HR & Benefits Update

OCR Restructuring To Strengthen Rights of Conscience and Religious Freedom Rights Oversight and Enforcement

May 20, 2026

The U.S. Department of Health and Human Services (HHS) May 18, 2026 announcement of its reorganization of its Office for Civil Rights (OCR) signals employer and other health plan sponsors, health care providers and others funded or regulated by HHS experiencing discrimination or other conflicts with conscience or religious objections may expect greater protection from HHS, even as it warns federal health care exchange, Medicare and Medicaid Advantage health plans, and other health payers; health care providers; housing and education providers, states and other organizations and individuals receiving HHS funding to ensure their practices and policies comply with current HHS policies on federal conscience and religious freedom rights.

The reorganization of the HHS agency charged with enforcing HHS-administered laws protecting civil rights, conscience and religious freedom, and health information privacy and security, returns OCR to a program-based structure that reelevates conscience and religious freedom protection enforcement by realigning OCR into three distinct subject-matter divisions:

The Conscience and Religious Freedom Division,responsible for enfocing federal rights of conscience and religious freedom;
The Civil Rights Division, responsible for enforcing Section 1557 and other civil rights and disability laws implemented and enforced by HSS; and
The Health Information Privacy, Data, and Cybersecurity Division, responsible for implementing and enforcing the privacy, data security, data breach and privacy rights of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Genetic Information Nondiscrimination Act (GINA) and other privacy and data security requirements implemented and enforced by HHS.

Historical Background Leading To Reorganization

HHS originally established a separate OCR Conscience and Religious Freedom Division (CRFD) to handle federal enforcement of the nation’s laws that protect the rights of conscience and religious freedom protected under the United States Constitution and other federal laws in January 2018 during President Trump’s first presidency. That division enforced and raised public awareness of conscience and religious freedom laws in health and human services, underscoring that violations are serious infractions that transgress basic human dignity and fundamental rights.

CRFD operated until March of 2023, when the Biden administration dissolved the division in 2023. Although OCR maintained jurisdiction over conscience and religious freedom authorities in health and human services after 2023, the Biden Administration combined the Conscience and Religious Freedom Division and the then-Civil Rights Division into the Policy Division.

According to the announcement, the intake and processing of complaints filed with OCR, and the review of reported breaches involving unsecured protected health information, will continue to be handled by an Enforcement Division that supports centralized intake and field-office execution. The reorganization is not expected to result in a reduction of OCR’s workforce.The OCR reorganization announcement reports OCR will publish more information about the reorganization in a Federal Register notice next month. Scribe and stay tuned for more developments.

Reorganization Part of HHS Actions To Enhance Conscience Rights and Religious Freedom Protections

OCR intends for the reorganization to strengthen its enhanced efforts to protect federal rights of conscience and religious freedom undertaken in response to Trump Administration directives. OCR’s announcement responds builds upon the Trump Administration policy and HHS’ resulting recent efforts to enforce federally protected right of conscience protections and protect human life.

Since President Trump began his second administration, he has made protection of rights of conscience, freedom of religion and protection of human life policy priorities. See Fact Sheet: HHS Takes Comprehensive Action to Enforce Conscience Rights and Protect Human Life, and OCR’s conscience and religious freedom webpage. Since returning to office in January 2025, President Trump has issued several executive orders and presidential directives designed to expand protections for religious liberty, conscience rights, and faith-based participation in federal programs since beginning his second term in office by among other things:

Establishing the White House Faith Office within the Executive Office of the President and ordering all executive agencies to protect religious liberty, coordinate with faith-based organizations, and identify barriers affecting religious groups seeking participation in federal programs under Executive Order 14205;
Creating a federal “Task Force to Eradicate Anti-Christian Bias,” led by the Department of Justice and involving multiple agencies charged with reviewing federal policies, investigations, and enforcement activities allegedly discriminating against Christians or religious organizations. DOJ Task Force Report on Anti-Christian Bias and Religious Liberty;
Establishing the Religious Liberty Commission, declaring it federal policy to “vigorously enforce” protections for religious liberty under federal law, and directing the Commission to study threats to and recommend safeguards for religious exercise including conscience protections, free exercise rights, religious education, and the role of faith-based organizations in public life under Executive Order 14291; and
Proclaiming January 26. 2026, Religious Freedom Day, 2026.

OCR’s announced restructuring is part of a broader set of activities OCR is undertaking to strengthen its oversight and enforcement of conscience and religious freedom rights in response to these Trump Administration directives. Before announcing the restructuring, OCR already has taken enforcement action to protect health care workers, support whistleblowers, and reinforce adherence to religious and conscience exemptions in the Vaccines for Children Program as part of these policies. For example, OCR previously has:

Repudiated a 2021 Biden Administration era letter that excluded employers and plan sponsors from the scope of health care entities protected by the Weldon Amendment and notified states and other regulated entities no longer rely on the now-repudiated legal position;
Repudiated other Biden Administration era policies on reproductive rights, diversity equity and inclusion and other policies considered outdated or inconsistent with the Trump Administration’s interpretation of federal conscience and religious freedom rights;
Issued public notices describing OCR deregulatory actions to align with President Trump’s E.O. 14182, Enforcing the Hyde Amendment;
Issued a nationwide Dear Colleague Letter explaining OCR’s right of conscious policy under the Trump Administration;
Issued a Notice of Violation that found an Illinois state law violated the Weldon and the Coats-Snowe Amendments, which are among two dozen federal health care conscience protection statutes that HHS enforces. The Illinois Notice of Violation charges the Illinois law unlawfully ties health care provider conscience protections to referral requirements in the case of abortion;
OCR announced its investigation of 13 states for allegedly violating the Weldon Amendment federal health care conscience law by coercing health care entities, health insurers, and employers and their health plans to provide coverage of, or pay for, abortion contrary to conscience;
To educate the public, OCR also released a nationwide Dear Colleague Letter summarizing federal health care conscience protection statutes, including those laws specific to abortion, sterilization, and assisted suicide; and
Undertaken high profile investigations and enforcement actions against academic medicine and other health, education or other HHS funding recipients perceived to have discriminated or violated rights of conscience or religious freedoms of individuals of Christian or Jewish faith.

OCR’s announcement of the reorganization makes clear it intends for the reorganization to strengthen its ability to enforce these and other interpretations and policies for the protection and defense of rights of conscience and religious freedom in accordance with the Trump Administration directives. The announcement quotes HHS Office for Civil Rights Director Paula M. Stannard as saying, “This reorganization reinstitutes a structure that rightly prioritizes civil rights and conscience and religious freedom alongside health information privacy and security,” and that “All three areas are deserving of subject-matter expertise and distinct senior executive leadership for OCR to best serve the American people.” HHS’ announcement also states the reorganized structure will improve OCR’s effectiveness and efficiency to advance the protection of conscience rights, address race-based discrimination in a color-blind manner, eradicate antisemitism and anti-Christian bias, and restore biological truth.

Given the current emphasis of OCR and other federal agencies on protection and enforcement of federally protected rights of conscience and religious freedom under current Trump Administration policies, employers, health care providers, health insurers and plans, academic medicine and other education, housing and other entities funded or participating in HHS programs specifically should contact qualified legal counsel for assistance in evaluating and ensuring that their policies and procedures properly align with OCR right of conscience and religious freedom enforcement policies. Along with generally reviewing policies or practices that might raise right of conscience or religious discrimination or freedom concerns, these entities also should tread carefully and seek the assistance of legal counsel with identifying and responding to requests or other potential right of conscience, religious discrimination, or religious freedom concerns arising in their dealings with employees, service providers, customers and others.

Meanwhile employer and other plan sponsors and other organizations that feel that they are suffering discrimination or other violations of their rights of conscience or religious freedom may wish to evaluate their ability to secure accommodations or other relief under the religious freedom and right of conscience policies from HHS or other applicable federal agencies, the courts, or both.

For Help or More Information

The author of this update, Cynthia Marcotte Stamer has decades of experience advising and assisting health industry clients to design, audit, and defend their organizations and practices including conducting audits and investigations, designing and updating compliance and risk management programs, responding to government investigations, conducting transaction, governance, and other due diligence, and assisting with other legal and operational compliance and risk management and legislative and regulatory affairs. She is available to assist your organization in assessing the impact of these developments and navigating the compliance and strategic steps that follow. For more information about these or other health care, managed care and other health benefits, or other health industry laws or concerns, contact Ms. Stamer via e-mail or via telephone at (214) 452 -8297.

About the Author

Cynthia Marcotte Stamer is an American College of Employee Benefits Counsel and a Martindale-Hubble “AV-Preeminent” (Top 1%) attorney and advisor board certified in labor and employment law by the Texas Board of Legal Specialization peer peer celebrated as “Top Rated Lawyer” and “LEGAL LEADER™ “Top Rated Lawyer” and “Best Lawyer” for her work in ERISA & Employee Benefits Law, Health Care Law, Labor and Employment Law, and Business and Commercial Law.

Nationally recognised for her decades of leading edge health and other employee benefits and insurance, compensation, human resources and other management work, public policy leadership and advocacy, coaching, teachings, and publications, Ms. Stamer is well known for her decades of pragmatic, leading edge work, scholarship and thought leadership on health benefit and other health and managed care, privacy and data security and other employee benefit, insurance, and health industry legal, public policy and operational concerns.

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. As a a key focus of this work, she has continuously and extensively worked with domestic and international health plans, their sponsors, fiduciaries, administrators, and insurers; managed care and insurance organizations; third party administrators and other health benefit service providers; hospitals, health care systems and other health care providers, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; EMR, claims, payroll and other technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, self-insured health and other employee benefit plans, their sponsors, fiduciaries, administrators and service providers, insurers and other payers, health industry advocacy and other service providers and groups and other health and managed care industry clients as well as federal and state legislative, regulatory, investigatory and enforcement bodies and agencies.

Her experience includes more than 35 years of leading edge work for employer and other plan sponsors, plans and their fiduciaries, insurers, third party administrators, health care clearinghouses and other health care, insurance and other data and technology providers, and others on health and other employee benefits design, administration, compliance, and policy including decades of work on fiduciary compliance and risk management; eligibility, coverage and other plan mandates; administrative simplification and transparency; PBM, pharmacy and pharmaceutical management and regulation; surprise billing and other non-par provider; direct provider, vendor and other credentialing, contracting and management; and other managed care and insurance; high deductible, minimum or level premium, captive and other non traditional funding; and agency and private audits, investigations and enforcement; and other insured and self-insured health benefit contracting, design, administration, regulation, fiduciary and other liability managment, and other design, compliance, risk management, defense, and operations solutions.

She also has extensive experience helping health care systems and organizations, group and individual health care providers, health plans and insurers, health IT, life sciences and other health industry clients prevent, investigate, manage and resolve sexual assault, abuse, harassment and other organizational, provider and employee misconduct and other performance and behavior; manage Section 1557, Section 504, Civil Rights Act and other discrimination and accommodation, and other regulatory, contractual and other compliance; vendors and suppliers; contracting and other terms of participation, medical billing, reimbursement, claims administration and coordination, Medicare, Medicaid, CHIP, Medicare/Medicaid Advantage, ERISA and other payers and other provider-payer relations, contracting, compliance and enforcement; Form 990 and other nonprofit and tax-exemption; fundraising, investors, joint venture, and other business partners; quality and other performance measurement, management, discipline and reporting; physician and other workforce recruiting, performance management, peer review and other investigations and discipline, wage and hour, payroll, gain-sharing and other pay-for performance and other compensation, training, outsourcing and other human resources and workforce matters; board, medical staff and other governance; strategic planning, process and quality improvement; meaningful use, EMR, HIPAA and other technology, data security and breach and other health IT and data; STARK, ant kickback, insurance, and other fraud prevention, investigation, defense and enforcement; audits, investigations, and enforcement actions; trade secrets and other intellectual property; crisis preparedness and response; internal, government and third-party licensure, credentialing, accreditation, HCQIA and other peer review and quality reporting, audits, investigations, enforcement and defense; patient relations and care; internal controls and regulatory compliance; payer-provider, provider-provider, vendor, patient, governmental and community relations; facilities, practice, products and other sales, mergers, acquisitions and other business and commercial transactions; government procurement and contracting; grants; tax-exemption and not-for-profit; privacy and data security; training; risk and change management; regulatory affairs and public policy; process, product and service improvement, development and innovation, and other legal and operational compliance and risk management, government and regulatory affairs and operations concerns. to establish, administer and defend workforce and staffing, quality, and other compliance, risk management and operational practices, policies and actions; comply with requirements; investigate and respond to Department of Insurance, Board of Medicine, Health, Nursing, Pharmacy, Chiropractic, trucking, alcohol and firearm, and other licensing agencies, Department of Aging & Disability, FDA, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; JCHO and other accreditation and quality organizations; private litigation and other federal and state health care industry actions: regulatory and public policy advocacy; training and discipline; enforcement; and other strategic and operational concerns.

