Review & Update HR & Benefit Practices For DOL Proposed Change In FMLA Regs, Other Rules Treating Some Same-Sex Couples As Spouses

July 8, 2014

August 11, 2014 is the deadline for employers and other interested individuals to comment on the  U.S. Department of Labor’s Wage and Hour Division (DOL) June 27, 2014 Notice of Proposed Rulemaking (NPRM), which would amend the definition of spouse under the current Family and Medical Leave Act of 1993 (FMLA) regulations in light of the United States Supreme Court’s decision in United States v. Windsor, which ruled unconstitutional section 3 of the Defense of Marriage Act (DOMA).  The proposed change is one of a series of regulatory changes that the Obama Administration has proposed or adopted since the Windsor decision.

DOL intends that the NPRM will replace the current definition of “spouse” its current FMLA regulations so that eligible employees in legal same-sex marriages will be able to take FMLA leave to care for their spouse or family member, regardless of where they live.

To accomplish this, the NPRM proposes to revise the current definition of spouse in the current FMLA regulations to define spouse as follows: Spouse, as defined in the statute, means a husband or wife. For purposes of this definition, husband or wife refers to the other person with whom an individual entered into marriage as defined or recognized under State law for purposes of marriage in the State in which the marriage was entered into or, in the case of a marriage entered into outside of any State, if the marriage is valid in the place where entered into and could have been entered into in at least one State. This definition includes an individual in a same-sex or common law marriage that either (1) was entered into in a State that recognizes such marriages or, (2) if entered into outside of any State, is valid in the place where entered into and could have been entered into in at least one State.

Among other things, this change will:

  • Replace the current “state of residence” rule with a rule that determines spousal status based on where the marriage was entered into (sometimes referred to as “place of celebration”) rule for determining marital status;
  • Revise the definition of spouse expressly to reference same-sex marriages in addition to common law marriages, and to encompass same-sex marriages entered into abroad that could have been entered into in at least one State.

The expanded definition of spouse will broaden the range of couples that employers and plans may be required to treat as spouses for purposes of the FMLA.  This expansion also may result in the extension of rights with respect to parents or children of a same-sex partner for certain employment or employee benefit purposes.  While the historical determination of parental relationships under the FMLA regulations based on a functional, rather than legalistic, test means that the proposed change will likely have less significance in this regard, employers and plans still should evaluate the potential implications of the expanded definition of spouse on its responsibilities with respect to the employees, their same-sex partners and the parents and children of the same-sex partners.

Also, many employers and employee benefit plans may be concerned about proposed language in the NPRM and other regulations requiring employers to decide if a marriage not valid in the United States could have been valid if performed within the United States.  Likewise, as the number of states where same-sex partners can qualify as spouses continues to evolve as courts and legislatures act to require recognition of these relationships, many employers and plans may feel legitimate concerns about the operational demands of administering their human resources and employee benefit plans and policies with respect to individuals involved in same-sex relationships where the legal status of the relationship may evolve due to changes of law, creating responsibilities for the employer or plan with respect to relationships that it may not know exist or the status of which may change subsequent to a determination of marital status or other relevant decision.  Employers and employee benefit plans should consider adopting practices to address these challenges to minimize the risk of incurring liability as a result of an oversight resulting from evolving status.

 For Representation, Training & Other Resources

If you need assistance monitoring these and other regulatory policy, enforcement, litigation or other developments, or to review or respond to these or other workforce, benefits and compensation, performance and risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer may be able to help.

Board Certified in Labor & Employment Law, Past Chair of the ABA RPTE Employee Benefit & Other Compensation Arrangements Group, Co-Chair and Past Chair of the ABA RPTE Welfare Plan Committee, Vice Chair of the ABA TIPS Employee Benefit Plans Committee, Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 25 years’ experience advising employers, health plan and other employee benefit, insurance, financial services, health and other business clients about these and other matters.   As a part of this involvement, Ms. Stamer has extensive experience advising employers, employee benefit plans, insurers, health care providers and others about the implications of DOMA and other rules impacting the identification of spouses and other family status protections under the FMLA and other Federal and state employment, tax, health care and other laws.  She publishes and speaks extensively on these and other staffing and human resources, compensation and benefits, technology, health care, privacy, public policy, and other operations and risk management concerns. Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications.

You can review other recent human resources, employee benefits and internal controls publications and resources and additional information about the employment, employee benefits and other experience of the Cynthia Marcotte Stamer, PC here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile www.cynthiastamer.com or by registering to participate in the distribution of these and other updates on our HR & Employee Benefits Update here including:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or updating your profile here. For important information concerning this communication click here©2014 Cynthia Marcotte Stamer. Limited, non-exclusive right to republished granted to Solutions Law Press, Inc. All other rights reserved.


Employee & Other Whistleblower Complaints Common Source of HIPAA Privacy & Other Complaints

July 7, 2014

Employer and other health plan sponsors, administrators, insurers and their business associates should heed both the lesson about properly protecting health plan documents with protected health information and the more subtle lesson about the role of employees and other whistleblowers in bringing these violations to the attention of regulators contained in the latest Health Insurance Portability & Accountability Act (HIPAA) resolution agreement as well as act to manage their potential employment related liability to workforce members reporting these violations

HIPAA’s Privacy, Security and Breach Notification Rules generally prohibit  health plans, health care providers, health plans (Covered Entities) and their business associates from creating, using, accessing or disclosing protected health information except as allowed by HIPAA.  In addition, HIPAA requires covered entities both to meet detailed criteria for protecting electronic protected health information and also to take reasonable steps to protect all protected health information, as well as meet other business associate, breach notification, and individual rights requirements.

Parkview Resolution Agreement

Late last month, the Department of Health & Human Services Office of Civil Rights (HHS) announced that complaints of a retiring physician over the mishandling of her patient records by Parkview Health System, Inc. (Parkview) prompted the investigation that lead Parkview to agree to pay $800,000 to settle charges that it violated HIPAA’s Privacy Rule.

The resolution agreement settles charges lodged by HHS based on an OCR investigation into the retiring physician’s allegations that Parkview violated the HIPAA Privacy Rule by failing to properly safeguard the records when it returned them to the physician following her retirement.

As a covered entity under the HIPAA Privacy Rule, HIPAA requires that Parkview appropriately and reasonably safeguard all protected health information in its possession, from  acquisition to disposition.

In an investigation prompted by the physician’s complaint, OCR found that Parkview breached this responsibility in its handling of certain physician patient records in helping the physician to transition to retirement.

According to OCR, in September 2008, Parkview took custody of medical records of approximately 5,000 to 8,000 patients while assisting the retiring physician to transition her patients to new providers, and while considering the possibility of purchasing some of the physician’s practice.

Subsequently on June 4, 2009, Parkview employees, with notice that the physician was not at home, left 71 cardboard boxes of these medical records unattended and accessible to unauthorized persons on the driveway of the physician’s home, within 20 feet of the public road and a short distance away from a heavily trafficked public shopping venue. OCR concluded this conduct violated the Privacy Rule.

To settle OCR’s charges that these actions violated HIPAA, OCR has agreed to pay the $800,000 resolution amount and to adopt and implement a corrective action plan requiring Parkview to revise their policies and procedures, train staff, and provide an implementation report to OCR.

HIPAA Violations Carry Significant Liability

As demonstrated by the Parkview resolution agreement, violation of HIPAA  can carry significant civil and potentially even criminal liability.  The criminal provisions of HIPAA as well as the express terms of the Privacy Rules require that covered entities and their business associates adopt and administer specific compliance programs and practices to provide to compliance with HIPAA and HIPAA’s breach notification rules and the Privacy Regulations may require self-reporting of violations when and if violations occur.  Since HIPAA includes potential criminal liability, violations of its provisions can trigger organizational liability for covered entities and their business associates.  Consequently, HIPAA compliance also generally should be part of the Federal Sentencing Guideline Compliance Program of every covered entity and business associate.

The HITECH Act tightened certain rules applicable to the use, access or disclosure of protected health information by covered entities and their business associates.  In addition, the HITECH Act added breach notification rules, extended direct responsibility for compliance with HIPAA to business associates, increased penalties for noncompliance with HIPAA and made other refinements to HIPAA’s medical privacy rules and made certain other changes.  Furthermore, enforcement of HIPAA and the resulting penalties have increased since the HITECH Act took effect.

With OCR stepping up both audits and enforcement and penalties for violations higher than ever since the HITECH Act amended HIPAA, Covered Entities and business associates should act quickly to review and update their policies, practices and training to implement any adjustments needed to maintain compliance and manage other risks under these ever-evolving HIPAA standards.

