plan and other industry publications. Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others. You can get more information about her HIPAA and other experience here.



Consider Fiduciary & Other Risk Management When Planning For ACA Transitional Reinsurance Costs, Other Plan Design Changes

July 7, 2014

Employer and other plan sponsors should start working now with their insurers, administrators and advisors to understand the implications of and their options for addressing the “Transitional Reinsurance Program” and other new Patient Protection & Affordable Care Act (ACA)-associated cost and plan design changes  so that they are prepared to finalize and implement their health plan design, contracts and arrangements in time to meet the accelerated deadlines for notifying participants of plan changes and otherwise implement their plan changes for the upcoming plan year.

The impending imposition of Transitional Reinsurance Program assessments is only one of a myriad of new and pre-existing federal health plan rules and associated market changes impacting the design of employer and union-sponsored health plans. Since ACA now also requires 60 days advance written notice of material health plan changes, . When making these decisions, employer and other health plan sponsors and their advisors, administrators and insurers should not only focus on the technically new mandates but also the allocation of fiduciary and other responsibilities, liabilities and other plan and services agreements terms. Plan sponsors and their fiduciaries historically have underappreciated the significance of these allocations or presumed that their vendor contracts allocate responsibility to the service providers and vendors to match the sales pitch. Although this has always rarely been the case, the changes in the marketplace and the law make it even more likely that sponsoring employers and their leaders, even of plans that carefully reviewed and negotiated these responsibilities in their past contracts, need to look at these plan and contractual terms carefully.

The Transitional Reinsurance Program is one of a series of new ACA-imposed assessments that can impact the plan design and costs. Proper understanding of these rules is critical for plan sponsors and their fiduciaries to ensure that they don’t unintentionally assume significantly greater liability for their self-insured health plans in an attempt to design around an ACA assessment that is relatively small by comparison.

Section 1341 of the Patient Protection & Affordable Care Act (ACA) requires the establishment of the reinsurance program to provide for stabilization of funding for exchanges.  Funding for the costs of the program is accomplished through amounts assessed upon insurers and self-insured plan third party administrators.  ACA § 1341 accomplishes this by providing for:

  • The establishment for each State of a transitional reinsurance program to stabilize premiums for coverage in the individual market from 2014 through 2016;
  • A requirement that all health insurance issuers, and third party administrators on behalf of self-insured group health plans, pay contributions to support reinsurance payments that cover high-cost individuals in non-grandfathered plans in the individual market.

Registration is now open for a series of webinars that the Department of Health & Human Services will host on “The Transitional Reinsurance Program: Contributing Entities and Counting Methods” on July 14, July 18 and July 23, 2014 from 2:00 p.m. – 3:30 p.m. EST.  The upcoming HHS webinars will cover the same information.  They will focus on reinsurance contributions including who is a contributing entity and how a contributing entity can calculate its annual enrollment count to determine reinsurance contribution amounts. The intended audience for this webinar is health insurance issuers, self-insured group health plans, third party administrators (TPAs) and administrative services-only (ASO) contractors.  To register for the HHS webinar and to obtain additional information see here.

Understanding how the Transitional Reinsurance Program assessments will be calculated is one of many critical steps in making plan design changes. When considering whether to take advantage of options for minimizing these assessments, however, employer, union and other plan sponsors need to consider whether the liability and other consequences of meeting requirements for avoidance of the assessments are warranted by the anticipated savings. While superficially it might seem desirable to avoid the payment of a few dollars per covered life associated with the assessment, employers and other sponsoring organizations and the officers or other leadership employees involved in plan design or administration should critically review the effect of meeting these requirements specifically, as well as their proposed vendor contracts and associated plan documents and communications, on their personal and organizations’ fiduciary and other liabilities. To the extent that existing or expanded fiduciary liability cannot be avoided, it will be critical that the sponsor and its leadership ensure that proper steps are taken to select, credential, bond, and appoint the persons who will be or help carry out fiduciary or other plan-related responsibilities. Additionally, most plan sponsors will want to consider exploring the availability of fiduciary liability insurance coverage to help mitigate the potential liability risks associated with plan sponsorship.

For Advice, Training & Other Resources

If you need assistance monitoring these and other regulatory policy, enforcement, litigation or other developments, or to review or respond to these or other workforce, benefits and compensation, performance and risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer may be able to help.

Board Certified in Labor & Employment Law, Past Chair of the ABA RPTE Employee Benefit & Other Compensation Arrangements Group, Co-Chair and Past Chair of the ABA RPTE Welfare Plan Committee, Vice Chair of the ABA TIPS Employee Benefit Plans Committee, Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 24 years’ experience advising health plan and employee benefit, insurance, financial services, employer and health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers, health plans, their business associates and other health industry clients to establish and administer medical privacy and other compliance and risk management policies, and with health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. The author of the “Managed Care Contracting Guide” and a multitude of other highly-regarded publications on health plan and other fiduciary liability risk management, Ms. Stamer has advised plan sponsors, administrators, insurers and others about these and other health plan liabilities and their risk management throughout her more than 25 year career. You can get more information about her HIPAA and other experience here.