Former lead advisor to the Government of Bolivia on its Social Security Privatization reform, miss Stamer also has extensive legislative and regulatory affairs experience on federal, state and international employee benefits, healthcare, workforce, education, insurance, data privacy and security, antitrust, and other regulations and reforms.

In addition, Ms. Stamer contributes her time and leadership to numerous policy, professional, civil and other organizations, Ms. Stamer currently or previously served as the Scribe leading annual agency meetings on HIPAA and other issues with the Department of Health and Human Services; leadership Council Representative, speaker, author and faculty lead for the American Bar Association (“ABA”) Joint Committee on Employee Benefits; the ABA International Section International Employment Law Committee and International Life Sciences Committee Chair; the ABA Tort Trial and Insurance Practice Section Medicine and Law Committee Chair and Employee Benefits and Worker’s Compensation Committees Vice Chair; the ABA Health Law Section Managed Care & Insurance Interest Group Chair and Risk Management Interest Group Chair; the ABA RPTE Employee Benefits & Other Compensation Group Chair and Welfare Benefit, Fiduciary Responsibility, and Plan Terminations and Transactions Committees Chair; Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association; a Southwest Benefits Association Board Member; a SHRM Consultants National and Region IV Board Chair; WEB National Board Member and Dallas Chapter President; National Kidney Foundation of North Texas Board Member and Compliance Chair; Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency Board President; a North Texas United Way Long Range Planning Committee Member; and other leadership involvement in a broad range of other professional and civic organizations.

Author of hundreds of highly regarded works on health and other benefits, human resources, health care, insurance, data privacy and security and other related concerns, examples of these publications include “Transparent PBM Contracting,” “ACOs, Direct Contracting: Legal & Practical Challenges For Employers, Providers & TPAs,” “The Medicare Advantage Contracting Manual,” “Third Party Administrator (TPA) Contracting Principles and Strategies and a multitude of other publications and presentations.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

Leave a Comment » | Civil Rights, Discrimination, health Care, Health Plans, HHS, HIPAA, Medicaid, Medicare Advantage, Medicare Part D, OCR, Public Policy, religious accommodation, Religous Discrimination, RIghts of Conscience and Religious Freedom, Section 1557 | Tagged: duty-to-accommodate-religion, Health, HHS, history, news, OCR, politics, Religion, religious-discrimination, religious-freedom, right-of-conscience | Permalink
Posted by Cynthia Marcotte Stamer

New California SB 497 90-day Retaliation Presumption Highlights Risk Employers Everywhere Face When Performance Issues Appear Only After Protected Activity

May 19, 2026

California’s SB 497 gives employees a statutory advantage in certain retaliation claims by creating a rebuttable presumption when prohibited employer action occurs within 90 days of protected activity under Labor Code sections 98.6 and 1197.5. California Legislature. For employers everywhere, however, the larger lesson is not limited to California or to a 90-day window. Retaliation claims become harder to defend whenever performance concerns first appear, escalate, or become formally documented only after an employee reports misconduct, complains about unlawful practices, discusses wages, invokes workplace rights, or engages in other protected activity.

SB 497’s New Presumption Changes the Litigation Starting Point in California

SB 497 amended California Labor Code section 98.6 to provide that if an employer takes action prohibited by that section within 90 days of protected activity, “there shall be a rebuttable presumption in favor of the employee’s claim” .California Labor Code section 98.6. Section 98.6 protects employees and applicants from discharge, discrimination, retaliation, or adverse action for exercising specified Labor Code rights, including wage complaints, Labor Commissioner proceedings, and PAGA-related activity California Labor Code section 98.6.

SB 497 also amended Labor Code section 1197.5 to apply a similar 90-day rebuttable presumption to retaliation claims involving equal pay and wage transparency rights. California Labor Code section 1197.5. Section 1197.5 prohibits retaliation against employees for invoking or assisting enforcement of California equal pay rights, and it protects employees who disclose, discuss, or inquire about wages. California Labor Code section 1197.5.

Why Post-Complaint Performance Documentation Is Risky

The most common employer defense to retaliation charges is that the challenged action was based on performance, misconduct, attendance, or business needs. That defense is strongest when the employer can show consistent documentation, prior coaching, objective standards, and comparable treatment of similarly situated employees.

It is much weaker when the record looks different before and after protected activity. If the employee had positive reviews, no written warnings, tolerated deficiencies, or informal coaching before the complaint, and then suddenly receives heightened scrutiny, a PIP, discipline, suspension, or termination afterward, the employee will argue that the employer went looking for a reason to act.

That concern is not theoretical. In Lawson v. PPG Architectural Finishes, Inc., the California Supreme Court shot down the employer’s poor performance defense. The employer cited poor performance and failure to improve under a performance improvement plan, but the California Supreme Court held that Labor Code section 1102.6 governs section 1102.5 whistleblower retaliation claims and does not require the employee to prove the employer’s stated reason was pretextual. Lawson v. PPG Architectural Finishes, Inc. Once the employee shows protected whistleblowing was a contributing factor, the employer must prove by clear and convincing evidence that the same action would have occurred for legitimate, independent reasons even absent the protected activity Lawson v. PPG Architectural Finishes,

The Same Defense Challenge Exists Outside California

Federal law does not generally impose California’s SB 497-style 90-day presumption. Still, timing remains important. The U.S. Supreme Court has recognized that temporal proximity may support causation when it is “very close,” while also holding that an employer need not suspend a previously planned action after learning of protected activity. Clark County School District v. Breeden.

Title VII retaliation claims require proof that retaliation was a but-for cause of the challenged action, not merely a motivating factor. University of Texas Southwestern Medical Center v. Nassar. Even so, close timing, shifting explanations, uneven enforcement, and documentation created only after protected activity can create the factual disputes that make retaliation claims expensive to defend.

Bottom Line for All Employers

California’s 90-day presumption makes covered retaliation claims easier for employees to frame, but it does not create the underlying problem. The real exposure arises when the employer’s performance narrative begins only after protected activity. Employers that want to preserve defensible discipline should build the record before conflict arises, apply standards consistently, and require careful HR and legal review before taking adverse action close in time to protected conduct.

Practical Steps Employers Should Take

Employers do not have to ignore performance issues because an employee complained or engaged in protected activity. They do, however, need to prove that the decision was legitimate, consistent, and independent.

Document issues when they happen: Do not wait until after a complaint to document missed deadlines, quality issues, attendance problems, policy violations, or conduct concerns.
Audit timing before adverse action: Before discipline, termination, demotion, schedule reduction, compensation changes, or a PIP, check whether the employee recently engaged in protected activity.
Separate the complaint process from discipline: Where possible, keep the complaint investigator separate from the performance decisionmaker.
Confirm decisionmaker knowledge: Identify who made the decision, what they knew, when they knew it, and what evidence supported the action.
Use objective criteria: Tie discipline to measurable standards, written policies, documented expectations, and specific incidents.
Compare similar cases: Review how the employer handled similar performance or conduct issues involving employees who did not engage in protected activity.
Avoid sudden escalation: If the same issue was tolerated before protected activity, explain and document what changed.
Review PIPs carefully: A PIP issued after a complaint should be realistic, job-related, supported by prior evidence, and free from retaliatory tone.
Train managers: Supervisors should understand that complaints, wage discussions, whistleblower reports, accommodation requests, safety reports, and participation in investigations may be protected.

If you have questions about or need assistance with these and other risk management or compliance concerns, contact the author.

For More Information

We hope this update is helpful. For more information about the or other health or other employee benefits, human resources, or health care developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.

Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

A Fellow in the American College of Employee Benefits Counsel and Board Certified in Labor and Employment Law by the Texas Board of Legal Certification, Cynthia Marcotte Stamer has more than 35 years experience, advising plan sponsors, fiduciaries, service providers and others about fiduciary responsibility and other employee benefit plan design, administration, risk management and compliance. i

Ms. Stamer is a Martindale-Hubble AV-Preeminent (highest/top 1%) practicing attorney recognized as a “Top Woman Lawyer,” “Top Rated Lawyer,” and “LEGAL LEADER™” in Health Care Law and Labor and Employment Law; among the “Best Lawyers In Dallas” in “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law for her experience, scholarship, thought leadership and advocacy for 35 plus years of experience advising and representing, employers, employee benefit plans and their fiduciaries and administrators, their administrative services, technology and other business associates and other vendors, managed care and insurance, health care and other clients about these and other workforce, employee benefits, internal controls and other operations and compliance concerns.

Ms. Stamer is nationally sought out for her decades of leading-edge experience in the design, sponsorship, administration, and defense of workforce, health, severance, savings retirement and other employee benefit, workforce, insurance, healthcare, data and technology, and other operations to promote legal and operational compliance, reduce regulatory and other liability, and advance other operational goals. This experience includes decades of work on ERISA, Internal Revenue Code and other related labor and employment, insurance, corporate and securities, data privacy and security, licensing and other laws. She also sought out for her extensive speaking and publications on these and related concerns.

Along with her decades of legal and strategic consulting experience, Ms. Stamer also contributes her leadership and experience to many professional, civic and community organizations including current or previous service as Employee Benefits Group Chair and a Substantive Groups Committee Member for the ABA Real Property Trusts and Estates (“RPTE”) Section and Chair of its Welfare Plan, Fiduciary Responsibility and Plan Terminations Committees; Chair of the ABA International Section International Employment Law Committee; Chair and Vice Chair of the ABA Tort Trial and Insurance (“TIPS”) Section Medicine and Law Committee, Vice Chair of its Employee Benefits and Worker’s Compensation Committees; and Chair of the ABA Intellectual Property Section Law Practice Management and Special Technologies Committees; ABA Joint Committee on Employee Benefits (“JCEB”) Council Representative and Scribe for its annual agency meetings with the Department of Health and Human Services; International Section Life Sciences Committee Chair; Health Law Section Managed Care & Insurance Interest Group Chair; Vice Chair, Tax Section Fringe Benefit Committee Chair, and in various other ABA leadership capacities. Ms. Stamer also is a former Southwest Benefits Association Board Member and Continuing Education Chair, SHRM National Consultant Board Chair and Region IV Chair, Dallas Bar Association Employee Benefits Committee Chair, former Texas Association of Business State, Regional and Dallas Chapter Chair, a founding board member and Past President of the Alliance for Healthcare Excellence, as well as in the leadership of many other professional, civic and community organizations. She also is valued and celebrated for her decades of policy advocacy and charitable, pro bono, community and other service and leadership to promote understanding and strengthening health care, workforce, saving, disability, aging and retirement and other key policies and challenges through her PROJECT COPE Coalition For Patient Empowerment initiative and many other pro bono service involvements locally, nationally and internationally.

Ms. Stamer is the author of many highly regarded works published by leading professional and business publishers, the ABA, the American Health Lawyers Association, and others. Ms. Stamer also often speaks and serves on the faculty and steering committee for many ABA and other professional and industry conferences and conducts leadership and industry training for a wide range of organizations.

For more information about Ms. Stamer or her health industry, health and other benefits, workforce and other experience and involvements, see the Cynthia Marcotte Stamer P.C. website or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press™

Solutions Law Press™ provides health care, insurance, human resources and employee benefit, data and technology, regulatory and operational performance, and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education. These include extensive resources on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press™ resources or training.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or admission. Solutions Law Press and its authors reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often evolves, subsequent developments that could change the currency and completeness of this discussion are likely. Solutions Law Press and its authors disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2026 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press.™ For information about licensing for republication, please contact the author directly. All other rights reserved.

Leave a Comment » | 5000, ADA, HR, Human Resources, Insurance, Retail, Retaliation, Whistleblower | Permalink
Posted by Cynthia Marcotte Stamer

$17M IBM Settlement Adds DOJ False Claims Act Liability To Risks For Using DEI Practices

April 20, 2026

The $17 million False Claims Act settlement with technology giant IBM by announced April 10, 2026, using affirmative action or other disfavored diversity, equity and inclusion (“DEI”) practices creates added risks for federal government contractors and grant recipients beyond those U.S. businesses as a whole already face under the Trump Administration “merit based” interpretation and enforcement of federal Civil Rights laws as prohibiting DEI or other discriminatory decision making.

In the face of the IBM and other agency investigations and enforcements under the new merit based civil rights policy, all US businesses, generally, and government contractor specifically should seek the advice of qualified legal counsel on their potential exposure and options for mitigation of their exposure under the Trump merit based Civil Rights law interpretation and enforcement policy.