When conducting these efforts, Covered Entities and business associates not only carefully watch for and react promptly to new OCR guidance and enforcement actions, but also document their commitment and ongoing compliance and risk management activities to help support their ability to show their organization maintains the necessary “culture of compliance” commitment needed to mitigate risks in the event of a breach or other HIPAA violation and take well-documented, reasonable steps to encourage their business associates to do the same.    When carrying out these activities, most covered entities and business associates also will want to take steps to monitor potential responsibilities and exposures under other federal and state laws like the privacy and data security requirements that often apply to personal financial information, trade secrets or other sensitive data under applicable federal and state laws and judicial precedent.

A series of supplemental guidance issued by the Department of Health & Human Services Office of Civil Rights (OCR) in recent weeks is giving health care providers, health plans, health care clearinghouses (Covered Entities) and their business associates even more to do in reviewing and updating their policies, practices and training for handing protected health information (PHI) beyond bringing their policies and practices into line with OCR’s restatement and update to the Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule (Omnibus Final Rule) OCR published January 25, 2013.

Covered Entities generally have been required to comply with most requirements the Omnibus Final Rule’s restated regulations restating OCR’s regulations implementing the Health Insurance Portability & Accountability Act (HIPAA) Privacy, Security and Breach Notification Rules to reflect HIPAA amendments enacted by the Health Information Technology for Economic and Clinical Health (HITECH) Act since the Omnibus Final Rule took effect on March 26, 2013 and to have updated business associate agreements in place since September 23, 2013.  Meanwhile, the Omnibus Final Rule generally has required business associates have updated business associate agreements in place and otherwise to have come into compliance with all of the applicable requirements of the Omnibus Final Rule since September 23, 2013.  Although these deadlines are long past, many Covered Entities and business associates have yet to complete the policy, process and training updates required to comply with the rule changes implemented in  the Omnibus Final Rule.

Even if a Covered Entity or business associate completed the updates required to comply with the Omnibus Final Rule, however, recent supplemental guidance published by OCR means that most organizations now have even more work to do on HIPAA compliance. This includes the following supplemental guidance on its interpretation and enforcement of HIPAA against Covered Entities and business associates published by OCR since January 1, 2014 alone:

Beyond this 2014 guidance, Covered Entities and their business associates also should look at enforcement actions and data as well as other guidance OCR issued during 2013 after publishing the Omnibus Final Rule such as:

With OCR stepping up both audits and enforcement and penalties for violations higher than ever since the HITECH Act amended HIPAA, Covered Entities and business associates should act quickly to review and update their policies, practices and training to implement any adjustments needed to maintain compliance and manage other risks under these ever-evolving HIPAA standards.

When conducting these efforts, Covered Entities and business associates not only carefully watch for and react promptly to new OCR guidance and enforcement actions, but also document their commitment and ongoing compliance and risk management activities to help support their ability to show their organization maintains the necessary “culture of compliance” commitment needed to mitigate risks in the event of a breach or other HIPAA violation and take well-documented, reasonable steps to encourage their business associates to do the same.    When carrying out these activities, most covered entities and business associates also will want to take steps to monitor potential responsibilities and exposures under other federal and state laws like the privacy and data security requirements that often apply to personal financial information, trade secrets or other sensitive data under applicable federal and state laws and judicial precedent.

Watch & Manage Whistleblower Liability From HIPAA Violations & Compliance

Beyond illustrating the potential HIPAA-associated penalties that can result from failing to comply with HIPAA, the Parkview resolution agreement also illustrates the risks that current or former workforce members and others acting as whistleblowers play in helping OCR to identify HIPAA violations.  HIPAA and most other laws prohibited covered entities from forbidding or retaliating against a person for objecting to or reporting the concern and offer whistleblowers potential participation in the reporting and prosecution of violations.  Beyond these specific federal HIPAA protections, state courts often recognize firing or otherwise retaliating against workforce members or others for exercising rights protected by HIPAA or other federal anti-retaliation statutes as a basis for a state whistleblower or other retaliatory discharge claim.  See, e.g. Faulkner v. Department of State Health Servs., 2009 U.S. Dist. LEXIS 22419 (N.D. Tex. Mar. 19, 2009).  See also Court Recognizes Retaliation For Filing HIPAA Privacy Complaint As Basis For Texas Whistleblower Claim.    With retaliation and other whistleblower complaints becoming increasingly common and judgments from these claims rising, covered entities and their business associates need to include appropriate employment liability risk management processes and procedures in their HIPAA compliance processes and coordinate carefully with their human resources team and qualified employment counsel to manage the employment liability related risks associated with investigations and discipline activities under HIPAA.  Concurrently, Privacy Officers also should ensure that their organization’s human resources team understands the HIPAA rules and spot and properly refers to the privacy officer for investigation statements or other activities that may indicate that a HIPAA compliance or retaliation concern needs investigation or redress to avoid missing potential exposures hidden in the human resources processes that could reflect a practice of tolerance or retaliation unacceptable to OCR.

 For Representation, Training & Other Resources

If you need assistance monitoring these and other regulatory policy, enforcement, litigation or other developments, or to review or respond to these or other workforce, benefits and compensation, performance and risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer may be able to help.

Board Certified in Labor & Employment Law, Past Chair of the ABA RPTE Employee Benefit & Other Compensation Arrangements Group, Co-Chair and Past Chair of the ABA RPTE Welfare Plan Committee, Vice Chair of the ABA TIPS Employee Benefit Plans Committee, Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 25 years’ experience advising health plan and employee benefit, insurance, financial services, employer and health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers, health plans, their business associates and other health industry clients to establish and administer medical privacy and other compliance and risk management policies, to health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. The scribe for the ABA JCEB Annual Agency Meeting with the Office of Civil Rights (OCR) for the past several years who has worked on medical and other privacy concerns throughout her career, she regularly designs and presents HIPAA and other risk management, compliance and other training for health plans, employers, health care providers, professional associations and others, defends covered entities and business associates against OCR, FTC and other privacy and data security investigations, serves as special counsel in litigation arising from these concerns and is the author of several highly regarded publications on HIPAA and other privacy and security concerns.

Ms. Stamer also regularly works with OCR, FTC, USSS, FBI and state and local law enforcement on privacy, data security, health care, benefits and insurance and other matters, publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. For instance, Ms. Stamer for the third year will serve as the appointed scribe for the ABA Joint Committee on Employee Benefits Agency meeting with OCR. Her insights on HIPAA risk management and compliance often appear in medical privacy related publications of a broad range of health care, health plan and other industry publications Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others.  You can get more information about her HIPAA and other experience here.

You can review other recent human resources, employee benefits and internal controls publications and resources and additional information about the employment, employee benefits and other experience of the Cynthia Marcotte Stamer, PC here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile www.cynthiastamer.com or by registering to participate in the distribution of these and other updates on our HR & Employee Benefits Update here including:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or updating your profile here. For important information concerning this communication click here©2014 Cynthia Marcotte Stamer. Limited, non-exclusive right to republished granted to Solutions Law Press, Inc. All other rights reserved.


HHS Claims Average $69/Month Cost for Subsidized Coverage Shows ACA Success Challenged

June 18, 2014

The Department of Health & Human Services (HHS) is touting a new report available here released today that it says people who qualified for tax credits to buy health insurance coverage through the health insurance exchange who selected silver plans, the most popular plan type in the federal Marketplace, paid an average premium of $69 per month. In the federal Marketplace, 69 percent of enrollees who selected Marketplace plans with tax credits had premiums of $100 a month or less, and 46 percent of $50 a month or less after tax credits.   The balance of the cost of the coverage is covered via subsidies.  Other sources, however, say the data in the report raises concerns about the overall cost of the health care reform law and its impact on the total cost of coverage.

HHS says the report also looks at competition and choice nationwide among health insurance plans in 2013-2014.  HHS claims that the report shows most individuals shopping in the Marketplace had a wide range of health plans from which to choose. On average, consumers could choose from five health insurers and 47 Marketplace plans. An increase of one issuer in a rating area is associated with 4 percent decline in the second-lowest cost silver plan premium, on average.

While the HHS report by focusing on what subsidized individuals pay out of pocket spins the data to give the impression that the health care reform law is bringing down health care costs as promised, other sources say the data in the Report raises serious concerns about the overall cost of the health care reform law and the total cost of coverage.  While acknowledging that “the generous subsidies” helped consumers receiving subsidies, the Los Angeles Times reports these subsidies coupled with the massive enrollment by individuals qualifying for subsidies raise budgetary concerns.  According to the Los Angeles Times article, the reports shows the federal government is on track to spend at least $11 billion on subsidies for consumers who bought health plans on marketplaces run by the federal government, even accounting for the fact that many consumers signed up for coverage in late March and will only receive subsidies for part of the year.  However, this total does not count the additional cost of providing coverage to the 1/3 of the 8 million new people who signed up for coverage who bought coverage in states that ran their own marketplaces, including California, Connecticut, Maryland and New York.   While Federal officials said subsidy data for these consumers were not available, the Los Angeles Times estimated that if these state consumers received roughly comparable government assistance for their insurance premiums, the total cost of subsidies could top $16.5 billion this year, resulting in budgetary costs “far higher”  than the $10 million budgetary cost that the Congressional Budget Office projected subsidies would cost U.S. taxpayers in 2014. See  Obamacare subsidies push cost of health law above projections.