If you need assistance with these or other compliance concerns, wish to ask about arranging for compliance audit or training, or need legal representation on other matters please contact Ms. Stamer at (469) 767-8872 or via e-mail here.

You can review other recent publications and resources and additional information about the other experience of Ms. Stamer here. Examples of some recent publications that may be of interest include:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or updating your profile here. For important information about this communication click here.

©2014 Cynthia Marcotte Stamer.  Non-exclusive right to republish granted to Solutions Law Press, Inc.   All rights reserved.


HHS Claims Average $69/Month Cost for Subsidized Coverage Shows ACA Success Challenged

June 18, 2014

The Department of Health & Human Services (HHS) is touting a new report, available here and released today, that it says shows that people who qualified for tax credits to buy health insurance coverage through the health insurance exchange and selected silver plans, the most popular plan type in the federal Marketplace, paid an average premium of $69 per month. In the federal Marketplace, 69 percent of enrollees who selected Marketplace plans with tax credits had premiums of $100 a month or less, and 46 percent had premiums of $50 a month or less after tax credits. The balance of the cost of the coverage is covered via subsidies. Other sources, however, say the data in the report raises concerns about the overall cost of the health care reform law and its impact on the total cost of coverage.

HHS says the report also looks at competition and choice nationwide among health insurance plans in 2013-2014. HHS claims that the report shows most individuals shopping in the Marketplace had a wide range of health plans from which to choose. On average, consumers could choose from five health insurers and 47 Marketplace plans. An increase of one issuer in a rating area is associated with a 4 percent decline in the second-lowest cost silver plan premium, on average.

While the HHS report, by focusing on what subsidized individuals pay out of pocket, spins the data to give the impression that the health care reform law is bringing down health care costs as promised, other sources say the data in the Report raises serious concerns about the overall cost of the health care reform law and the total cost of coverage. While acknowledging that “the generous subsidies” helped consumers receiving subsidies, the Los Angeles Times reports these subsidies coupled with the massive enrollment by individuals qualifying for subsidies raise budgetary concerns. According to the Los Angeles Times article, the report shows the federal government is on track to spend at least $11 billion on subsidies for consumers who bought health plans on marketplaces run by the federal government, even accounting for the fact that many consumers signed up for coverage in late March and will only receive subsidies for part of the year. However, this total does not count the additional cost of providing coverage to the 1/3 of the 8 million new people who signed up for coverage who bought coverage in states that ran their own marketplaces, including California, Connecticut, Maryland and New York. While Federal officials said subsidy data for these consumers were not available, the Los Angeles Times estimated that if these state consumers received roughly comparable government assistance for their insurance premiums, the total cost of subsidies could top $16.5 billion this year, resulting in budgetary costs “far higher” than the $10 million budgetary cost that the Congressional Budget Office projected subsidies would cost U.S. taxpayers in 2014. See Obamacare subsidies push cost of health law above projections.

 For Representation, Training & Other Resources

If you need assistance monitoring these and other regulatory policy, enforcement, litigation or other developments, or to review or respond to these or other workforce, benefits and compensation, performance and risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer may be able to help.

Board Certified in Labor & Employment Law, Past Chair of the ABA RPTE Employee Benefit & Other Compensation Arrangements Group, Co-Chair and Past Chair of the ABA RPTE Welfare Plan Committee, Vice Chair of the ABA TIPS Employee Benefit Plans Committee, Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 25 years’ experience advising health plan and employee benefit, insurance, financial services, employer and health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers, health plans, their business associates and other health industry clients to establish and administer medical privacy and other compliance and risk management policies, to health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. The scribe for the ABA JCEB Annual Agency Meeting with the Office of Civil Rights (OCR) for the past several years who has worked on medical and other privacy concerns throughout her career, she regularly designs and presents HIPAA and other risk management, compliance and other training for health plans, employers, health care providers, professional associations and others, defends covered entities and business associates against OCR, FTC and other privacy and data security investigations, serves as special counsel in litigation arising from these concerns and is the author of several highly regarded publications on HIPAA and other privacy and security concerns.

Ms. Stamer also regularly works with OCR, FTC, USSS, FBI and state and local law enforcement on privacy, data security, health care, benefits and insurance and other matters, and publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and many other national and local publications. For instance, Ms. Stamer for the third year will serve as the appointed scribe for the ABA Joint Committee on Employee Benefits Agency meeting with OCR. Her insights on HIPAA risk management and compliance frequently appear in medical privacy related publications of a broad range of health care, health plan and other industry publications. Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others. You can get more information about her HIPAA and other experience here.