Affirmative Action & Other DEI Practices Under Attack

Government and private DEI practices have faced increasing challenges under a series of Supreme Court rulings that interpret the 14th Amendment as prohibiting affirmative action and other government required or applied race based hiring and other preferences except where adopted and tailored to redress a proven specific past discrimination harm. See e.g., Students for Fair Admissions v. President and Fellows of Harvard College, 600 U.S. ___ (2023); Adarand Constructors, Inc. v. Peña, 515 U.S. 200 (1995); Ricci v. DeStefano, 557 U.S. 557, 579–80 (2009). While the Court rulings since as early as 2009 indicated racial or other DEI preferences were allowed only to redress a past history of discrimination, federal regulators and many courts applied these holdings in a manner that presumed or required little evidence of specific discrimination to uphold DEI practices. Consequently, federal regulations and enforcement encouraged if not required broad adoption of these practices for decades.

The Supreme Court cast the dye for change with its ruling in Students for Fair Admissions, that race-conscious admissions programs at Harvard University and the University of North Carolina violated the Equal Protection Clause and, as applied to recipients of federal funds, Title VI of the Civil Rights Act of 1964 (42 U.S.C. § 2000d). Rejecting the universities’ diversity rationales as insufficiently measurable and not narrowly tailored, the Supreme Court in Students for Fair Admissions ruled that racial classifications are presumptively invalid and must meet strict scrutiny with clear endpoints and individualized consideration to overcome that presumption of invalidity. Its holding and reasoning as applied to the facts leave little room for legal defense of DEI practices in education, government contracting, employment and other practices historically using DEI strategies absent a specific remedial justification tied to proven discrimination. See also Ricci v. DeStefano, 557 U.S. 557 (2009).

President Trump reacted to the Students for Fair Admissions and other Supreme Court rulings banning DEI policies in a series of Executive Orders upon beginning his second Presidency. See, Exec. Order No. 14148, Ending Radical and Wasteful Government DEI Programs and Preferencing, 90 Fed. Reg. ___ (Jan. 20, 2025); Exec. Order No. 14149, Restoring Merit-Based Opportunity and Ending Illegal Discrimination, 90 Fed. Reg. ___ (Jan. 20, 2025); Office of Mgmt. & Budget, Memorandum M-25-13, Initial Guidance Regarding President Trump’s Executive Order on Ending DEI Programs (Jan. 21, 2025); U.S. Office of Personnel Mgmt., Guidance on Implementation of Executive Orders Eliminating DEI Programs in Federal Workforce (Jan. 2025); U.S. Dep’t of Justice, Memorandum on Civil Rights Enforcement and Prohibition of Race-Based Preferences (Jan. 2025); U.S. Dep’t of Defense, Directive on Removal of Diversity, Equity, and Inclusion Training and Programs (Feb. 2025); U.S. Dep’t of Educ., Dear Colleague Letter, Application of Federal Civil Rights Laws to Race-Conscious Policies Post-SFFA (Feb. 2025).

Upon taking office, President Trump in his January 21, 2025 Executive Order 14173, Ending Illegal Discrimination and Restoring Merit-Based Opportunity (“EO 14173”) directed federal agencies to interpret and enforce the Civil Rights Act as requiring merit-based decisions without application of preferences for diversity, equity and inclusion,” (“DEI”), “affirmative action” or other favoritism to particular groups.

In Executive Order (“EO”) 14173, President Trump announced his interpretation of the equal protection and opportunity provision of the 14th Amendment of the U.S. Constitution, the Civil Rights Act of 1964 (“Civil Rights Act “), Section 1557 of the Patient Protection and Affordable Care Act of 1996 (“Section 1557”) and other federal civil rights laws as guaranteeing “merit-based” decision-making and prohibiting DEI, affirmative action and other non-merit-based race, sex, religious, national origin preferences. Consistent with this merit-based construction, President Trump ordered all federal agencies “to terminate all discriminatory and illegal preferences, mandates, policies, programs, activities, guidance, regulations, enforcement actions, consent orders, and requirements” and “to enforce our longstanding civil-rights laws and to combat illegal private-sector DEI preferences, mandates, policies, programs, and activities.”

On April 23, 2025, President Trump followed up on EO 14173 by ordering all federal agencies to stop treating disparate impact as a viable theory of liability in discrimination matters in Executive Order on Restoring Equality of Opportunity and Meritocracy.

In response to these directives, federal agencies abandoned decades of regulations and enforcement practices that encouraged if not required DEI practices to enforce a merit based decision making interpretation of federal civil rights laws that prohibits affirmative action and other DEI practices.

In response to President Trump’s Executive Orders, for instance, the Office of Federal Contract Compliance Programs (“OFCCP”) has abandoned regulations that for decades required federal contractors to demonstrate their affirmative action requirements effectiveness with a merit-only decision policy. See, Exec. Order No. 14173, Ending Illegal Discrimination and Restoring Merit-Based Opportunity, 90 Fed. Reg. 8633 (Jan. 21, 2025); U.S. Dep’t of Labor, Directive to OFCCP to Cease Enforcement of E.O. 11246 Affirmative Action Requirements (Jan. 24, 2025); Office of Federal Contract Compliance Programs, Director Catherine Eschbach, Letter to Federal Contractors Regarding Compliance with Executive Order 14173 and Wind-Down of Affirmative Action Programs (June 27, 2025); Office of Federal Contract Compliance Programs, Invitation to Voluntarily Report Compliance with Executive Order 14173 (2025).

Additionally, for employers generally, the Equal Employment Opportunity Commission (“EEOC”) revised its guidance to reflect that Title VII of the Civil Rights Act of 1964 (42 U.S.C. § 2000e-2) prohibits race-based employment decisions except in narrow circumstances, reinforcing a shift toward race-neutral strategies. See, e.g., Equal Employment Opportunity Commission, What You Should Know About DEI-Related Discrimination at Work (updated 2023–2024) (explaining that Title VII prohibits employment decisions motivated by race, even when framed as DEI initiatives). Meanwhile, the EEOC and the DOJ also sought to educate employees suffering job detriment from their employers’ DEI practices about their potential claims by jointly publishing a one-page technical assistance document, “What To Do If You Experience Discrimination Related to DEI at Work.”These actions are heightening Civil Rights discrimination risks for all employers for current or past DEI practices.

The DOJ’s weaponization of the FCA adds another significant DEI-derived risk for healthcare, education and government contractors. As reflected by a series of high profile agency actions initiated against educational and health care organizations using DEI practices announced in conjunction with or following President Trump’s DEI Executive Orders, federal health care and educational organizations participating in federal programs and federal government contractors face much greater risks from use of DEI practices beyond the general exposure of employers under the revised EEOC interpretation and enforcement policies. While initially these DEI enforcement policies targeted education and health care organizations participating in programs funded or managed by the Department of Education , the Department of Health and Human Services, or both, the IBM settlement makes clear these enforcement policies and risks now apply to federal government contractors and grant recipients as a whole.

Federal Government Contractor & Grant Recipient DEI False Claims Act Exposure

The first settlement announced by DOJ under the Civil Rights Enforcement Initiative announced in May, 2025, the IBM settlement with DOJ confirms DOJ is pursuing government contractors for using DEI practices under the False Claims Act (“FCA”).

On May 19, 2025, DOJ announced it would prosecute government contractors and other federal funds recipients under the Civil Rights Fraud Initiative for knowingly violating federal Civil Rights laws by using affirmative action, diversity, equity and inclusion, or other non-merit based (“DEI”) employment or other business preferences.

DOJ further clarified in subsequent guidance that DEI programs involving preferential treatment may violate statutes such as Title VI and Title VII, and that false certifications of compliance with those statutes may satisfy core FCA elements, including falsity and materiality. See, U.S. Dep’t of Justice, Guidance to Recipients of Federal Funding Regarding Unlawful Discrimination (July 2025).

DOJ takes the position that certain DEI programs expose federal contractors and grant recipients to liability under the FCA where those entities certify compliance with federal civil rights laws while maintaining practices the government views as involving unlawful race- or sex-based preferences.

In the Civil Rights Fraud Initiative announcement, DOJ stated that entities receiving federal funds that “knowingly violate[] federal civil rights laws” may be liable under the FCA because such violations can render certifications of compliance false and material to the government’s payment decisions. See U.S. Dep’t of Justice, Justice Department Establishes Civil Rights Fraud Initiative (May 19, 2025).

Government contractors targeted by DOJ for False Claims Act prosecution under its Civil Rights Enforcement Initiative face serious consequences as Civil Rights Act compliance is a condition of participation in federal programs. Since compliance with these requirements is a prerequisite to eligibility to bill or receive federal funds under federal programs, DOJ contends that billing the federal government or receiving funds under programs subject to these terms of participation for periods that the contractor are Grant recipient had DEI or other non-merit based practices constitutes making a false claim in violation of the False Claims Act.

Since announcing its FCA initiative, DOJ has encouraged whistleblower (qui tam) actions and signaled it was conducting active investigation and enforcement against federal funding recipients whose DEI policies allegedly conflict with federal nondiscrimination requirements of 31 U.S.C. §§ 3729–3733. See also U.S. Dep’t of Justice, Civil Division Memoranda on Civil Rights Enforcement and FCA Application (2025).

IBM Settlement Confirms DOJ FCA DEI Enforcement

The IBM settlement secured under DOJ’s Civil Rights Fraud Initiative confirms DOJ is pursuing government contractors for DEI practices.

On April 10, 2026 (publicly reported mid-April), DOJ announced that IBM agreed to pay approximately $17 million to resolve allegations that it violated the FCA by certifying compliance with federal anti-discrimination requirements in its government contracts while allegedly maintaining DEI practices that the government contended were discriminatory on the basis of race or sex. See U.S. Dep’t of Justice, IBM Pays $17 Million to Resolve Allegations of Discrimination Through Illegal DEI Practices (Apr. 10, 2026).

The DOJ IBM prosecution and resulting settlement reflect DOJ treats DEI programs as prohibited discrimination that can create FCA exposure where tied to contractual compliance obligations.

In its IBM prosecution, DOJ asserted that federal contractors must certify compliance with Title VII and related Federal Acquisition Regulation clauses as a condition of payment, and that knowingly maintaining noncompliant practices can render those certifications false and actionable under the FCA.

While IBM did not admit liability in the settlement, the DOJ sent a strong message to other government contractors to act to mediate their own exposure by repotting IBM received credit for cooperation, including early disclosures and remediation measures such as modifying or terminating the challenged programs.

As demonstrated by the announced IBM settlement, sanctions for False Claims Act violations are harsh. Along with potential criminal consequences for intentional or knowing violations, civil violations of the False Claims Act can result in treble damages and significant penalties, program exclusion or both.

Act Proactively To Mitigate Risks

The IBM settlement and other federal agency investigations and prosecutions sends a strong warning to Federal government contractors and federal grant recipients specifically and U.S. businesses generally to take proactive steps to mitigate their very real risk that their past and current DEI or other non-merit based employment and other policies.

With FCA enforcement now added to the employment discrimination enforcement risk government contractors face for challenged DEI practices, government contractors also must recognize their government contractor status puts them at a high risk of scrutiny due to the reporting and audit protocols used with government contracts and grants. When weighing the likelihood that their past or current practices will trigger scrutiny, government contractors are reminded that current and past certification and reporting facilitate the ability of DOJ and OFCCP to identify targets for enforcement under this new interpretation and enforcement of Civil Rights laws while sanctions secured through enforcement return significant revenue to federally constrained budgets.

Consequently, businesses generally and government contractors specifically should seek the assistance of qualified legal counsel to assess and mitigate their risk from past or current DEI initiatives in light of heightened litigation risk and federal agencies’s interpretation and enforcement of new Civil Rights merit based enforcement position. Organizations are encouraged to keep in mind that the sensitive nature of this investigation and analysis makes it critical that organizations conduct this analysis and their options for mitigation of liability within the scope of attorney. Client privileged to protect sensitive conversations and analysis from discovery.

If you have questions about or need assistance with these and other risk management or compliance concerns, contact the author.

For More Information

About the Author

Ms. Stamer is a Martindale-Hubble AV-Preeminent (highest/top 1%) practicing attorney recognized as a “Top Woman Lawyer,” “Top Rated Lawyer,” and “LEGAL LEADER™” in Health Care Law and Labor and Employment Law; among the “Best Lawyers In Dallas” in “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law recognized for her experience, scholarship, thought leadership and advocacy on health and other employee benefits, insurance, healthcare, workforce, HIPAA and other data and technology and other compliance in connection with her work with health care and life sciences, employee benefits, insurance, education, technology and other highly regulated and performance-dependent clients.

Ms. Stamer has more than 35 plus years of experience advising and representing, employers, employee benefit plans and their fiduciaries and administrators, their administrative services, technology and other business associates and other vendors, managed care and insurance, health care and other clients about these and other workforce, employee benefits, internal controls and other operations and compliance concerns.