 For Representation, Training & Other Resources

If you need assistance monitoring these and other regulatory policy, enforcement, litigation or other developments, or to review or respond to these or other workforce, benefits and compensation, performance and risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer may be able to help.

Board Certified in Labor & Employment Law, Past Chair of the ABA RPTE Employee Benefit & Other Compensation Arrangements Group, Co-Chair and Past Chair of the ABA RPTE Welfare Plan Committee, Vice Chair of the ABA TIPS Employee Benefit Plans Committee, Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 25 years’ experience advising health plan and employee benefit, insurance, financial services, employer and health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers, health plans, their business associates and other health industry clients to establish and administer medical privacy and other compliance and risk management policies, to health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. The scribe for the ABA JCEB Annual Agency Meeting with the Office of Civil Rights (OCR) for the past several years who has worked on medical and other privacy concerns throughout her career, she regularly designs and presents HIPAA and other risk management, compliance and other training for health plans, employers, health care providers, professional associations and others, defends covered entities and business associates against OCR, FTC and other privacy and data security investigations, serves as special counsel in litigation arising from these concerns and is the author of several highly regarded publications on HIPAA and other privacy and security concerns.

Ms. Stamer also regularly works with OCR, FTC, USSS, FBI and state and local law enforcement on privacy, data security, health care, benefits and insurance and other matters, publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. For instance, Ms. Stamer for the third year will serve as the appointed scribe for the ABA Joint Committee on Employee Benefits Agency meeting with OCR. Her insights on HIPAA risk management and compliance frequently appear in medical privacy related publications of a broad range of health care, health plan and other industry publications Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others.  You can get more information about her HIPAA and other experience here.

You can review other recent human resources, employee benefits and internal controls publications and resources and additional information about the employment, employee benefits and other experience of the Cynthia Marcotte Stamer, PC here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile www.cynthiastamer.com or by registering to participate in the distribution of these and other updates on our HR & Employee Benefits Update distributions here including:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or updating your profile here. For important information concerning this communication click here©2014 Cynthia Marcotte Stamer. Limited, non-exclusive right to republished granted to Solutions Law Press, Inc. All other rights reserved.


HIPAA Compliance & Breach Data Shares Helpful Lessons For Health Plans, Providers and Business Associates

June 11, 2014

Health care providers, health plans and insurers, health care clearinghouses (collectively “Covered Entities”), their business associates, and others concerned about medical privacy regulations or protections should check out two new reports to Congress about breach notifications reported and other compliance data under the Health Insurance Portability & Accountability Act (HIPAA) by the U.S. Department of Health and Human Services, Office for Civil Rights (OCR).   Reviewing this data can help Covered Entities and their business associates identify potential areas of exposures and enforcement that can be helpful to minimize their HIPAA liability as well as to expect OCR enforcement and audit inquiries.  Smart covered entities and business associates will include review of these and other reports about compliance and enforcement by OCR and assessment of their processes against this information as a part of their HIPAA compliance and risk management practices.

Required by the Health Information Technology for Economic and Clinical Health (HITECH) Act, the two new reports discuss various details about HIPAA compliance for calendar years 2011 and 2012.  They include the following:

  • Report to Congress on Breach Notifications, discussing the breach notification requirements and reports OCR received as a result of these breach notification requirements; and
  • Report to Congress on Compliance with the HIPAA Privacy and Security Rules, summarizing complaints received by OCR of alleged violations of the provisions of Subtitle D of the HITECH Act, as well as of the HIPAA Privacy and Security Rules at 45 CFR Parts 160 and 164 .
  • Covered entities and their business associates should review the finding reported as part of their compliance practices. Others concerned about medical or other privacy or data security regulations or events also may find the information in the reports of interest.

Under HIPAA, covered entities generally are prohibited from using, accessing or disclosing protected health information about individuals except as specifically allowed by HIPAA,  In addition, HIPAA also requires Covered Entities to establish safeguards to protect protected health information against improper access, use or destruction, to afford certain rights to individuals who are the subjects of protected information, to obtain certain written assurances from service providers who are business associates before allowing those service providers to use, access or disclose protected health information when carrying out covered functions for the Covered Entity, and meet other requirements.

The HITECH Act tightened certain rules applicable to the use, access or disclosure of protected health information by covered entities and their business associates.  In addition, the HITECH Act added breach notification rules, extended direct responsibility for compliance with HIPAA to business associates, increased penalties for noncompliance with HIPAA and made other refinements to HIPAA’s medical privacy rules and made certain other changes.

Enforcement of HIPAA and the resulting penalties have increased since the HITECH Act took effect.

Covered Entities generally have been required to comply with most requirements the Omnibus Final Rule’s restated regulations restating OCR’s regulations implementing the Health Insurance Portability & Accountability Act (HIPAA) Privacy, Security and Breach Notification Rules to reflect HIPAA amendments enacted by the HITECH Act since March 26, 2013 and to have updated business associate agreements in place since September 23, 2013.  Although these deadlines are long past, many Covered Entities and business associates have yet to complete the policy, process and training updates required to comply with the rule changes implemented in  the Omnibus Final Rule.

Even if a Covered Entity or business associate completed the updates required to comply with the Omnibus Final Rule, however, recent supplemental guidance published by OCR means that most organizations now have even more work to do on HIPAA compliance. This includes the following supplemental guidance on its interpretation and enforcement of HIPAA against Covered Entities and business associates published by OCR since January 1, 2014 alone:

Beyond this 2014 guidance, Covered Entities and their business associates also should look at enforcement actions and data as well as other guidance OCR issued during 2013 after publishing the Omnibus Final Rule such as:

With OCR stepping up both audits and enforcement and penalties for violations higher than ever since the HITECH Act amended HIPAA, Covered Entities and business associates should act quickly to review and update their policies, practices and training to implement any adjustments needed to maintain compliance and manage other risks under these ever-evolving HIPAA standards.

When conducting these efforts, Covered Entities and business associates not only carefully watch for and react promptly to new OCR guidance and enforcement actions, but also document their commitment and ongoing compliance and risk management activities to help support their ability to show their organization maintains the necessary “culture of compliance” commitment needed to mitigate risks in the event of a breach or other HIPAA violation and take well-documented, reasonable steps to encourage their business associates to do the same.    When carrying out these activities, most covered entities and business associates also will want to take steps to monitor potential responsibilities and exposures under other federal and state laws like the privacy and data security requirements that often apply to personal financial information, trade secrets or other sensitive data under applicable federal and state laws and judicial precedent.

 For Representation, Training & Other Resources

If you need assistance monitoring these and other regulatory policy, enforcement, litigation or other developments, or to review or respond to these or other workforce, benefits and compensation, performance and risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer may be able to help.

Board Certified in Labor & Employment Law, Past Chair of the ABA RPTE Employee Benefit & Other Compensation Arrangements Group, Co-Chair and Past Chair of the ABA RPTE Welfare Plan Committee, Vice Chair of the ABA TIPS Employee Benefit Plans Committee, Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 25 years’ experience advising health plan and employee benefit, insurance, financial services, employer and health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers, health plans, their business associates and other health industry clients to establish and administer medical privacy and other compliance and risk management policies, to health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. The scribe for the ABA JCEB Annual Agency Meeting with the Office of Civil Rights (OCR) for the past several years who has worked on medical and other privacy concerns throughout her career, she regularly designs and presents HIPAA and other risk management, compliance and other training for health plans, employers, health care providers, professional associations and others, defends covered entities and business associates against OCR, FTC and other privacy and data security investigations, serves as special counsel in litigation arising from these concerns and is the author of several highly regarded publications on HIPAA and other privacy and security concerns.

Ms. Stamer also regularly works with OCR, FTC, USSS, FBI and state and local law enforcement on privacy, data security, health care, benefits and insurance and other matters, publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. For instance, Ms. Stamer for the third year will serve as the appointed scribe for the ABA Joint Committee on Employee Benefits Agency meeting with OCR. Her insights on HIPAA risk management and compliance frequently appear in medical privacy related publications of a broad range of health care, health plan and other industry publications Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others.  You can get more information about her HIPAA and other experience here.