You can review other recent human resources, employee benefits and internal controls publications and resources and additional information about the employment, employee benefits and other experience of Cynthia Marcotte Stamer, PC here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information, including your preferred e-mail, by creating or updating your profile at www.cynthiastamer.com or by registering to participate in the distribution of these and other updates on our HR & Employee Benefits Update distributions here.

For important information concerning this communication click here. ©2014 Cynthia Marcotte Stamer. Limited, non-exclusive right to republish granted to Solutions Law Press, Inc. All other rights reserved.


HIPAA Compliance & Breach Data Shares Helpful Lessons For Health Plans, Providers and Business Associates

June 11, 2014

Health care providers, health plans and insurers, health care clearinghouses (collectively “Covered Entities”), their business associates, and others concerned about medical privacy regulations or protections should check out two new reports to Congress from the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) about breach notifications reported and other compliance data under the Health Insurance Portability & Accountability Act (HIPAA). Reviewing this data can help Covered Entities and their business associates identify potential areas of exposure and enforcement, which can help them minimize their HIPAA liability and anticipate OCR enforcement and audit inquiries. Smart Covered Entities and business associates will include review of these and other reports about compliance and enforcement by OCR, and assessment of their processes against this information, as a part of their HIPAA compliance and risk management practices.

Required by the Health Information Technology for Economic and Clinical Health (HITECH) Act, the two new reports discuss various details about HIPAA compliance for calendar years 2011 and 2012.  They include the following:

  • Report to Congress on Breach Notifications, discussing the breach notification requirements and the reports OCR received as a result of these requirements; and
  • Report to Congress on Compliance with the HIPAA Privacy and Security Rules, summarizing complaints received by OCR of alleged violations of the provisions of Subtitle D of the HITECH Act, as well as of the HIPAA Privacy and Security Rules at 45 CFR Parts 160 and 164.

Covered entities and their business associates should review the findings reported as part of their compliance practices. Others concerned about medical or other privacy or data security regulations or events also may find the information in the reports of interest.

Under HIPAA, Covered Entities generally are prohibited from using, accessing or disclosing protected health information about individuals except as specifically allowed by HIPAA. In addition, HIPAA requires Covered Entities to establish safeguards to protect protected health information against improper access, use or destruction, to afford certain rights to individuals who are the subjects of protected health information, to obtain certain written assurances from service providers who are business associates before allowing those service providers to use, access or disclose protected health information when carrying out covered functions for the Covered Entity, and to meet other requirements.

The HITECH Act tightened certain rules applicable to the use, access or disclosure of protected health information by Covered Entities and their business associates. In addition, the HITECH Act added breach notification rules, extended direct responsibility for compliance with HIPAA to business associates, increased penalties for noncompliance with HIPAA and made other refinements to HIPAA’s medical privacy rules.

Enforcement of HIPAA and the resulting penalties have increased since the HITECH Act took effect.

Covered Entities generally have been required since March 26, 2013 to comply with most requirements of the Omnibus Final Rule, which restated OCR’s regulations implementing the Health Insurance Portability & Accountability Act (HIPAA) Privacy, Security and Breach Notification Rules to reflect HIPAA amendments enacted by the HITECH Act, and to have updated business associate agreements in place since September 23, 2013. Although these deadlines are long past, many Covered Entities and business associates have yet to complete the policy, process and training updates required to comply with the rule changes implemented in the Omnibus Final Rule.

Even if a Covered Entity or business associate completed the updates required to comply with the Omnibus Final Rule, however, recent supplemental guidance published by OCR means that most organizations now have even more work to do on HIPAA compliance. This includes the following supplemental guidance on its interpretation and enforcement of HIPAA against Covered Entities and business associates published by OCR since January 1, 2014 alone:

Beyond this 2014 guidance, Covered Entities and their business associates also should look at enforcement actions and data as well as other guidance OCR issued during 2013 after publishing the Omnibus Final Rule such as:

With OCR stepping up both audits and enforcement and penalties for violations higher than ever since the HITECH Act amended HIPAA, Covered Entities and business associates should act quickly to review and update their policies, practices and training to implement any adjustments needed to maintain compliance and manage other risks under these ever-evolving HIPAA standards.

When conducting these efforts, Covered Entities and business associates should not only carefully watch for and react promptly to new OCR guidance and enforcement actions, but also document their commitment and ongoing compliance and risk management activities. This documentation helps support their ability to show that their organization maintains the “culture of compliance” commitment needed to mitigate risks in the event of a breach or other HIPAA violation. They also should take well-documented, reasonable steps to encourage their business associates to do the same. When carrying out these activities, most Covered Entities and business associates also will want to take steps to monitor potential responsibilities and exposures under other federal and state laws and judicial precedent, such as the privacy and data security requirements that often apply to personal financial information, trade secrets or other sensitive data.