Ms. Stamer is nationally sought out for her decades of leading-edge experience in the design, sponsorship, administration, and defense of health, severance, savings retirement and other employee benefit, workforce, insurance, healthcare, data and technology, and other operations to promote legal and operational compliance, reduce regulatory and other liability, and advance other operational goals. This experience includes decades of work on ERISA, Internal Revenue Code and other related labor and employment, insurance, corporate and securities, data privacy and security, licensing and other laws. She also sought out for her extensive speaking and publications on these and related concerns.

About Solutions Law Press™

Comments Off on $17M IBM Settlement Adds DOJ False Claims Act Liability To Risks For Using DEI Practices | Affirmative Action, board of directors, Civil Monetary Penalties, Civil Rights, compliance, Corporate Compliance, EEOC, Employers, Employment, Employment Discrimination, Employment Policies, Government Contractors, government employer, government plan, health Care, Health Care Fraud, health insurance marketplace, health plan, HR, Human Resources, LEP, LGBT, Medicare Advantage, OFCCP, OFCCP, Race Discrimination, Retaliation, Risk Management, school, Schools, Sex Discrimination, Supreme Court, Whistleblower | Tagged: Corporate Compliance, Department of Justice, Employer, Employers, Employment, employment discrimination, false claims act, government contractor, Government Contractors, Health Care Provider, Human Resources, Labor Department, National Origin Discrimination, OFCCP, Whistleblower | Permalink
Posted by Cynthia Marcotte Stamer

Managing Evidentiary Consequences Of AI Use

April 8, 2026

Human resources and other business leaders, using or allowing workforce members to CHAT-GPT or other artificial intelligence (“AI”) tools to research, make decisions or to support other activities should ensure that their organizations and their teams understand and manage the resulting evidentiary consequences and responsibilities these activities create.

In today’s AI age, Human Resources directors and other business leaders in increasingly are encouraged to turn to AI tools for a quick understanding of the law, drafting of documents, and a host of other human relations and business functions traditionally performed with the assistance of legal counsel. Although AI tools can be valuable under the right situations and properly used, the use of AI tools, along side of or as a substitute for legal advice obtained within the scope of attorney client privilege can carry a number of inherent risks and challenges. Human Resources and other leaders and their organization should carefully evaluate and manage these consequences before using AI.

AI Searches May Be And Create Evidence

AI prompts, outputs, and related metadata often qualify as discoverable electronically stored information (“ESI”) in litigation, regulatory audits, and enforcement proceedings.

Under the Federal Rules of Civil Procedure, discoverable information includes electronically stored information (ESI”) relevant to claims or defenses. See Fed. R. Civ. P. 26(b)(1); 34(a)(1)(A). Once litigation is reasonably anticipated, organizations must preserve relevant ESI under Federal Rules of Civil Procedure. See e.g.,Hoffer v. Tellone, 128 F.4th 433 (2d Cir. 2025).

AI searches and other interactions and the information and other outputs they produce generally qualify as ESI for purposes of the Federal Rules of Civil Procedure, Federal Rules of Evidence, (hereafter collectively the “Federal Rules”) and comparable federal and state litigation procedural rules.

Likewise, federal and state regulatory and enforcement agencies tend to consider AI and other ESI evidence covered by document retention and discovery rules.

Where applicable, these Federal Rules and agency rules generally include AI and other ESI evidence organizations must preserve, identify, and subject to discovery or other production like traditional evidence in litigation and agency audits and investigations.

ESI evidence generally includes any data stored in electronic form—such as emails, texts, spreadsheets, social media, and Internet of Things (“IoT”) data. As broadly construed by the courts, courts already long have admitted:

Internet search histories;
Internal chats and Slack messages;
Draft documents; and
Deleted files.

AI searches are simply the next evolution of this evidence category. AI records and information considered ESI can include;

AI prompt histories;
Generated outputs;
Embedded AI-assisted drafts;
Platform logs (if accessible); and
Other records.

Organizations that fail to fulfill requirements for AI or other ESI early identification, data authentication and other requirements of Federal Rule of Evidence 902, the requirements of Federal Rule of Civil Procedure 37(e) regarding lost evidence, or other applicable requirements to preserve and produce ESI may result in sanctions, adverse inferences, and penalties under the Federal Rules. Similarly, organizations may incur evidentiary sanctions, regulator penalties, and other adverse consequences for failing to identify, retain and produce ESI from AI or other sources in government audits and investigations. Common sanctions include:

Monetary sanctions;
Evidence preclusion;
Adverse inference jury instructions; and
Other authorized sanctions.

See, e.g., Jones v. Riot Hosp. Grp. LLC, 95 F.4th 730 (9th Cir. 2024) (affirming dismissal as sanction for intentional destruction of ESI); Maziar v. City of Atlanta, No. 1:21-cv-02172, 2024 WL 197561 (N.D. Ga. June 10, 2024) (denying summary judgment and awarding fees based on loss of text messages); McBride v. Moore, No. 2:23-cv-02904, 2024 WL 1136429 (C.D. Cal. Feb. 23, 2024) (denying sanctions where ESI not shown lost or duty not triggered). Gregory v. State of Montana, No. 22-____ (9th Cir. 2024) (reversing sanctions imposed outside Rule 37(e); emphasizing Rule 37(e) as exclusive remedy for ESI spoliation); DR Distribs., LLC v. 21 Century Smoking, Inc., 513 F. Supp. 3d 839 (N.D. Ill. 2021) (recognizing financial prejudice from spoliation and awarding fees); Bistrian v. Levi, 448 F. Supp. 3d 454 (E.D. Pa. 2020) (Rule 37(e) provides exclusive framework for ESI spoliation); Fast v. GoDaddy.com LLC, 340 F.R.D. 326 (D. Ariz. 2022) (failure to preserve mobile device data warranted sanctions).

These and other related cases alert organizations that AI and other modern data sources are squarely within ESI. Courts treat AI, texts, mobile data, and app-based communications as discoverable ESI.

The precedent reflects that the best opportunity to position your organization to show the reasonability of the actions taken is through the existence and enforcement of policies before and during the use of the AI tool.ESI preservation obligations depend on foreseeability, control, and access to data. When deciding the consequences of the unavailability or failure to produce ESI, the determination regarding failure to take “reasonable steps” is fact-intensive. Of course, the failure to retain the documentation will be particularly likely to be found unreasonable where the party was under a statutory, regulatory, ethical, contractual, or other pre-existing obligation to preserve the evidence.

Also, courts require proof of intent to deprive before imposing the most severe adverse inference or dismissal sanctions, a lack of proof of intent to deprive the request requesting party of evidence does not mean there will not be consequences for the non-producing party. Negligent failure to retain and produce ESI and other evidence still carries consequences. Even without bad faith, courts may impose curative measures, fees, or evidentiary limitations.

Similarly, the U.S. Department of Justice Securities and Exchange Commission Department of Health and Human Services Office for Civil Rights Equal Employment Opportunity Commission and other federal and state government agencies are increasingly sophisticated in digital evidence collection.

Among other things, organizations should be prepared to routine and produce documentation and data obtained, utilized, or otherwise interacting with AI tools and it’s associated meta-data and other components to respond to litigation and regulatory request for a broad range of data and information. Optimally the data captured and retained should include, but it’s not necessarily limited to:

AI usage policies;
Employee and other agent AI interaction records;
Evidence of AI and other relevant governance and training; and
Data protection controls.

Consequently, failure to govern, identify, preserve and produce AI-generated and AI-assisted records appropriately can expose organizations to spoliation sanctions, adverse inference instructions, regulatory penalties, loss of privilege protections, and expanded liability exposure.

In recognition of the possibility that AI tool interactions may give rise to obligations to retain and produce ESI evidence created as a consequence of that interaction, or organization should work with legal counsel to develop an administer appropriate practices to monitor, identify, retain, manage, and where necessary produce this ESI evidence.

AI Tools Create Evidence

Beyond considering and meeting documentation and other evidently protection, preservation, and production responsibilities, organizations and their human resources and other leaders need to recognize that the use of the tool itself and its outputs creates evidence that may give rise to legal opportunities, risks, and obligations for the organization.

Organizations should keep in mind that the use of AI tools creates legal evidently risks because AI tools typically generate synthesized responses (not just links) that often incorporate user inputs into outputs that may reflect user intent, knowledge, biases and opinions, and decision-making. This often makes AI interactions particularly valuable evidence for:

Intent (e.g., “how to terminate employee without legal risk”) Knowledge (awareness of compliance obligations) State of mind (deliberate vs. negligent conduct);
Knowledge (awareness of compliance obligations);
State of mind (intentional, willful, or deliberate vs. negligent conduct)

The potential risks of this and other evidence is heightened by the fact that the evidence created may arise not only from the actions taken by the user of the AI tool, but also may be inherently built into the design of the AI tool itself or the databases or other reference materials that it accesses, not all of which may be transparent to the user or the organization that employs the user. These risks are further heightened when the AI tool use is not conducted internally within the organization by its employee, but rather is a tool utilized by a consultant or other third-party provider conducting activities of a sensitive nature on behalf of the organization, such as a recruiting company, investigation, company, or other service provider.

These unique characteristics of AI make it advisable that organizations recognize and manage potentially heightened exposures that employee or other agent use AI tools can produce for the organization in a wide range of sensitive areas.

Examples of queries that can become “smoking gun” evidence include but are not limited to:

In employment or other workforce administration searches, AI queries such as “How to terminate employee with medical condition,” ‘How to avoid claims when, terminating older, disabled, complaining, injured or other employee with protected status, or the like can be evidence of discriminatory or other adverse intent;” or “How to beat a union organizing campaign;”
Compliance & Regulatory searches such as “How to structure payments to avoid reporting requirements,” “HIPAA penalties for disclosure; searches about compliance or looking for compliance loophole; searches where company researched sanctions for noncompliance in areas involved in litigation or enforcement; or searches on risk management that could be evidence the organization saw but chose not to follow rules or standards or otherwise looked for or acted to circumvent compliance or disregarded interpretations less favorable to chosen challenged course of action;
Litigation or Other Defense Strategy searches or tools such as “How to defeat a whistleblower claim,” “Ways to minimize damages in lawsuit” “Protecting your assets from IRS or in bankruptcy,” “How to conceal” or How to hide” orthe like can harm the organization’s interest by showing adverse intent, willfulness, or other motive or state of mind;
Litigation case law, enforcement, argument drafting, or other actions that could reveal or provide insight on sensitive litigation strategies or their strengths or weaknesses;
Financial & Tax searches such as “Aggressive tax strategies unlikely to be audited,” or “contract terms to reclassify employee to contractor,” “Structure transaction to avoid disclosure” or the like; and
Other searches or tool uses that could reflect improper, intent, or document improper activities, such as how to hide evidence, how to create a bomb, how to poison somebody or that creates a record of conduct such as edits to revise data or documentation in reports or records, where the changes are tracked and retained.

Given these other risks, organizations should carefully consider and manage these and other risks when deciding whether, when, how and what AI tools their organizations allow their people to use, who gets to use what tools, designate and train those authorized to use these tools appropriately, and design and implement appropriate tools to track, capture, retain and manage these records of AI use and their implications. Optimally, the planning should identify and work to manage the creation and preservation of evidence and related AI ESI required or otherwise helpful to meet, applicable, regulatory, contractual, statutory, or other requirements in a manner that minimizes the creation of evidence that could call into question the compliance or other appropriateness of the organizations actors.

Privilege and Confidentiality Risks

Asking AI tools to answer legal questions or provide guidance in legal advice obtained within the scope of attorney. Client privilege also can enhance the exposure for the organization and it’s actors because of the implications of that Youts on the availability of attorney-client privilege for the activities and information obtained. Using AI tools and output also can have implications on the ability of an organization to protect legal advice and work product developed and shared within the scope of attorney privileges from discovery in judicial or regulatory actions. Organizations need to recognize risk to the confidentiality of legal advice or work product that entering sensitive legal questions or information into public AI tools not specifically designed and used outside the scope of the attorney-client relationship to avoid creating problematic evidence, disclosing discussions or work product that otherwise might qualify for protect against discovery in litigation or agency proceedings under the attorney-client privilege or attorney work product rules, or both.

Searches conducted by organization employees, consultants, or other agents or representatives about the law, strategies, or legal risks and consequences without or outside the scope of an attorney-client relationship generally can be discovered and used as evidence. Consequently, organizations should regulate the use by officers, directors, compliance officers, human resources directors, consultants, non-legal investigators and auditors and others of AI tools, internet or other searches to investigate the law or legal strategies independent of or outside the scope of attorney-client privilege.

Particularly risky scenarios include:

In-house counsel, Human Resources, risk management or compliance staff using public AI tools;
Employees seeking legal guidance outside approved channels;
Consultants, contractors, and other vendors use of AI in performing tasks or tools;
Embedded AI in software or other tools; or
Uploading contracts, PHI, or proprietary data into AI systems.

Additionally, organizations and others communicating or working with legal counsel on behalf of the organization within the scope of attorney-client privilege to design strategies or investigate or defend actions generally should not use AI tools to conduct their own legal research or analysis without authorization and direction of the legal counsel to avoid forfeiting attorney-client privilege and work product protections.