You can review other recent human resources, employee benefits and internal controls publications and resources and additional information about the employment, employee benefits and other experience of the Cynthia Marcotte Stamer, PC here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile www.cynthiastamer.com or by registering to participate in the distribution of these and other updates on our HR & Employee Benefits Update distributions here including:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or updating your profile here. For important information concerning this communication click here©2014 Cynthia Marcotte Stamer. Limited, non-exclusive right to republished granted to Solutions Law Press, Inc. All other rights reserved.


HHS Extends Proposed EDI Rule Time to 4/3 To Get More Input From Self-Insured Plans, TPAs

March 6, 2014

Third party administrators  (TPAs), self-insured health plans and concerned payers and plan sponsors now have a little more time to comment on the Department of Health & Human Services (HHS) proposed rule, “Administrative Simplification: Health Plan Certification of Compliance.”

HHS announced its extension to April 3, 2014 of the comment period today in specific hopes that it will receive additional comments from TPAs  and self-insured plans

The Certification of Compliance for Health Plans proposed rule is different from previous Health Insurance Portability and Accountability Act (HIPAA) Administrative Simplification regulations because it affects more and different types of entities.

For example, many third party administrators, self-funded health plans, and group health plans that have not been impacted by previous HIPAA Administrative Simplification requirements will be affected by this rule, even if they do not directly conduct HIPAA covered transactions.

As proposed, the proposed rule would require controlling health plans to submit documentation on or before December 31, 2015. It would also establish penalty fees for a controlling health plan that fails to comply with the Certification of Compliance requirements.

HHS says that the goal of the extension of the comment period is to provide these entities with time to understand and offer feedback on the business impacts of the Certification of Compliance proposed rule. HHS encourages these entities to submit feedback so that their comments and suggestions can be considered during the policy-making process.

 For Representation, Training & Other Resources

If you need assistance monitoring these and other regulatory policy, enforcement, litigation or other developments, or to review or respond to these or other workforce, benefits and compensation, performance and risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer may be able to help.

Board Certified in Labor & Employment Law, Past Chair of the ABA RPTE Employee Benefit & Other Compensation Arrangements Group, Co-Chair and Past Chair of the ABA RPTE Welfare Plan Committee, Vice Chair of the ABA TIPS Employee Benefit Plans Committee, Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 25 years’ experience advising health plan and employee benefit, insurance, financial services, employer and health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers, health plans, their business associates and other health industry clients to establish and administer medical privacy and other compliance and risk management policies, to health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. The scribe for the ABA JCEB Annual Agency Meeting with the Office of Civil Rights (OCR) for the past several years who has worked on medical and other privacy concerns throughout her career, she regularly designs and presents HIPAA and other risk management, compliance and other training for health plans, employers, health care providers, professional associations and others, defends covered entities and business associates against OCR, FTC and other privacy and data security investigations, serves as special counsel in litigation arising from these concerns and is the author of several highly regarded publications on HIPAA and other privacy and security concerns.

Ms. Stamer also regularly works with OCR, FTC, USSS, FBI and state and local law enforcement on privacy, data security, health care, benefits and insurance and other matters, publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. For instance, Ms. Stamer for the third year will serve as the appointed scribe for the ABA Joint Committee on Employee Benefits Agency meeting with OCR. Her insights on HIPAA risk management and compliance frequently appear in medical privacy related publications of a broad range of health care, health plan and other industry publications Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others.  You can get more information about her HIPAA and other experience here.

You can review other recent human resources, employee benefits and internal controls publications and resources and additional information about the employment, employee benefits and other experience of the Cynthia Marcotte Stamer, PC here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile www.cynthiastamer.com or by registering to participate in the distribution of these and other updates on our HR & Employee Benefits Update distributions here including:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or updating your profile here. For important information concerning this communication click here©2014 Cynthia Marcotte Stamer. Limited, non-exclusive right to republished granted to Solutions Law Press, Inc. All other rights reserved.


New OCR Guidance Assigns More HIPAA Homework Health Plans, Providers, Business Associates and Employers

March 5, 2014

Think your health plan, health care organization, health care clearinghouse or their business associates has health care privacy covered?  Think again.

A series of supplemental guidance issued by the Department of Health & Human Services Office of Civil Rights (OCR) in recent weeks is giving health care providers, health plans, health care clearinghouses (Covered Entities) and their business associates even more to do in reviewing and updating their policies, practices and training for handing protected health information (PHI) beyond bringing their policies and practices into line with OCR’s restatement and update to the Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule (Omnibus Final Rule) OCR published January 25, 2013.

Covered Entities generally have been required to comply with most requirements the Omnibus Final Rule’s restated regulations restating OCR’s regulations implementing the Health Insurance Portability & Accountability Act (HIPAA) Privacy, Security and Breach Notification Rules to reflect HIPAA amendments enacted by the Health Information Technology for Economic and Clinical Health (HITECH) Act since the Omnibus Final Rule took effect on March 26, 2013 and to have updated business associate agreements in place since September 23, 2013.  Meanwhile, the Omnibus Final Rule generally has required business associates have updated business associate agreements in place and otherwise to have come into compliance with all of the applicable requirements of the Omnibus Final Rule since September 23, 2013.  Although these deadlines are long past, many Covered Entities and business associates have yet to complete the policy, process and training updates required to comply with the rule changes implemented in  the Omnibus Final Rule.

Even if a Covered Entity or business associate completed the updates required to comply with the Omnibus Final Rule, however, recent supplemental guidance published by OCR means that most organizations now have even more work to do on HIPAA compliance. This includes the following supplemental guidance on its interpretation and enforcement of HIPAA against Covered Entities and business associates published by OCR since January 1, 2014 alone:

Beyond this 2014 guidance, Covered Entities and their business associates also should look at enforcement actions and data as well as other guidance OCR issued during 2013 after publishing the Omnibus Final Rule such as:

With OCR stepping up both audits and enforcement and penalties for violations higher than ever since the HITECH Act amended HIPAA, Covered Entities and business associates should act quickly to review and update their policies, practices and training to implement any adjustments needed to maintain compliance and manage other risks under these ever-evolving HIPAA standards.

When conducting these efforts, Covered Entities and business associates not only carefully watch for and react promptly to new OCR guidance and enforcement actions, but also document their commitment and ongoing compliance and risk management activities to help support their ability to show their organization maintains the necessary “culture of compliance” commitment needed to mitigate risks in the event of a breach or other HIPAA violation and take well-documented, reasonable steps to encourage their business associates to do the same.    When carrying out these activities, most covered entities and business associates also will want to take steps to monitor potential responsibilities and exposures under other federal and state laws like the privacy and data security requirements that often apply to personal financial information, trade secrets or other sensitive data under applicable federal and state laws and judicial precedent.

 For Representation, Training & Other Resources

If you need assistance monitoring these and other regulatory policy, enforcement, litigation or other developments, or to review or respond to these or other workforce, benefits and compensation, performance and risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer may be able to help.

Board Certified in Labor & Employment Law, Past Chair of the ABA RPTE Employee Benefit & Other Compensation Arrangements Group, Co-Chair and Past Chair of the ABA RPTE Welfare Plan Committee, Vice Chair of the ABA TIPS Employee Benefit Plans Committee, Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 25 years’ experience advising health plan and employee benefit, insurance, financial services, employer and health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers, health plans, their business associates and other health industry clients to establish and administer medical privacy and other compliance and risk management policies, to health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. The scribe for the ABA JCEB Annual Agency Meeting with the Office of Civil Rights (OCR) for the past several years who has worked on medical and other privacy concerns throughout her career, she regularly designs and presents HIPAA and other risk management, compliance and other training for health plans, employers, health care providers, professional associations and others, defends covered entities and business associates against OCR, FTC and other privacy and data security investigations, serves as special counsel in litigation arising from these concerns and is the author of several highly regarded publications on HIPAA and other privacy and security concerns.

Ms. Stamer also regularly works with OCR, FTC, USSS, FBI and state and local law enforcement on privacy, data security, health care, benefits and insurance and other matters, publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. For instance, Ms. Stamer for the third year will serve as the appointed scribe for the ABA Joint Committee on Employee Benefits Agency meeting with OCR. Her insights on HIPAA risk management and compliance frequently appear in medical privacy related publications of a broad range of health care, health plan and other industry publications Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others.  You can get more information about her HIPAA and other experience here.

You can review other recent human resources, employee benefits and internal controls publications and resources and additional information about the employment, employee benefits and other experience of the Cynthia Marcotte Stamer, PC here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile www.cynthiastamer.com or by registering to participate in the distribution of these and other updates on our HR & Employee Benefits Update distributions here including:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or updating your profile here. For important information concerning this communication click here©2014 Cynthia Marcotte Stamer. Limited, non-exclusive right to republished granted to Solutions Law Press, Inc. All other rights reserved.


Dermatology Practice To Pay $150K To Settle Charges It Breached HIPAA Breach Notice Rule

December 26, 2013

A new settlement agreement announced by the Department of Health & Human Services (HHS) Office of Civil Rights (OCR) shows health plans, health care providers, health care clearinghouses and their business associates the perils of failing to properly implement the necessary policies and procedures to comply with the breach notification requirements added to the Health Insurance Portability & Accountability Act of 1996 (HIPAA) added by the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of American Recovery and Reinvestment Act of 2009 (ARRA).

Private dermatology practice,, Adult & Pediatric Dermatology, P.C., (APDerm) has agreed to pay $150,000 and implement a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy,  Security, and Breach Notification Rules.  The APDerm Setttlement  marks the first settlement with a covered entity for not having policies and procedures in place to address the breach notification provisions of the HITECH Act.

According to its December 26, 2013 announcement of the settlement, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) opened an investigation of APDerm upon receiving a report that an unencrypted thumb drive containing the electronic protected health information (ePHI) of approximately 2,200 individuals was stolen from a vehicle of one its staff members. The thumb drive was never recovered.  The investigation revealed that APDerm had not conducted an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI as part of its security management process.  Further, APDerm did not fully comply with requirements of the Breach Notification Rule to have in place written policies and procedures and train workforce members.

Enforcement Actions Highlight Growing HIPAA Exposures For Covered Entities

The APDerm settlement provides more evidence of the growing exposures that health care providers, health plans, health care clearinghouses and their business associates need to carefully and appropriately manage their HIPAA responsibilities. See HIPAA Heats Up: HITECH Act Changes Take Effect & OCR Begins Posting Names, Other Details Of Unsecured PHI Breach Reports On WebsiteIt joins the  growing list of settlement or resolution agreements under HIPAA announced by OCR.

The APDerm also is notable both as it settles the first ever charges against a covered entity for failing to adopt required Breach Notification policies and procedures and the relatively most settlement payment required in comparison to other announced settlement.  Other settlements have been significantly higher.  For instance,  OCR required that Blue Cross Blue Shield of Tennessee (BCBST) to pay $1.5 million to resolve HIPAA violations charges.

In response to these expanding exposures, all covered entities and their business associates should review critically and carefully the adequacy of their current HIPAA Privacy and Security compliance policies, monitoring, training, breach notification and other practices taking into consideration OCR’s audit,  investigation and enforcement actions, emerging litigation and other enforcement data, their own and reports of other security and privacy breaches and near misses, evolving rules and technology, and other developments to determine if additional steps are necessary or advisable. For tips, see here.

For Representation, Training & Other Resources

If you need assistance monitoring HIPAA and other health and health plan related regulatory policy or enforcement developments, or to review or respond to these or other health care or health IT related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer may be able to help.

Board Certified in Labor & Employment Law, Past Chair of the ABA RPTE Employee Benefit & Other Compensation Arrangements Group, Co-Chair and Past Chair of the ABA RPTE Welfare Plan Committee, Vice Chair of the ABA TIPS Employee Benefit Plans Committee, Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 24 years experience advising health plan and employee benefit, insurance, financial services, employer and health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers, health plans, their business associates and other health industry clients to establish and administer medical privacy and other compliance and risk management policies, to health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. She regularly designs and presents HIPAA and other risk management, compliance and other training for health plans, employers, health care providers, professional associations and others.

For the past two years, Ms. Stamer has served as the  scribe for the ABA Joint Committee on Employee Benefits agency meeting with OCR.   Ms. Stamer also regularly works with OCR, FTC, USSS, FBI and state and local law enforcement on privacy, data security, health care, benefits and insurance and other matters, publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. For instance, Ms. Stamer for the second year will serve as the appointed scribe for the ABA Joint Committee on Employee Benefits Agency meeting with OCR. Her insights on HIPAA risk management and compliance frequently appear in medical privacy related publications of a broad range of health care, health plan and other industry publications Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others.  You can get more information about her HIPAA and other experience here.

If you need assistance with these or other compliance concerns, wish to inquire about arranging for compliance audit or training, or need legal representation on other matters please contact Ms. Stamer at (469) 767-8872 or via e-mail here.

You can review other recent publications and resources and additional information about the other experience of Ms. Stamer here. Examples of some recent publications that may be of interest include:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or updating your profile here. For important information concerning this communication click here.

©2013 Cynthia Marcotte Stamer.  Non-exclusive right to republish granted to Solutions Law Press, Inc.   All rights reserved.


Careful Selection & Contracting With Vendors Critical Part of Health Plan Renewals

October 8, 2013

In the rush to finalize their health plan designs, contracts and documents for the upcoming 2014 plan year, employer and other health plan sponsors and fiduciaries should use care to review their insurance, broker, administrator and other health plan vendor agreements and vendor-provided plan documents, communications and processes to verify that vendor agreements and the plan designs, documentation, communications and processes they put in place appropriately hold service providers accountable, are legally compliant, appropriately tailored to defensably administer the plan in accordance with expectations, implement appropriate fiduciary and other performance and risk allocations and manage other exposures.

Many employer and other plan sponsors unknowingly expose themselves and management personnel participating in plan related decision-making to liability and costs by allowing costs or personality preferences to guide their vendor choices, rather than conducting a well-documented prudent review of their brokers and consultants, health plan insurers and  other service providers, their bonding and other credentials, and the vendor-recommended plan designs, documentation, communications, credentials and processes.

Careful Vendor Selection & Contracting Foundation of Health Plan Compliance & Risk Management

As an initial matter, employers or others selecting plan vendors generally need to credential service providers to manage exposures under the fiduciary responsibility rules of the Employee Retirement Income Security Act of 1974 (ERISA). The fiduciary responsibility rules of ERISA generally impose upon the employer, member of its management or other parties possessing or exercising discretionary authority or control over the selection of plan service providers or vendors legal responsibility for the prudent selection and oversight of the service providers, their bonding and other credentials. Failing to conduct and keep documentation of this critical review can expose those participating in the vendor selection process to personal liability if plan funds or administration are mishandled as a result of the improper selection and oversight of the vendor.

Second, even when a vendor has a great reputation and credentials, employers or others also should carefully review the plan documentation, agreements, and communications provided by their brokers, administrative services providers, insurers and other health plan service providers to confirm that these materials are legally compliant, properly reflect the plan sponsors’ expectations about the plan terms, costs, and obligations, and otherwise designed to protect the employer’s goals and interests.  While most plan sponsors and their management assume that the arrangements put in place by their broker, consultant or other service provider will take the necessary steps to properly document and implement the plan design, inadequacies in plan documentation, communications, administrative forms, processes and even plan design are common.

Even where plan vendors and advisors have the best of intentions, plan designs and documentation often fail to comply with applicable federal mandates, incorporate undesirable terms, or incorporate other provisions or deficiencies that unnecessarily leave the plan sponsor or members of its management exposed to avoidable fiduciary responsibility and liability for actions that the service provider is being paid to perform, exculpate vendors from liability for failing to competently perform responsibilities, expose the plan or its sponsors to unnecessary penalties or other costs, have other weaknesses that leave the sponsor or its management exposed to significant costs, liabilities or both.

For these reasons and others, employer and other plan sponsors should make time to conduct a well-documented documented review of the fiduciary eligibility, bonding and other credentials, services agreements, plan documentation, communications, processes, and procedures proposed by their health plan vendors before finalizing vendor selections and implementing those documents.

Credentialing & Vendor Contracting Tips

To help determine the scope of review and risk, most employer or other plan sponsors and their management will find it helpful to begin by critically evaluating the credentials and contracts of the health plan brokers, consultants and service providers.  This review should both verify these advisors have the bonding and other legal credentials to qualify to perform the role desired under ERISA, the scope of services and accountability undertaken by the service providers, and the responsibilities for which the employer or other appointing party will continue to bear for the proper documentation and administration of the plan after hiring these vendors.

The following are some basic guidelines that management or others making health plan vendor and design decisions generally will want to consider and document as part of their analysis when reviewing proposed health plan vendors and the plan designs, documentation, communications and procedures.

  • A formal background check performed with the consent of the service provider should prove that the service provider and all of its employees and agents should be qualified to serve in a fiduciary role, are not disqualified or under investigation or other action that would disqualify them to act as a fiduciary or be bonded as required by ERISA, have no material complaint or dispute history with current or former clients or vendors, the Department of Labor, Department of Insurance, Internal Revenue Service or other relevant authorities, and have appropriate licensure, certifications, experience and reputation.
  • The service provider and its employees should enjoy an excellent reputation, verified by both broad background checks and detailed reference checks with both current and former clients, including clients who are not necessarily on the official reference list provided by the prospective service provider.
  • The service provider, its team, processes and procedures should have a history and currently be financially and operationally sound with significant experience and ability in the area.
  • The service provider should possess and be able to provide appropriate documentation of licensure, bonding, certifications and other credentials.
  • Due diligence should verify that the service provider has the skill, equipment, staff, procedures, processes, qualifications and other capabilities to properly and reliably perform the tasks contemplated prudently and in accordance with applicable legal responsibilities.