If the required confidentiality is preserved, the attorney-client privilege and work product privileges rules can protect confidential communications between a client and its attorney and work product prepared for risk management, defense or other purposes of the legal engagement against disclosure in litigation or other proceedings in many circumstances. However these protections are lost if the communication or work product is disclosed to or discussed with third parties outside the attorney-client relationship. Entering factual information, conducting legal searches, or using AI tools outside the attorney-client relationship, not specifically designed to preserve confidentiality, or both to draft or evaluate legal documents, research, drafts, or strategies generally is considered a third party disclosure that can waiver or undermine the privilege for the specific information input to the AI tool as well as potentially related communications or work product.

For these and other reasons, organizations and individuals generally should resist the temptation to use AI tools to evaluate legal strategies, advice or work product.

Trade Secret, HIPAA and Other Data Privacy and Use Exposures

Human Resources and other leaders also must keep in mind their organization’s responsibilities to respect other organizations, intellectual property, to safeguard the confidentiality and security of data, and their organization’s need to protect its own intellectual property.

AI tool enthusiasts promote AI tools as substitutes for legal advice and other paid services. While asking AI to write a “free” policy or contract may seem a great way to save legal or other consulting, licensing or other costs, human resources and other leaders and their organizations must keep in mind that not all data, information and resources obtained through a ChatGPT or other AI search is shareware. Most nongovernmental data bases, contractual firms, tools, templates and other materials accessed through AI searches are or incorporate materials owned or subject to copyrights or other intellectual property protections of third parties. Unlicensed use of these resources can expose their organizations to copyright and other intellectual property infringement liability.

Furthermore, human resources and other executives choosing to use materials drafted using AI tools or otherwise acquired off of the Internet or other sources without legal advice to recognize that acquired materials and resources may not be currently compliant, appropriately tailored to their use, or contain other deficiencies for utilization in their organizations. These deficiencies can arise from a number of sources. For one thing, the queries input by the user may not be sufficiently tailored to adequately represent all of the material considerations necessary to tailor he organizations, questions, and the AI response to the needs of the organization. Also, because AI databases often times include a broad range of historical data, AI responses may rely upon outdated, legal or operational presumptions incorporated into these historical policies when they no longer are appropriate for use in your organization. Additionally, the response of AI may draw from a wide range of sources, including many of which may be sample policies not drafted by qualified individuals with adequate expertise to fully understand the legal and operational implications of the policy and properly draft a policy appropriate for use in the organization, acquiring the form or materials off of the Internet.

Beyond suitability of the information where tool obtained through the AI search itself, unlicensed use of the response, may expose your organization to liability for violating other organizations or authors, intellectual property rights. AI searches can and often do access and incorporate data and other resources protected by third party copyright,trade secrets, HIPAA or other confidentiality, or other safeguards. Accordingly, accessing or using data bases, sample language or forms, or other materials without proper licensing or attribution may trigger liability to individuals and organizations for breaches of these intellectual property rights.

A separate concern arising from the use of AI tools in HR and other business operations to evaluate, formate or otherwise process sensitive data also creates potentially serious risks when theof these tools involves allowing the AI tool to access or uploading the confidential or other sensitive information into the tool. Human resources and other leaders must exercise care not to share inappropriately and to help their organizations use policies and processes to prevent their people’s use of AI tools to avoid violating statutory, regulatory or contractual confidentiality requirements, compromising confidential information, their own or business partner’s trade secrets, proprietary information and other intellectual property, or both.

Furthermore, uploading or sharing trade secrets, Health Insurance Portability and Accountability (“HIPAA”) protected health information, confidential employee, tax or other regulated information, trade secrets or other confidential or sensitive data into AI tools or searches without proper controls may itself breach of HIPAA, trade secret, federal or state privacy laws (e.g., biometric, consumer data laws) or other statutory, regulatory, ethical or contractual data privacy or confidentiality obligations. Additionally, allowing AI tools to access and interact with electronic data or systems frequently triggers data and systems security obligations under HIPAA, the Fair and Accurate Credit Transactions Act, Equal Employment Opportunity and other Human Resources and benefits data, electronic crimes, federal and state government contract, and a broad range of international, federal and state cybersecurity laws and regulations, and other government and private contractual and program participation, statutes, and regulations.

Given these concerns, organizations should avoid using AI tools that require uploading customer, financial, sales, or other data or information that the organization considers its own trade secrets or proprietary information into AI data bases or tools that do not adequately safeguard the ownership and confidentiality of that information.

AI Tool Hallucinations and Other Output Deficiency Risks

AI tools and the output they produce are not always reliable. Among other things, certain AI tools are known to:

Lack the ability to distinguish between more and less credible information sources;
Create plausible-sounding but entirely fabricated facts, news articles, legal authorities, or academic citations;
Create biased, false, incomplete, or inaccurate responses when models lack complete training data, are subjected to biased data, have limited context, ir under other circumstances;
Create false positives such as I dentifying a threat (e.g., in fraud detection) that is not actually present.
Fail to detect a real threat (e.g., in medical imagery) or report other false positives;
Fabricate non-existent, fake information or other incorrect or inaccurate information; and
Engage in hallucinations or other errors

The quality of the response, at best, often varies based on the quality and precision of the question asked. Lack of experience and careful structuring of the questions and inquiries made, lack of specialized knowledge necessary to structure the inquiry to be tailored to the specific needs at hand, and other limitations and concerns about the searches can undermine the accuracy, completeness and relevance of the AI tools output. Accordingly, response obtained by AI tools, often are unreliable and must be validated by a person experienced and skilled. The validation process should be conducted in such a matter that it preserves evidence that changes and responses are made based on thoughtful and reasonable determinations that the evidence obtained was not applicable or reliable, to minimize susceptibility to claims that decisions and actions were cherry picking based on improper intent rather than appropriate quality assurance processes. Organizations allowing the use of the tools and the individuals utilizing them need to understand and appropriately manage the very operational, legal in other risks of these deficiencies and error errors when utilizing AI tools.

Adopt And Enforce AI Policies To Manage AI Tool Use Responsibilities and Risks

Considering these and other responsibilities, human resources and other leaders and their organizations should use care to decide when, how, why, and by whom it allows AI tools to be used in or on behalf of its organization and provide appropriate steps to manage those uses in the resulting ESI to fill its legal obligations and manage its legal and operational risks. Because this process of itself could be evidence impacting, the organizations, legal exposures, organizations generally should work with qualified legal counsel within the scope of attorney-client privilege to work define and enforce policies and practices, to promote the organization’s legal and operational interests and manage the resulting legal obligations.

The author of this update, Cynthia Marcotte Stamer has decades of experience advising and representing governmental and private entities, AI and other technology, workforce and other legal and operational compliance, risk management and other operational and enforcement matters. If you have questions or need advice or help evaluating or addressing these or other compliance, risk management, or other concerns, contact her.

For More Information

We hope this update is helpful. For more information about these or other legal, contractual or operational compliance or risk management, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452-8297.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for her more than 35 years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications including leading edge work on workforce and other risk management and compliance.

Ms. Stamer’s work throughout her career has focused heavily on working with businesses domestically and internationally on employment, benefits, technology, data confidentiality, privacy, and security, and other Federal Sentencing Guidelines and other workforce management, regulatory and public policy and other legal and operational concerns.

Author of many highly regarded compliance, training and other resources on these and other operations, risk management, compliance and government affairs concerns, Ms. Stamer is widely recognized for her thought leadership and advocacy on these matters.

In addition, Ms. Stamer currently or previously served as the American Bar Association (“ABA”) Joint Committee on Employee Benefits OCR annual agency scribe and a Council Representative, International Section International Employment Law Committee Chair and International Life Sciences and Health Committee Chair, ABA TIPS Medicine and Law Committee Chair, ABA Health Law Section Managed Care & Insurance Interest Group Chair, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a host of other professional and civic leadership roles. She is a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press™

Solutions Law Press™ provides health care, human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on health care, leadership, governance, human resources, employee benefits, data security and privacy, insurance, and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press™ resources.

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstance at the particular time. No comment or statement in this publication is to be construed as legal advice or admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. The author and Solutions Law Press, Inc. disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2026 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.

Comments Off on Managing Evidentiary Consequences Of AI Use | Accommodation, ADA, adea, Age Discrimination, Antitrust, Attorney-Client Privilege, board of directors, Brokers, Civil Monetary Penalties, Civil Rights, Claims, Claims Administration, compliance, conflict of interest, Corporate Compliance, corporate governance, Cybercrime, Cybersecurity, Data Breach, Data breach, Data Security, defined benefit plan, defined contribution plan, Department of Defense, DFAR, directors, Disability, Disability Discrimination, Disability Plans, Discovery, Discrimination, Diversity, Drug Testing, EBSA, Education, EEOC, Electronic Medical Record, Employee Benefits, Employee Handbook, Employer, Employers, Employment, Employment Agreement, Employment Discrimination, Employment Policies, ERISA, Evidence, Executive Compensation, Fair Credit Reporting Act, Fair Labor Standards Act, Federal Sentencing Guidelines, FICA, Fiduciary Responsibility, FLSA, FMLA, GINA, Government Contractors, government employer, government plan, group health plan, health benefit, health Care, health insurance, HIPAA, HIPAA, Hiring, Human Resources, I-9, Identity Theft, Internal Controls, Internal Investigations, Labor Management Relations, Leave, Licensing, Management, OFCCP, OFCCP, OSHA, Protected Health Information, Provider, provider contracting, Public Accommodation, Public Policy, Rehabilitation Act, Reporting & Disclosure, Retaliation, Risk Management, Safety, tpa, Union, Union certification, Worker Classification | Permalink
Posted by Cynthia Marcotte Stamer

Labor Department “OSHA Cares” Initiative Warns Employers To Tighten Compliance

March 24, 2026

Employers should confirm their safety, injury reporting and other policies meet current Occupational Health and Safety Administration (the “Agency ”) recently amplified its “OSHA Cares” initiative.

While not a new regulation, the OSHA Cares initiative reinforces employer duties under the Occupational Safety and Health Act, 29 U.S.C. § 651 et seq. (“OSHA”).

OSHA Cares Initiative

Agency communications emphasize the agency’s role in helping employers ensure workers go home safely each day. See OSHA QuickTakes (Feb. 2026). The initiative’s promotion of compliance with required OSHA workplace postings and compliance assistance resources reflects the agency’s continued commitment to OSHA enforcement in keeping with campaign promises made by President Trump to protect worker safety. .

“OSHA Cares” reflects OSHA’s emphasis on prevention and proactive compliance. The initiative does not create new legal obligations but reinforces compliance expectations under the General Duty Clause, 29 U.S.C. § 654(a)(1), requiring employers to provide a workplace free from recognized hazards. Although framed as supportive, the initiative signals continued enforcement focus. OSHA may rely on the General Duty Clause and existing standards to cite employers that fail to address recognized hazards.

Noncompliance with either the General Duty Clause requirement to make the workplace safe or more specific workplace safety standards can trigger substantial employer liability. While penalty ranges are adjusted annually for inflation, projected ranges for 2026 include:

Serious / Other: up to ~$16,000 per violation
Willful / Repeat: up to ~$160,000 per violation
Failure to abate: daily penalties

Key Compliance Areas

Employers should assess and strengthen compliance in the key compliance areas of the initiative:

Workplace Poster Requirement: Employers must display the OSHA Job Safety and Health poster. See 29 C.F.R. § 1903.2.
Worker Participation: OSHA emphasizes employee involvement in safety programs. See OSHA Recommended Practices (2016).
Compliance Assistance Programs: OSHA promotes use of cooperative programs such as the On-Site Consultation Program and VPP.
Hazard Prevention: OSHA continues to focus on well-known preventable hazards such as falls and trenching.

Recommended Employer Actions

In response to the initiative, all employers immediately should:

Verify poster compliance and review safety policies.
Conduct documented hazard assessments and update training documentation.
Implement a Safety and Health Management System and consider OSHA consultation programs.
Document efforts to meet specific applicable standards as well as demonstrate efforts to comply with the general duty clause.
Document good-faith efforts to mitigate enforcement risk that demonstrate the employer’s efforts to identify and
correct hazards by specified deadlines and
provide certification of abatement as necessary.
Establish and consistently administer documented safety compliance.
Establish strict documented safety compliance reporting, investigation and response policies and practices.
Require immediate worker and management reporting of safety threats and injuries.
Establish and administer meticulous, documented process for investigation of accidents and injuries that provides both for timely redress of risks and injuries and reporting to the agency and worker’s compensation with appropriate legal support and pre planned use of attorney-client privilege and other evidentiary and risk mitigation tools.
Prohibit and take appropriate steps to prevent retaliation.
Create and maintain carefully crafted documentation.