Beyond credentialing the service provider and its personnel, a plan sponsor or other party participating in the selection of a service provider or its recommended plan designs or services also should critically review the proposed services agreement to verify that it properly protects the expectations and interests of the plan sponsor, its plan fiduciaries and other associated parties participating in the plan design and vendor selection process.  Among other things, a review of the contract generally should verify that the following criteria are met:

  • The contract should clearly document the scope of plan services that the service provider will provide under the agreement, the services that the service provider will not provide, and the services that the service provider only will provide at an additional charge, all charges and other requirements, and any other material expectations.
  • The contract should require the service provider to deliver plan services prudently in a manner that delivers the desired health benefits in a manner consistent with the purposes that justify the plan sponsor’s continued provision of the health benefits in accordance with the legal, operational, benefit and cost parameters applicable to the employer and its plan
  • The contract should provide plan services in a manner consistent with the plan sponsor’s overall plan design and related business practices.
  • The contract should deliver plan services in a manner consistent with the federal and state tax, labor, health care, contractual and other legal obligations applicable to the plan sponsor.
  • The contract should document the bonding, liability insurance, credentials and other qualifications of the service provider and require notification and appropriate recourse in the event of a material change in those credentials.
  • The contract should adequately minimize the exposure of the plan sponsor to legal liabilities arising from its participation in the contract, including fiduciary liability, vicarious liability, corporate negligence, and contractual liability.
  • The contract should establish and document the framework for an effective working relationship.
  • The contract should establish and document clear performance obligations applicable to the parties; the way compliance will be measured; and the consequences of any breach of those obligations.
  • The contract should incorporate the necessary provisions to fulfill the business associate agreement and other requirements concerning the creation, use, protection, access and disclosure of personal health information and other sensitive information about plan participants, beneficiaries and their costs needed to comply with the privacy and data security requirements of the Health Insurance Portability & Accountability Act privacy, security, breach notification, accounting and other individual rights, and business associate rules as updated in new regulations published in 2013 by the Office of Civil Rights.
  • The contract should provide access to necessary information including all records necessary to monitor and defend the plan, its design and administration, its compliance and prudent administration, including all disclosure, audit and reporting requirements.
  • The contract should define the breach notification and dispute resolution procedures, if any, that apply to disputes between the parties in a manner that does not unduly prejudice the plan sponsor’s ability to administer the plan; fulfill its legal obligations to covered persons and relevant regulators, or conduct other business activities.
  • The contract should clearly document the relationship between the standard plan provisions and the managed care procedures as well as fiduciary responsibility and accountability for, appropriately updated to comply with updated claims, appeals, and independent review organization requirements implemented since the enactment of the Patient Protection & Affordable Care Act,   This should include a discussion regarding the extent to which the plan’s standard utilization, precertification, and medical necessity review procedures, coverage limitations and exclusions, proof of loss, and other provisions or replaced for care obtained under the managed care plan, as well as procedures and liability for deficiencies in administration resulting in liability to contracted physicians under managed care contracts pursuant to state law, loss of discounts, penalties or stop-loss coverage resulting from errors in administration and other federal and state liability risks of the plan, its fiduciaries and the employer.
  • The contract should require a third party administrator (TPA_ ensure that its provider contracts do not contain terms or provisions (other than as intended by the plan sponsor) that would undermine the enforceability of the plan sponsor’s benefit design.
  • The contract should require the service provider to ensure that contracting providers understand that their entitlement to payment or benefits depends upon satisfaction of all applicable terms and conditions of the plan and incorporate procedures to ensure the enforceability of these commitments.
  • The contract should bind the service provider to change its procedures in response to changes in the law or regulations that may be adopted from time to time.
  • The contract, if applicable, should require prudent processes to verify eligibility, coordinate coverage and perform other required functions.
  • The contract should include terms that preserve the subrogation rights of the plan.
  • The contract should require the TPA to warrant its authority to bind contracting providers and other parties whose cooperation and performance is required under the contract as part of the package of services to be delivered under the TPA’s proposal.
  • The contract should require the service provider to warrant that its agreement with other contracting providers does not conflict with the terms of the contract and ensures that these related providers are bound to perform in the manner contemplated by the contract.
  • The contract should require the service provider to perform all duties to prudently and in accordance with the law and hold the service provider legally accountable for liabilities and costs resulting from its omission to do so.
  • The contract should incorporate all performance guarantees including suitable accountability for noncompliance.
  • The contract should keep the right of the plan sponsor or fiduciary to terminate the vendor where prudent or otherwise legally required to fulfill responsibilities without inappropriate restrictions inconsistent with legal or operational responsibilities.
  • The contract should require appropriate indemnification or other accountability for non-performance with legal or other requirements and expectations.
  • The contract should include appropriate provisions to preserve access to plan administration and associated data as necessary to monitor plan costs, make future design decisions, and administer the plan and associated responsibilities even in the event of a termination of the vendor relationship.

While the credentialing questions and processes don’t eliminate all health plan related risks, they can help eliminate and manage many common legal and operational risks that often arising from health contracts and can help position an employer and members of its management to mitigate other potential exposures.   The benefits of this careful credentialing and contract should be carried forward by careful crafting of plan documents and communications to match the allocations of responsibilities decided upon in the contracting process, the use of appropriate procedures to ensure that the appointed party handles those responsibilities and their associated communications, and the proper coordination of responses to potential problems in a manner that provides for defensible administration without blurring carefully crafted fiduciary and other role assignments.

In some instances, it may not be possible to secure the ideal contractual provisions.  When this occurs, the documentation of the negotiations and the analysis of the advisability of proceeding with the contract, including any prudent backup arrangements needed to justify continuation should be maintained.  Too often, brokers and consultants disparage contract negotiation and review recommendations of legal counsel by suggesting this is standard in the industry or that the request for negotiation and review suggests some lack of experience or other improper expectation by legal counsel or others suggesting the review.  Such suggestions should be carefully scrutinized.  While ideal provisions cannot always be obtained, it is rare that some improvement in the agreements is not possible.  Even where this progress is not obtained, however, existing judicial and Labor Department enforcement clearly shows that the process of prudent review and analysis of proposed vendors and services is a required and necessary element of the vendor selection process for which parties making the decisions may face liability if they cannot prove the selection or retention was prudently conducted.

For Help or More Information

 If you need help understanding or dealing with reviewing or negotiating your vendor agreements, or  with other 2014 health plan decision-making or preparation, or with reviewing and updating, administering or defending your group health or other employee benefit, human resources, insurance, health care matters or related documents or practices, please contact the author of this update, Cynthia Marcotte Stamer.

A Fellow in the American College of Employee Benefit Council, immediate past Chair of the American Bar Association (ABA) RPTE Employee Benefits & Other Compensation Group and current Co-Chair of its Welfare Benefit Committee, Vice-Chair of the ABA TIPS Employee Benefits Committee, a council member of the ABA Joint Committee on Employee Benefits, and past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, Ms. Stamer is recognized, internationally, nationally and locally for her more than 25 years of work, advocacy, education and publications on cutting edge health and managed care, employee benefit, human resources and related workforce, insurance and financial services, and health care matters.

A board certified labor and employment attorney widely known for her extensive and creative knowledge and experienced with these and other employment, employee benefit and compensation matters, Ms. Stamer continuously advises and assists employers, employee benefit plans, their sponsoring employers, fiduciaries, insurers, administrators, service providers, insurers and others to monitor and respond to evolving legal and operational requirements and to design, administer, document and defend medical and other welfare benefit, qualified and non-qualified deferred compensation and retirement, severance and other employee benefit, compensation, and human resources, management and other programs and practices tailored to the client’s human resources, employee benefits or other management goals. A primary drafter of the Bolivian Social Security pension privatization law, Ms. Stamer also works extensively with management, service provider and other clients to monitor legislative and regulatory developments and to deal with Congressional and state legislators, regulators, and enforcement officials about regulatory, investigatory or enforcement concerns.

Recognized in Who’s Who In American Professionals and both an American Bar Association (ABA) and a State Bar of Texas Fellow, Ms. Stamer serves on the Editorial Advisory Board of Employee Benefits News, HR.com, Insurance Thought Leadership, Solutions Law Press, Inc. and other publications, and active in a multitude of other employee benefits, human resources and other professional and civic organizations. She also is a widely published author and highly regarded speaker on these matters. Her insights on these and other matters appear in the Bureau of National Affairs, Spencer Publications, the Wall Street Journal, the Dallas Business Journal, the Houston Business Journal, Modern and many other national and local publications. Her widely respected publications and programs include more than 25 years of publications on health plan contracting, design, administration and risk management including a “Managed Care Contracting Guide” published by the American Health Lawyers Association and numerous other works on vendor contracting.  You can learn more about Ms. Stamer and her experience, review some of her other training, speaking, publications and other resources, and register to receive future updates about developments on these and other concerns from Ms. Stamer here.

Other Helpful Resources & Other Information

We hope that this information is useful to you.   If you found these updates of interest, you also be interested in one or more of the following other recent articles published on the Coalition for Responsible Health Care Reform electronic publication available here, our electronic Solutions Law Press Health Care Update publication available here, or our HR & Benefits Update electronic publication available here .  You also can get access to information about how you can arrange for training on “Building Your Family’s Health Care Toolkit,”  using the “PlayForLife” resources to organize low-cost wellness programs in your workplace, school, church or other communities, and other process improvement, compliance and other training and other resources for health care providers, employers, health plans, community leaders and others here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail by creating or updating your profile here. You can reach other recent updates and other informative publications and resources.

Recent examples of these publications include:

For important information about this communication click here.

©2013 Cynthia Marcotte Stamer.  Nonexclusive right to republish granted to Solutions Law Press, Inc. All other rights reserved.


Exchange Enrollment Kicks Off Plagued By Government Shutdown, Other Challenges

October 1, 2013
Despite a showdown in Congress about health care reform’s future that threatens to bring funding of the U.S. government to a halt and a host of recent security and other concerns about the security and operational readiness of its enrollment platform and details of the implementation of the marketplaces in many states that will provide the offered coverage, the Obama Administration is touting today, October 1, 2013, as the first day that Americans can apply for enrollment in coverage offered through the health insurance exchanges that the Obama Administration prefers to refer to as “Marketplaces” slated to take effect under the Patient Protection & Affordable Care Act (ACA).

Obama Administration Touts October 1 Kickoff As New Age of Health Care

In a post shared across social media today,U.S. Department of Health and Human Services (HHS) Secretary Kathleen Sebelius announces, ” HealthCare.gov is open for business. Share this and let your friends and family know they can #GetCovered today at www.healthcare.gov!”   In yet another post, Ms. Sebelius proclaims:  See also http://www.hhs.gov/news/press/2013pres/10/20131001a.html.

“For the first time ever, today all Americans can begin shopping for quality health coverage that is affordable, and not be denied or charged more because they have a pre-existing condition.

The Health Insurance Marketplace is a new, simpler way for uninsured Americans and their families to purchase health insurance in one place.  Coverage begins as early as January 1, 2014 for people enrolling by December 15, 2013.   Today also marks the kick-off of outreach and enrollment activities in communities nationwide.  Enrollment events will take place in a variety of local settings including public libraries, churches, festivals, sports events, and community meetings.” 

Shutdown, Other Issues Raise Concerns

Ironically, while HHS continues to cheer its actions to implement ACA, a host of concerns cloud its implementation, including a federal government shutdown that also took effect October 1, 2013 as a result of a Congressional battle over the future of ACA and its funding.  Over the weekend, the Senate refused to approve legislation passed by the House that would have provided for continued funding of U.S. government activities while denying funding and delaying provisions of ACA.  Leaders in the Republican controlled House have indicated the House will not pass a budget without the carve out of funding and delay of ACA implementation.  The dispute means that Congress has not approved continuing funding from the U.S. budget of the monies necessary for continued operations of many government functions, including HHS support for implementation of ACA and its enrollment.  As a result, while HHS continues to bombard the media and social media with announcements touting enrollment, the main page of its website posts the following announcement in bright red text:

“Due to the lapse in government funding, only web sites supporting excepted functions will be updated unless otherwise funded.  As a result, the information on this website may not be up to date, the transactions submitted via the website may not be processed, and the agency may not be able to respond to inquiries until appropriations are enacted. …

ATTENTION – HIGH VOLUME OF MEDIA REQUESTS

We are experiencing a high volume of media requests about the Affordable Care Act and the Health Insurance Marketplaces. If you are a reporter, we have assembled these tools to help you:

  1. First try HealthCare.gov, which has comprehensive information about the Health Insurance Marketplace here.
  2. At the start of Open Enrollment, watch for media advisories for the Centers for Medicare & Medicaid Services’ regular operational updates for reporters. The first update will be held as a conference call on the afternoon of Oct. 1. HHS will post transcripts of these briefings in the HHS Newsroom.
  3. Email our media team here. If you have already contacted CMS’ media relations team, then HHS already has your request, and there is no need to email both agencies. Please be as specific as possible about your request and deadline.”

Beyond the government shutdown, other issues remain.  Last month, HHS released a HHS Office of Inspector General Report that raises concerns about the adequacy of the electronic security of the portal that will be used to register and apply for enrollment through the site.  See Observations Noted During The OIG Review Of CMS’s Implementation Of The Health Insurance Exchange—Data Services Hub.  A host of other problems and concerns also have been reported.  See e.g., Obamacare’s Insurance Exchange “Glitches” – The Foundry; Document Management Problems in New Insurance Markets Feds ; ObamaCare ‘glitch‘ watch: Exchange site posts error messages; D.C.’s Obamacare fail: Prices won’t work until NovemberObamaCare’s scope, rocky intro signals problems for Tuesday’s start.

As the January 1, 2014 promised commencement of coverage and individual mandates loomed, the Obama Administration’s delay of employer mandates while leaving individual mandate penalties against individuals who fail to purchase coverage, reports of employers cutting jobs, employee health coverage, or both, highly debated concerns about the cost, quality of coverage and other issues are fueling a showdown again in Congress, as many Americans grow increasingly concerned about what lies ahead.Are you concerned about whether health care reform preparations are on track or have other health care policy concerns.  With the debate continuing to rage, many individuals and employers are watching carefully, as the debate holds funding of other key aspects of government operations hostage.

Join the discussion about health care reform and share your input by joining Project COPE: Coalition for Patient Empowerment here.

About Project COPE: The Coalition On Patient Empowerment & Its  Coalition on Responsible Health Policy

Sharing and promoting the use of practical practices, tools, information and ideas that patients and their families, health care providers, employers, health plans, communities and policymakers can share and offer to help patients, their families and others in their care communities to understand and work together to better help the patients, their family and their professional and private care community plan for and manage these  needs is the purpose of Project COPE, The Coalition on Patient Empowerment & It’s Affiliate, the Coalition on Responsible Health Policy.

The best opportunity to improve access to quality, affordable health care for all Americans is for every American, and every employer, insurer, and community organization to seize the opportunity to be good Samaritans.  The government, health care providers, insurers and community organizations can help by providing education and resources to make understanding and dealing with the realities of illness, disability or aging easier for a patient and their family, the affected employers and others. At the end of the day, however, caring for people requires the human touch.  Americans can best improve health care by not waiting for someone else to step up:  Step up and help bridge the gap when you or your organization can. Speak up to help communicate and facilitate when you can.  Building health care neighborhoods filled with good neighbors throughout the community is the key.

The outcome of this latest health care reform push is only a small part of a continuing process.  Whether or not the Affordable Care Act makes financing care better or worse, the same challenges exist.  The real meaning of the enacted reforms will be determined largely by the shaping and implementation of regulations and enforcement actions which generally are conducted outside the public eye.  Americans individually and collectively clearly should monitor and continue to provide input through this critical time to help shape constructive rather than obstructive policy. Regardless of how the policy ultimately evolves, however, Americans, American businesses, and American communities still will need to roll up their sleeves and work to deal with the realities of dealing with ill, aging and disabled people and their families.  While the reimbursement and coverage map will change and new government mandates will confine providers, payers and patients, the practical needs and challenges of patients and families will be the same and confusion about the new configuration will create new challenges as patients, providers and payers work through the changes.

We also encourage you and others to help develop real meaningful improvements by joining Project COPE: Coalition for Patient Empowerment here by sharing ideas, tools and other solutions and other resources. The Coalition For Responsible Health Care Policy provides a resource that concerned Americans can use to share, monitor and discuss the Health Care Reform law and other health care, insurance and related laws, regulations, policies and practices and options for promoting access to quality, affordable healthcare through the design, administration and enforcement of these regulations.

Other Helpful Resources & Other Information

We hope that this information is useful to you.   If you found these updates of interest, you also be interested in one or more of the following other recent articles published on the Coalition for Responsible Health Care Reform electronic publication available here, our electronic Solutions Law Press Health Care Update publication available here, or our HR & Benefits Update electronic publication available here .  You also can get access to information about how you can arrange for training on “Building Your Family’s Health Care Toolkit,”  using the “PlayForLife” resources to organize low-cost wellness programs in your workplace, school, church or other communities, and other process improvement, compliance and other training and other resources for health care providers, employers, health plans, community leaders and others here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail by creating or updating your profile here. You can reach other recent updates and other informative publications and resources.