If you have questions about this or other workforce or other compliance or risk management concerns, contact the author.

For More Information

About the Author

Ms. Stamer is a Martindale-Hubble AV-Preeminent (highest/top 1%) practicing attorney recognized as a “Top Woman Lawyer,” “Top Rated Lawyer,” and “LEGAL LEADER™” in Health Care Law and Labor and Employment Law; among the “Best Lawyers In Dallas” in “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law recognized for her experience, scholarship, thought leadership and advocacy on health and other employee benefits, insurance, healthcare, workforce, HIPAA and other data and technology and other compliance in connection with her work with health care and life sciences, employee benefits, insurance, education, technology and other highly regulated and performance-dependent clients.

About Solutions Law Press™

Comments Off on Labor Department “OSHA Cares” Initiative Warns Employers To Tighten Compliance | Child Safety, Civil Monetary Penalties, Corporate Compliance, Drug Testing, employee, Employer, Employers, Employment Policies, MSHA, OSHA, Retaliation | Tagged: Employers, occupational safety, OSHA | Permalink
Posted by Cynthia Marcotte Stamer

Trump’s HHS Rights Of Conscience Enforcement Protects Employer Health Plans, Insurers & Providers Against State Pro-Abortion, Other Conscience Rights Infringements

March 19, 2026

The U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) is taking action to protect healthcare providers, health, insurers, employer, and other health plans and their sponsors and others from being penalized for refusing to cover or pay for abortion by states or other entities covered by the rights of conscience rules of the Weldon Amendment.

Plan sponsors, fiduciaries, administrators and insurers that have offered abortion or other reproductive rights coverage under pressure from Biden, administration or state agencies, threatening adverse consequences for not covering those procedures should reevaluate their options in light of the new guidance and adjust their design or administration accordingly.

On March 19, 2026, OCR announced its investigation of 13 states for allegedly violating the Weldon Amendment federal health care conscience law by coercing health care entities, health insurers, and employers and their health plans to provide coverage of, or pay for, abortion contrary to conscience.

The Weldon Amendment, among other things, prohibits federal, state, or local government discrimination against health care entities that choose not to pay for, or provide coverage of, abortion.

After it repudiated a 2021 Biden Administration era letter that excluded employers and plan sponsors from the scope of health care entities protected by the Weldon Amendment, OCR notified states and other regulated entities no longer rely on the now-repudiated legal position.

OCR Director Paula M. Stannard says, “Under the Weldon Amendment, health care entities, such as health insurance issuers and health plans, are protected from state discrimination for not paying for, or providing coverage of, abortion contrary to conscience. Period.”

OCR’s announcement builds upon the Trump Administration policy and HHS’ resulting recent efforts to enforce federally protected right of conscience protections and protect human life.

Over the past year, OCR initiated a host of policy revisions and investigations in furtherance of President Trump’s priorities of protecting rights of conscience and human life. See Fact Sheet: HHS Takes Comprehensive Action to Enforce Conscience Rights and Protect Human Life, and OCR’s conscience and religious freedom webpage.

Among other things, OCR has taken action to protect health care workers, support whistleblowers, and reinforce adherence to religious and conscience exemptions in the Vaccines for Children Program as part of these policies.

Earlier this year, OCR also issued a Notice of Violation that found an Illinois state law violated the Weldon and the Coats-Snowe Amendments, which are part of the two dozen federal health care conscience protection statutes that HHS enforces. The Illinois Notice of Violation charged the Illinois law unlawfully ties health care provider conscience protections to referral requirements in the case of abortion.

Along with the charges against Illinois, OCR also:

Issued three public notices describing OCR deregulatory actions to align with President Trump’s E.O. 14182, Enforcing the Hyde Amendment; and
Issued nationwide Dear Colleague Letter explaining OCR’s right of conscious policy under the Trump Administration.

That guidance rescinded and repudiated certain Biden Administration era policies that the Trump Administration viewed outdated or inconsistent with the law as construed and enforced by the Trump Administration.

To educate the public, OCR also released a nationwide Dear Colleague Letter summarizing federal health care conscience protection statutes, including those laws specific to abortion, sterilization, and assisted suicide.

In light of the new OCR emphasis on protecting rights of conscience against governmental, encroachment, as well actions of private healthcare or other organizations regulated or funded by OCR, as well as healthcare providers, health plans and insurers, their employer or other sponsors, and fiduciaries should evaluate their policies and practices.

Health plans, their employer and other sponsors, fiduciaries, and administrators that felt compelled to offer abortion or other reproductive services, Taylor vaccine policies, or engage in other conduct and violation of their rights of conscious should consult experienced legal counsel about the protections potentially available under the new policies of the Trump Administration and the required or recommended steps to take to revise their plans to defensively exercises rights.

Meanwhile, states, local governments, government contractors, and healthcare and other organization, subject to HHS write a conscious rules should reevaluate their policies regarding abortion, vaccination, and other reproductive rights in light of the new guidance to avoid violating the adjusted policies.

If you have questions about this or other health care concerns, contact the author.

For More Information

About the Author

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

Comments Off on Trump’s HHS Rights Of Conscience Enforcement Protects Employer Health Plans, Insurers & Providers Against State Pro-Abortion, Other Conscience Rights Infringements | Corporate Compliance | Permalink
Posted by Cynthia Marcotte Stamer

Aetna $117+ Million False Claims Act Settlement Warning To ERISA Plan Sponsors & Fiduciaries

March 17, 2026

National insurer Aetna Inc., has agreed to pay $117,700,000 to resolve Federal allegations that it violated the False Claims Act by submitting or failing to withdraw inaccurate and untruthful diagnosis codes for its Medicare Advantage Plan enrollees in order to increase its payments from Medicare.

The settlement adds to the growing list of Justice Department enforcement actions and settlements involving leading Medicare Advantage insurers accused of defrauding or engaging in other prohibited conduct dealing with the Medicare program.

These and other payer-focused investigations, prosecutions and settlements alert employer and union sponsored health plans, their sponsors and fiduciaries of the advisability of using prudent processes to verify the compliance of their health insurance vendors or the accuracy of their charges or other data to comply with the Employee Retirement Income Security Act (“ERISA”) and protect themselves and their plans from other avoidable costs and liabilities.

MA Plan Violations

The Medicare Advantage (“MA”) Program, established under Medicare Part C allows Medicare beneficiaries to opt out of traditional Medicare and enroll in private health plans offered by insurance companies known as Medicare Advantage Organizations, or “MAOs.” The Centers for Medicare & Medicaid Services (“CMS”) pays MAOs a fixed monthly amount adjusted for various risk factors that affect expected health expenditures for the beneficiary. In general, CMS pays MAOs more for sicker beneficiaries expected to incur higher healthcare costs. To qualify for these “risk adjustments,” CMS requires MAOs to submit medical diagnosis codes to show their plans cover sicker patients.

The United States alleges that Aetna submitted inaccurate and untruthful patient diagnosis data to CMS in order to inflate the risk adjustment payments it received from CMS, failed to withdraw the inaccurate and untruthful diagnosis data, failed to repay CMS, and falsely certified in writing to CMS that the data was accurate and truthful. The settlement announced on March 12, 2026, resolves these allegations.

“The government pays private insurers over $530 billion each year to care for Americans enrolled in Medicare Advantage,” said Assistant Attorney General Brett A. Shumate of the Justice Department’s Civil Division. “We will continue to hold accountable insurers that knowingly submit inaccurate or unsupported diagnoses to improperly inflate reimbursement.”

The United States contends that, for payment year 2015, Aetna operated a “chart review” program in which it paid diagnosis coders to review medical records (also known as “charts”) and identify all medical conditions that the charts supported. Aetna relied on the results of those chart reviews to submit additional diagnosis codes to CMS to obtain additional payments. However, CMS and the Justice Department claim Aetna’s chart reviews did not substantiate some diagnosis codes previously reported by Aetna to CMS. Aetna did not delete or withdraw those diagnosis codes, which would have required Aetna to reimburse CMS. The Justice Department alleges that Aetna used the results of its chart reviews to identify instances where Aetna could seek additional payments from CMS while ignoring those same results when they indicated Aetna was overpaid.

The settlement also resolves further allegations that, for payment years 2018 to 2023, Aetna knowingly submitted or failed to delete or withdraw inaccurate and untruthful diagnosis codes for morbid obesity to increase the payments it received from CMS for beneficiaries enrolled in its MA plans. The medical records for individuals diagnosed as morbidly obese typically include one or more Body Mass Index (BMI) recordings. Aetna submitted or failed to delete inaccurate and untruthful diagnosis codes for morbid obesity for individuals whose recorded BMI was inconsistent with a diagnosis of morbid obesity, and these codes increased the payments made by CMS.

The civil settlement related to morbid obesity resolves a lawsuit filed under the whistleblower provisions of the False Claims Act, which permit private parties to sue on behalf of the government when they believe that a defendant has submitted false claims for government funds and receive a share of any recovery. The qui tam case is captioned United States ex rel. Mary Melette Thomas v. Aetna Inc., et. al., number 24-cv-339 in U.S. District Court for the Eastern District of Pennsylvania. The settlement in this case provides for the whistleblower, a former Aetna risk-adjustment coding auditor, to receive a $2,012,500 share of the settlement amount.

The investigation and resolution of this matter illustrate the government’s emphasis on using the False Claims Act and other federal health care fraud laws to combat healthcare fraud. While traditionally these efforts have emphasized the investigation and prosecution of civil or criminal claims against health care providers, often at the urging or based on data provided by large health insurance payer entities contracted with Medicare, over the past year the Justice Department and Department of Health and Human Services Office of Inspector General (“OIG”) and state regulators have announced a growing series of False Claims Act and other health care fraud charges and settlements against Medicare Advantage, health insurance exchange and other major health insurers participating in Medicare programs.

For example, in January, 2026, the Justice Department announced Kaiser Foundation Health Plan Inc.; Kaiser Foundation Health Plan of Colorado; The Permanente Medical Group Inc.; Southern California Permanente Medical Group; and Colorado Permanente Medical Group P.C. (collectively “Kaiser”) agreed to pay $556 million to resolve allegations that they violated the False Claims Act by submitting invalid diagnosis codes for their Medicare Advantage Plan enrollees in order to receive higher payments from the government.

The Kaiser settlement resolved allegations that, from 2009 to 2018, Kaiser engaged in a scheme to increase its Medicare reimbursements by pressuring physicians to add diagnoses after patient visits through “addenda” to patients’ medical records. The United States alleged that Kaiser developed various mechanisms to mine a patient’s past medical history to identify potential diagnoses that had not been submitted to CMS for risk adjustment. Kaiser then sent “queries” to its providers urging them to add these diagnoses to medical records via addenda, often months and sometimes over a year after visits. In many instances, the United States alleged, the diagnoses added by the providers had nothing to do with the patient visit in question, in violation of CMS requirements.

The United States further alleged that Kaiser set aggressive physician- and facility-specific goals for adding risk adjustment diagnoses. It alleged that Kaiser singled out underperforming physicians and facilities and emphasized that the failure to add diagnoses cost money for Kaiser, the facilities, and the physicians themselves. It also alleged that Kaiser linked physician and facility financial bonuses and incentives to meeting risk adjustment diagnosis goals.

The United States alleged that Kaiser knew that its addenda practices were widespread and unlawful. Kaiser ignored numerous red flags and internal warnings that it was violating CMS rules, including concerns raised by its own physicians that these were false claims and audits by its own compliance office identifying the issue of inappropriate addenda.

The Kaiser civil settlement includes the resolution of certain claims brought in lawsuits under the qui tam or whistleblower provisions of the False Claims Act by Ronda Osinek and James M. Taylor, M.D., former employees of Kaiser. Under those provisions, private parties are permitted to sue on behalf of the United States and receive a portion of any recovery. The qui tam cases are captioned United States ex rel. Osinek v. Kaiser Permanente, et al., No. 3:13-cv-03891 (N.D. Cal.) and United States ex rel. Taylor v. Kaiser Permanente, et al., No. 3:21-cv-03894 (N.D. Cal.). The relator share of the recovery totaled $95 million.

While the number of settlements and prosecutions against health insurance entities remain relatively small, Medicare Advantage and other health insurance organizations or their affiliates contracted with Medicare’s also have faced a myriad of other False Claims Act or other charges of misconduct. See e.g., Troy Health, Inc. Enters Non-Prosecution Agreement and Admits to Fraudulently Enrolling Medicare Beneficiaries and Identity Theft; Executive Vice President Of Insurance Brokerage Pleads Guilty In $133M Affordable Care Act Fraud Scheme; Health Plus Was Excluded for 10 Years for Failing to Supply Payment Information Required in an OIG Subpoena.