Recent examples of these publications include:

For important information about this communication click here.

©2013 Cynthia Marcotte Stamer.  Nonexclusive right to republish granted to Solutions Law Press, Inc. All other rights reserved.


HHS Share Model HIPAA Notices 1 Week Before Deadline For Updating Business Associate Agreements

September 16, 2013

A week before the September 23, 2013 deadline for all health care providers, health plans, health care clearinghouses (Covered Entities) and their business associates to have updated their business associate agreements to comply with the Final Omnibus HIPAA Rule, the Department of Health & Human Services Office of the National Coordinator for Health Information Technology (ONC) and the Office for Civil Rights (OCR) today (September 16, 2013) released Model Notices of Privacy Practices (Notices) for health care providers and health plans to use to communicate with their patients and plan members. With penalties and enforcement continuing to rise, Covered Entities and their business associates should take appropriate steps to review and update their privacy and breach notification policies and procedures, privacy officer appointments, notices of privacy practices, business associate agreements and other HIPAA compliance and risk management documentation, practices, procedures and coverage, breach notification and other HIPAA compliance and risk management practice.

Model HIPAA Notices

Developed collaboratively by ONC and OCR the Notices available here designed in the following three different styles are designed for users to customize to fit their specific needs and practices:

  • A notice in the form of a booklet;
  • A layered notice with a summary of the information on the first page and full content on the following pages; and
  • A notice with the design elements of the booklet, but that is formatted for full-page presentation.

Use of these model Notices is optional.  While the agencies designed the Notices to let Covered Entities to use these models by entering some of their own information into the model, such as contact information, and then printing for distribution and posting on their websites, Covered Entities should consult with legal counsel to determine the suitability of the Notices generally for their entity’s use and any customization, if any, that may be recommended or required to a Notice if the Covered Entity decides rely upon a model Notice to prepare its Notice of Privacy Practices.  To facilitate any tailoring, the agencies provided a text-only version for Covered Entities wishing only wish to use the content with or without tailoring.

September 23 Business Associate Agreement Update Deadline

September 23, 2013 also is the final deadline established in the Final Omnibus HIPAA Rule for Covered Entities and their business associations to update the business associate agreements required by HIPAA to reflect application of the breach notification, business associate, and many of HIPAA’s requirements to directly cover business associates and other aspects of the Health Information Technology for Economic and Clinical Health (HITECH) Act enacted as part of the American Recovery and Reinvestment Act of 2009.  While HHS published a Sample Business Associate Agreement last June to aid Covered Entities and their business associates with understanding the business associate agreement requirements as impacted by the Omnibus Final HIPAA Rule, it also made clear that Covered Entities and their business associates should tailor their business associate agreements to fit their specific circumstances and relationships.  OCR National Office and regional officials speaking about their findings about past business associate agreement compliance have indicated that their audit and enforcement activities show widespread compliance issues among Covered Entities and business associates with the original business associate agreements.  OCR clearly expects Covered Entities and their business associates to address and resolve these compliance issues going forward.

Covered Entities and their business associates are increasingly at peril if caught violating HIPAA’s Privacy, Security or Breach Notification rules.  With the HITECH Act Breach Notification rules now requiring Covered Entities to self-disclose breaches, OCR becomes aware of breaches much more easily.  Coupled with the HITECH Act’s increase in sanctions for HIPAA violations, Covered Entities and, beginning September 23, 2013, their business associates face rising risks for violating HIPAA.  See, e.g. HHS Settles with Health Plan in Photocopier Breach Case; WellPoint Settles HIPAA Security Case for $1,700,000; Shasta Regional Medical Center Settles HIPAA Security Case for $275,000; Idaho State University Settles HIPAA Security Case for $400,000; and HHS announces first HIPAA breach settlement involving less than 500 patients.

In response to the updated Final Regulations and these expanding HIPAA enforcement and exposures, all Covered Entities should review critically and carefully the adequacy of their current HIPAA Privacy and Security compliance policies, monitoring, training, breach notification and other practices taking into consideration OCR’s investigation and enforcement actions, emerging litigation and other enforcement data; their own and reports of other security and privacy breaches and near misses; and other developments to decide if additional steps are necessary or advisable.   In response to these expanding exposures, all covered entities and their business associates should review critically and carefully the adequacy of their current HIPAA Privacy and Security compliance policies, monitoring, training, breach notification and other practices taking into consideration OCR’s investigation and enforcement actions, emerging litigation and other enforcement data; their own and reports of other security and privacy breaches and near misses, and other developments to decide if tightening their policies, practices, documentation or training is necessary or advisable.

For Help or More Information

If you need assistance responding to HIPAA or other health industry regulatory, enforcement or other developments, reviewing or tightening your policies and procedures, conducting training or audits, responding to or defending an investigation or other enforcement actions; with 2014 health plan decision-making, or with reviewing and updating, administering or defending your group health or other employee benefit, human resources, insurance, health care matters or related documents or practices, please contact the author of this update, Cynthia Marcotte Stamer for help.

A Fellow in the American College of Employee Benefit Council, immediate past Chair of the American Bar Association (ABA) RPTE Employee Benefits & Other Compensation Group and current Co-Chair of its Welfare Benefit Committee, Vice-Chair of the ABA TIPS Employee Benefits Committee, a council member of the ABA Joint Committee on Employee Benefits, and past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, Ms. Stamer is recognized, internationally, nationally and locally for her more than 25 years of work, advocacy, education and publications on cutting edge health and managed care, employee benefit, human resources and related workforce, insurance and financial services, and health care matters.

A board certified labor and employment attorney widely known for her extensive and creative knowledge and experienced with these and other employment, employee benefit and compensation matters, Ms. Stamer is widely recognized for her extensive work, publications, and thought leadership on HIPAA and other privacy and data security issues.  Scribe for the ABA JCEB annual Technical Sessions meeting with OCR for the past three years, Ms. Stamer’s experience includes extensive work advising, representing and training health plan, health insurance, health IT, health care and other clients on HIPAA and other privacy, data protection and breach and other related matters and represents and advises these and other clients in responding to OCR Privacy and Civil Rights and other HHS agencies, Labor Department, IRS regulations, investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns.  She also is recognized for her extensive publications and programs including numerous highly regarding publications and programs on HIPAA and other privacy and data security concerns as well as a wide range of other workshops, programs and publications.

Beyond her HIPAA involvement, Ms. Stamer also continuously advises and assists employers, employee benefit plans, their sponsoring employers, fiduciaries, insurers, administrators, service providers, insurers and others to monitor and respond to evolving legal and operational requirements and to design, administer, document and defend medical and other welfare benefit, qualified and non-qualified deferred compensation and retirement, severance and other employee benefit, compensation, and human resources, management and other programs and practices tailored to the client’s human resources, employee benefits or other management goals.  A primary drafter of the Bolivian Social Security pension privatization law, Ms. Stamer also works extensively with management, service provider and other clients to monitor legislative and regulatory developments and to deal with Congressional and state legislators, regulators, and enforcement officials concerning regulatory, investigatory or enforcement concerns.

Recognized in Who’s Who In American Professionals and both an American Bar Association (ABA) and a State Bar of Texas Fellow, Ms. Stamer serves on the Editorial Advisory Board of Employee Benefits News, HR.com, Insurance Thought Leadership, Solutions Law Press, Inc. and other publications, and active in a multitude of other employee benefits, human resources and other professional and civic organizations.   She also is a widely published author and highly regarded speaker on these matters. Her insights on these and other matters appear in the Bureau of National Affairs, Spencer Publications, the Wall Street Journal, the Dallas Business Journal, the Houston Business Journal, Modern and many other national and local publications.   You can learn more about Ms. Stamer and her experience, review some of her other training, speaking, publications and other resources, and register to receive future updates about developments on these and other concerns from Ms. Stamer here.

Other Resources

If you found this update of interest, you also may be interested in reviewing some of the other updates and publications authored by Ms. Stamer available including:

For important information about this communication see here. THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS.  ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.

©2013 Cynthia Marcotte Stamer, P.C. 

Nonexclusive license to republish granted to Solutions Law Press, Inc.  All other rights reserved.


[*] On January 24, 2013, the Department of Labor (the Department) issued guidance stating the Department’s conclusion that the notice requirement under FLSA section 18B will not take effect on March 1, 2013 for several reasons until further guidance setting the extended deadline was published.


Follow

Get every new post delivered to your Inbox.

Join 517 other followers