Health Plan Sponsor & Fiduciary Implications

Coupled with the OIG’s recent addition of health care payer-focused projects to its latest compliance plan, however, these prosecutions and settlements should warn health care payers to tighten their controls and other compliance while signaling the advisability of tighter scrutiny of payer vendors by employer and other private health program sponsors and fiduciaries.

Employer and other plan sponsors face obvious financial risks from inappropriate vendor charges and actions. Because ERISA’s duty of prudence obligates plan fiduciaries to act prudently to protect plan assets and provide for proper administration of the plan, health plan fiduciaries also risk personal liability for failing prudent due diligence, contractual, audit, oversight, enforcement and requires plan fiduciaries to prevent plan losses and administrative errors arising from these and other vendor misconduct and performance deficiencies.

If you have questions about this or other health care concerns, contact the author.

For More Information

About the Author

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources.

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstance at the particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often rapidly evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. The author and Solutions Law Press, Inc. disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Comments Off on Aetna $117+ Million False Claims Act Settlement Warning To ERISA Plan Sponsors & Fiduciaries | Corporate Compliance | Permalink
Posted by Cynthia Marcotte Stamer

Discount Tire Ruling Warns Benefit Plan Sponsors, Leaders & Other Fiduciaries To Ensure Appropriate Plan Investment Monitoring

March 7, 2026

Recent fiduciary litigation clearly warns employer and other plan sponsors, plan committees and corporate officials, trustees and other service providers, and others involved in plan-related decision-making to ensure a well‑documented prudent fiduciary process for selecting and monitoring plan investments, selecting and overseeing service providers empowered to make or influence these decisions, and making other plan decisions.

The Employee, Retirement Income, Security Act (“ERISA”) requires “fiduciaries” to act prudently when making investment decisions, selecting and supervising parties to make investment decisions, or making any other fiduciary decision. See ERISA §404(a)(1)(B), 29 U.S.C. §1104(a)(1)(B).

Discount Tire Plan Litigation Illustrates Fiduciary Risks

The March 4, 2026 ruling in McGeathy v. Reinalt‑Thomas Corp., No. 2:25‑cv‑01439 (D. Ariz. Mar. 4, 2026), is the latest of a plethora of rulings highlighting the exposure of these and other parties with named or functional discretionary authority to make or select those responsible for making plan decisions risk from failing to recognize and appropriately manage their fiduciary status and responsibilities.

In McGeathy U.S. District Court for the District of Arizona refused to dismiss a fiduciary breach lawsuit alleging that the parent company of Discount Tire that sponsored the plan, various corporate officials and a trust company service provider were liable as plan fiduciaries for failing properly to monitor and replace underperforming target‑date funds in the company’s retirement plan.

The decision illustrates the willingness of courts to allow ERISA fiduciary claims to proceed against corporate plan sponsors and their officials or others who plaintiffs plausibly allege were fiduciaries and failed to follow a prudent process for reviewing investments or carrying out other discretionary decision-making. See ERISA §404(a)(1)(B), 29 U.S.C. §1104(a)(1)(B).

In McGeathy, a participant in the Discount Tire/America’s Tire Retirement Plan alleged that the defendants were plan fiduciaries and breached their duties under ERISA §404(a) by retaining a series of American Century target‑date funds that allegedly underperformed comparable funds for many years.

According to the complaint, the plan included approximately 16,000 participants and more than $1.2 billion in assets, with nearly 44% of plan assets invested in the challenged target‑date funds. The plaintiff alleges fiduciaries failed to prudently monitor and remove the investments despite long‑term underperformance relative to comparable funds.

The defendants argued that investment underperformance alone does not establish a fiduciary breach under ERISA. Some also disputed their fiduciary status relating to the challenged decisions.

The court rejected dismissal at the pleading stage, holding that the complaint plausibly alleged that the defendants were fiduciaries and as fiduciaries or co-fiduciaries may have failed to prudently monitor and replace the funds.

The court also allowed failure‑to‑monitor claims against company officials responsible for appointing and overseeing plan investment decision‑makers under the theory they acted as fiduciaries in selecting and retaining the trustee appointed to make those decisions for the plan. See ERISA §405(a), 29 U.S.C. §1105(a).

The courts ruling allows the case to proceed, requiring the plan sponsor, corporate officials, and trust company to continue to defend the case, pending a settlement or a determination on the facts. Regardless of how a case of merges, the litigation promises to be an expensive lesson, the outcome of which will depend on each defendant ability to demonstrate its prudence in the exercise of any discretion it possessed over the plan or it’s administration with regard to the disputed investments.

The Fiduciary Duty of Prudence

Under ERISA, the term “fiduciary” includes any person or entity that possesses named or functional discretionary authority over the administration or assets of a plan. ERISA §409. Since ERISA defines fiduciary status functionally, a party may not be a named fiduciary to bear fiduciary liability or responsibility. Consequently, many corporate officers and other parties often face fiduciary liability for their functional involvement and investment or other decisions regarding for the plan even though not official officially named as fiduciaries. A fiduciary generally is personally liable for breaches a fiduciary duties that it commits as well as liability as a co-fiduciary for fiduciary act or emissions of another fiduciary that the co-fiduciary through the exercise of prudence New, or should’ve known, was breaching its fiduciary duties and failed to appropriately act to protect the plan, including failure to monitor and manage a fiduciary that it appointed.

ERISA requires fiduciaries to act “with the care, skill, prudence, and diligence under the circumstances then prevailing that a prudent man acting in a like capacity and familiar with such matters would use.” ERISA §404(a)(1)(B), 29 U.S.C. §1104(a)(1)(B).

Courts consistently emphasize that ERISA liability focuses on the fiduciary process used to select and monitor investments, not simply on whether investments perform well or poorly.

The U.S. Supreme Court reinforced this principle in Tibble v. Edison International, 575 U.S. 523 (2015), holding that ERISA fiduciaries have a continuing duty to monitor plan investments and remove imprudent ones within a reasonable time.

Other Recent Cases Reinforce Monitoring Duties

Recent ERISA litigation continues to demonstrate that plan fiduciaries they cannot produce the necessary evidence to show that they acted prudently risk significant personal liability.

In Collins v. Northeast Grocery, Inc., 87 F.4th 125 (2d Cir. 2025), the Second Circuit allowed fiduciary breach claims to proceed based on allegations that plan fiduciaries failed to prudently evaluate investment performance and fees relative to comparable alternatives.

Similarly, in Cunningham v. Cornell University, 604 U.S. ___ (2025), the U.S. Supreme Court revived claims challenging allegedly excessive administrative and recordkeeping fees and clarified pleading standards applicable to ERISA fiduciary breach claims.

These decisions reflect continuing judicial scrutiny of fiduciary monitoring processes, benchmarking practices, and oversight of investment decisions and the selection, monitoring and management of plan sponsors and their corporate officers and other officials involved in the selection and retention of the service providers and pension investments or provide other services.

This liability often arises or is enhanced by the failure of individuals or entities possessing or exercising discretion over the plan’s assets or administration to appreciate their own fiduciary status and a resulting failure to use the necessary processes to prudently carry out these discretionary duties in a manner that captures the necessary evidence to defend the prudence of their actions.

Compliance Lessons for Plan Fiduciaries

Plan sponsors, fiduciary committees and corporate officers and directors with responsibility or involvement in managing plan, investments, or selection and management of the service providers or company officials responsible for management of investments should consider several risk‑reduction steps.

Plan an investment for other committees, trust companies, investment, advisory organizations, or individuals involved in the discretionary decision-making about the investment and management of plan assets should conduct their activities to create and maintain the necessary, documented evidence of their prudence in their oversight and management of the plans, investments and other activities. As part of these actions, for instance, they should:

• Maintain a structured investment monitoring process with periodic performance reviews.

• Adopt and consistently follow a written Investment Policy Statement.

• Benchmark investment performance and fees against appropriate peer funds.

• Document fiduciary committee meetings and deliberations.

• Monitor market or other conditions that could create a need for reconsideration of investment policies to meet market specific or other emerging conditions and document their decision-making.

Corporate Officers Be Liable as “Functional Fiduciaries” Even When Not Named in the Plan

Another important lesson from this modern ERISA fiduciary litigation is that corporate officers and others involved in making or appointing individuals or service providers to make plan investment or other decisions can become liable as fiduciaries even if not formally named as fiduciaries in plan documents.

ERISA defines fiduciary status based on functions performed, not titles held.

Under ERISA §3(21)(A), 29 U.S.C. §1002(21)(A), a person becomes a fiduciary to the extent he or she exercises discretionary authority or control over plan management, exercises authority or control over plan assets, or provides investment advice for a fee.

Because of this functional fiduciary rule, courts frequently hold that corporate officers, executives, and investment committee members can be personally liable when they exercise discretionary authority over plan investments or the selection or retention of the parties to make those decisions.

In Fifth Third Bancorp v. Dudenhoeffer, for instance, plan participants sued corporate officers responsible for administering the company’s retirement plan.

Participants alleged that corporate insiders knew the company’s stock was artificially inflated but continued allowing the plan to invest heavily in it. The Supreme Court held that corporate officers serving as plan administrators are subject to the same ERISA fiduciary duties as any other fiduciary, rejecting a special “presumption of prudence” for employer-stock investments.

The decision reinforced that officers who exercise discretionary control over plan investments can face fiduciary liability even when acting in dual corporate roles.

Also, in Donovan v. Bierwirth, the court held corporate officers responsible for managing a company pension plan liable for breach of fiduciary duty when they made investment decisions involving employer stock during a takeover battle.

The Second Circuit held that fiduciaries must act solely in the interests of plan participants and must take steps such as seeking independent advice when corporate conflicts arise.

The case remains one of the leading precedents establishing that corporate insiders who control plan investments can be personally liable under ERISA.

Likewise, federal courts have also imposed fiduciary liability on corporate insiders involved in employee stock ownership plan (ESOP) transactions.

For example, litigation brought by the U.S. Department of Labor against parties involved in ESOP stock transactions resulted in liability where insiders participated in transactions that caused the plan to pay inflated prices for employer stock. Courts held that individuals involved in the transaction could be jointly and severally liable as fiduciaries or knowing participants in prohibited transactions.

These cases demonstrate that ERISA liability can extend beyond named fiduciaries to individuals who exercise real control over investment decisions.

This functional fiduciary doctrine significantly expands potential liability exposure.

Corporate executives may become ERISA fiduciaries when they select or retain service providers or named plan fiduciaries, approve or influence plan investment menus, participate in investment committees, select or retain target-date funds or other plan investments or appoint or monitor plan fiduciaries or investment advisors or engage in of influence other plan decisions affecting plan assets or administration.

Even if plan documents designate a committee or outside fiduciary, individuals involved in decision-making may still face liability under ERISA’s co-fiduciary provisions if they knowingly participate in or fail to correct fiduciary breaches.

Acdditional Practical Compliance Lessons for Corporate Leadership

Corporate officers involved in retirement or other benefit plan oversight should take steps to manage their potential liability exposure. Among other things, these steps should include:

Ensure plan documents and contracts provide a clear fiduciary governance structure that clearly identifies l who is responsible for plan investment and other decisions.
Establish and prudently appoint an investment committe responsible for prudent investment of the plan investments;
Require investment committee independence with prudent periodic monitoring and oversight;
Investment Committees should meet regularly and prudently decide and review investment performance pursuant to prudent written investment policy.
Ensure documented monitoring of plan investments.
Maintain benchmarking reports, advisor analyses, and prudent fiduciary deliberations documentation;
Periodically review of investment advisors Confirm that advisors are providing objective and appropriate recommendations;
Train executives and committee members Ensure individuals understand when their activities may create fiduciary status and their responsibilities.

All parties should understand that ERISA fiduciary liability is determined by what individuals actually do, not by whether they are formally labeled fiduciaries.

Courts consistently hold that corporate officers who exercise discretionary authority over retirement plan investments may be treated as ERISA fiduciaries and held personally liable for imprudent investment decisions or failures to monitor plan investments.

Businesses sponsoring employee benefit plans, and the officers and directors that serve on retirement committees, or in other capacities involved in the selection and retention of committees or service providers appointed to manage plan investments and other operations should recognize their selection authority generally will be considered fiduciary action for purposes of ERISA. Parties involved in these selection and oversight activities should conduct carefully documented processes to demonstrate their prudence in the selection and monitoring of the committee members or service providers that will be performing investment or other fiduciary functions for the plan. hiring processes should include carefully, documented, vetting processes that verify the credentials, performance, processes, fees and other compensation, and other relevant factors necessary to make these engagement of a particular entity or individual to carry out these investment functions prudent. Subsequently, procedure should be implemented and used to periodically monitor and review investment advisors and other service providers.

To meet express requirements of a risk of concerning the parties and trusted with fiduciary responsibilities, all involve parties should affirm that any individual or entity involved in the selection of plan, service providers, or investments, or otherwise performing fiduciary activities, or providing services to the plan are properly vetted for eligibility to serve under the ERISA rules, properly bonded, and otherwise have the credentials and performance history that justifies and trust of these responsibilities under the rules of prudence.

Documentation of fiduciary decision‑making is often critical in defending ERISA fiduciary breach claims. Courts frequently examine committee minutes, benchmarking reports, and advisor recommendations when evaluating whether fiduciaries followed a prudent process. processes of all involved parties should not only seek to exercise and verify prudent decision-making, but also captured the necessary evidence and documentation to defend their determination and actions in the event of a Department of Labor investigation or participant lawsuit.

Bottom Line

The Discount Tire and other similar decisions reaffirm a central principle of ERISA fiduciary law: liability often turns on the quality and documentation of the fiduciary process used to monitor plan investments or other decision-making regarding the plan, it’s service providers and investments, or other aspects of the establishment and administration of the plan.

Plan sponsors and fiduciaries should ensure they maintain a disciplined vendor credentialing, selection and contracting process; investment selection, performance and review process; and retain documentation demonstrating prudent oversight of plan investments and advisors.

Corporations should seek guidance and training from qualified employee benefits counsel as prudently required to understand and perform these responsibilities.

Also since lawsuits and other challenges can arise, despite the most diligent efforts to act prudently, all parties involved also gently should consider the advisability of securing fiduciary liability insurance coverage and appropriate contractional role designation and indemnification to help mitigate potential liability and cost arising from challenges that may arise out of the performance of investment or other related activities.

For More Information

We hope this update is helpful. For more information about these or other employee benefits, human resources, or health care developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.

About the Author

Ms. Stamer is a Martindale-Hubble AV-Preeminent (highest/top 1%) practicing attorney recognized as a “Top Woman Lawyer,” “Top Rated Lawyer,” and “LEGAL LEADER™” in Health Care Law and Labor and Employment Law; among the “Best Lawyers In Dallas” in “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law recognized for her experience, scholarship, thought leadership and advocacy on health and other employee benefits, insurance, healthcare, workforce, HIPAA and other data and technology and other compliance in connection with her work with health care and life sciences, employee benefits, insurance, education, technology and other highly regulated and performance-dependent clients.

About Solutions Law Press™

©2026 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press. ™ For information about licensing for republication, please contact the author directly. All other rights reserved.

Comments Off on Discount Tire Ruling Warns Benefit Plan Sponsors, Leaders & Other Fiduciaries To Ensure Appropriate Plan Investment Monitoring | 401(k), Banking, board of directors, Brokers, compensation, compliance, conflict of interest, Corporate Compliance, corporate governance, defined benefit plan, defined contribution plan, directors, Disability, EBSA, Employee Benefits, Employer, Employers, Employment, Employment Policies, ERISA, Excise Taxes, Executive Compensation, fiduciary duty, Fiduciary Responsibility | Permalink
Posted by Cynthia Marcotte Stamer

HIPAA Privacy Notice Update Deadline: February 16, 2026

February 12, 2026

February 16, 2026, is the deadline for health care providers, group health plans and health insurers to update and redistribute their Health Insurance Portability and Accountability (“HIPAA”) Notice of Privacy Practices (“Privacy Notice”) to comply with recent federal rule changes strengthening protections certain Part 2 substance use disorder (“SUD”) records (the “SUD Rules”). Timely update of Privacy Notices and compliance with these related requirements is particularly critical for the following organizations, who regularly receive and handle SUD records:

Behavioral health providers;
Integrated delivery systems;
Health plans receiving SUD claims data; and
Third party administrators, utilization management, and other health plan service providers involved in the administration of behavioral health or substance abuse benefits.

HIPAA Privacy Notice Generally

The HIPAA regulations require most health care providers, group health plans and health care clearinghouses (“Covered Entities”) to provide a Privacy Notice that meets the content and distribution requirements of the HIPAA rules. See 45 C.F.R. § 164.520. Health plans generally must deliver the Privacy Notice to their members at enrollment. Health care providers generally must present the Privacy Notice to patients at least once a year, try to obtain acknowledgement of receipt, display it at their service locations and “prominently post” it on their websites.

Noncompliance with these and other HIPAA requirements can trigger a wide range of adverse consequences, including:

Complicate the administration and defense of HIPAA compliance;
Fuel HIPAA complaints from PHI subjects or others;
Trigger OCR enforcement and the potential civil monetary penalties and corrective action plans;
Expose noncompliant health plan fiduciaries to fiduciary investigation and liability under the Employee Retirement Income Security Act;
Expose health care providers to licensure, ethical or other professional investigations and sanctions;
Expose health care providers and insurers to licensing or other state regulatory enforcement actions;
Violate stop-loss, liability or other contracts;
Expose health plans, their fiduciaries and other covered entities to added expense to respond to and defend complaints and investigations; and
Create reputational risk.

Privacy Notice Updates Due February 16, 2026

The Privacy Notice updates currently due by February 16, 2026, arise from the 2024 Final Rule aligning 42 CFR Part 2 with HIPAA jointly published by the Substance Abuse and Mental Health Services Administration (“SAMHSA”) and OCR to align the substance abuse privacy rules in 42 CFR Part 2 more closely with HIPAA.

While most of the SUD rules operational provisions already are in effect, Covered Entities that maintain SUD records subject to Part to have until February 16, 2026, to update and timely distribute their Privacy Notices to:

Explain how Part 2 records may be used and disclosed.
Describe patients’ rights to obtain an accounting of disclosures, request restrictions, file complaints and describe potential penalties for misuse.

Along with updating their Privacy Notices content, health plans and other Covered Entities also need to update their Privacy Notice postings and distributions. Health plans generally are encouraged to follow best practices by treating the revisions as material revisions impacting their health plans and err in favor of broad distribution. Health plans generally should distribute the updated notice to plan participants within 60 days of a material revision or include notice of its availability in its next annual mailing and post an updated copy on the plan’s website. In contrast, health care providers must meet slightly broader distribution requirements, that generally require a health care provider:

Ensure the updated notice is provided to new patients at check-in and request a signed acknowledgement of receipt from the patient at least once a year;
Post the revised Privacy Notice in a clear and prominent locations in treatment areas as required by the Privacy Rule;
Make copies available upon request; and
Post electronically on websites

Beyond these specific actions in response to the 2024 Final Rule aligning 42 CFR Part 2, self-insured ERISA plans, their employer or other plan sponsors, fiduciaries, and service providers should take the following steps:

Update the plan’s HIPAA Notice;
Review and update as necessary plan documents and other policies to ensure language complies with the new rule;
Plan fiduciaries and sponsors should coordinate with third party administrators and other service providers, behavioral health and other medical management vendors, stop loss carriers, prescription benefit management organizations, and other service providers to verify their process and practices are updated to comply with the new requirements;
Conduct any necessary training and education for workforce members and business associates; and
Take steps to monitor compliance on an ongoing basis.

Covered Entities Also Should Reconfirm Adequacy of Existing Other Privacy Notice Content Adequacy

Along with implementing the changes necessary to ensure their Privacy Notices comply with the SUD Rules of 42 CFR Part 2 alignment, group health plans and other Covered Entities also should review and update their Privacy Notices to confirm other content continues to meet OCR’s Privacy Notice requirements.

Since OCR has not substantively revised the content requirements for Privacy Notices or its model Notice of Privacy Practices for many years, many group health plans and other covered entities take for granted that the existing content of their Privacy Notices remains compliant. While OCR’s rules have not changed, group health plans and other Covered Entities often have experienced changes in staffing, addresses or other operational details that may make updates to their Privacy Notices required or advisable. Failing to update Privacy Notices to reflect these changes can both violate HIPAA and fuel a wide range of potentially costly miscommunications and disagreements. Consequently, group health plan sponsors, fiduciaries and service providers, as well as other Covered Entities also are encouraged to review their existing Privacy Notices for any updates required in response to these and other changes.

HIPAA Privacy Rule to Support Reproductive Health Care Privacy No Longer Required

Covered Entities currently do not have to change their Privacy Notices to add disclosures about new requirements for the disclosure of protected health information (“PHI”) relating to reproductive rights that OCR sought to require under its HIPAA Privacy Rule to Support Reproductive Health Care Privacy (“Reproductive Rights Rule”), as the U.S. District Court for the Northern District of Texas vacated those requirements in Purl v. United States Department of Health and Human Services, No. 2:24-CV-228-Z, (N.D. Tex. June 18, 2025).

Had the District Court not struck down the Reproductive Rights Rule last June, Covered Entities also would have been required by February 16, 2026, to revise their Privacy Notices to discuss OCR HIPAA rules restricting disclosures of protected health information (“PHI”) related to lawful reproductive health care.

OCR adopted the Reproductive Rights Rule as part of a broader series of actions by the Biden Administration intended to mitigate the effect of the Supreme Court’s ruling in Dobbs v. Jackson Women’s Health Organization, 597 U.S. 215 (2022). Dobbs restored state power to regulate abortion by reversing the Supreme Court’s decades-old decision in Roe v. Wade, which had recognized a woman’s right to abortion as part of a fundamental right to reproductive privacy.

In furtherance of these broader efforts to limit state efforts to regulate abortion and other reproductive rights, the Reproductive Rights Rule prohibited Covered Entities from using or disclosing PHI:

For criminal, civil, or administrative investigations into lawful reproductive health care
To identify a person for such investigations
For proceedings related to lawful reproductive health care

It also required Covered Entities and their business associates to:

Obtain a signed attestation before disclosing reproductive health information for certain law enforcement or oversight requests
Revise their Privacy Notice to describe these new protections

The federal district court’s ruling makes these updates unnecessary at this time.

If you have questions about these health plan exposures or other health care, workforce employee benefits or other regulatory compliance or investigations concerns, contact the author.

For More Information

About the Author

Cynthia Marcotte Stamer is a Martindale-Hubble AV-Preeminent (highest/top 1%) practicing attorney recognized as a “Top Woman Lawyer,” “Top Rated Lawyer,” and “LEGAL LEADER™” in Health Care Law and Labor and Employment Law; among the “Best Lawyers In Dallas” in “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law recognized for her experience, scholarship, thought leadership and advocacy on health and other employee benefits, insurance, healthcare, workforce, HIPAA and other data and technology and other compliance in connection with her work with health care and life sciences, employee benefits, insurance, education, technology and other highly regulated and performance-dependent clients.

Board certified in labor and employment law by the Texas Board of Legal Specialization and a Fellow in the American College of Employee Benefits Counsel, Ms. Stamer has more than 35 years of experience advising and representing, employers, employee benefit plans and their fiduciaries and administrators, their administrative services, technology and other business associates and other vendors, managed care and insurance, health care and other clients about these and other workforce, employee benefits, internal controls and other operations and compliance concerns.

Ms. Stamer is nationally sought out for her decades of leading-edge experience in the design, sponsorship, administration, and defense of health and other employee benefit, workforce, insurance, healthcare, data and technology, and other operations to promote legal and operational compliance, reduce regulatory and other liability, and advance other operational goals. This experience includes decades of work on HIPAA and other medical and other data and technology privacy, security and other management, including years of service as the Scribe leading the American Bar Association Joint Committee on Employee Benefits Annual Agency Meeting with the Department of Health and Human Services Office of Civil Rights, extensive advice to health plans and insurers, their sponsors, fiduciaries and service providers; managed care organizations, health care organizations, health care clearinghouses and other health data and technology providers; and others about HIPAA and other Federal, state and international privacy and data security; and extensive speaking and publications on these and related concerns.

Along with her decades of legal and strategic consulting experience, Ms. Stamer also contributes her leadership and experience to many professional, civic and community organizations. She currently serves as Co-Chair of the ABA Real Property Trusts and Estates (“RPTE”) Section Welfare Plan Committee, Co-Chair of the ABA International Section International Employment Law Committee and its Annual Meeting Program Planning Committee, Chair Emeritus and Vice Chair of the ABA Tort Trial and Insurance (“TIPS”) Section Medicine and Law Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee. She also has served as Scribe for the Joint Committee on Employee Benefits (“JCEB”) annual agency meetings with the Department of Health and Human Services and JCEB Council Representative, International Section Life Sciences Committee Chair, RPTE Section Employee Benefits Group Chair and a Substantive Groups Committee Member, Health Law Section Managed Care & Insurance Interest Group Chair, as TIPS Section Medicine and Law Committee Chair and Employee Benefits Committee and Workers Compensation Committee Vice Chair, Tax Section Fringe Benefit Committee Chair, and in various other ABA leadership capacities. Ms. Stamer also is a former Southwest Benefits Association Board Member and Continuing Education Chair, SHRM National Consultant Board Chair and Region IV Chair, Dallas Bar Association Employee Benefits Committee Chair, former Texas Association of Business State, Regional and Dallas Chapter Chair, a founding board member and Past President of the Alliance for Healthcare Excellence, as well as in the leadership of many other professional, civic and community organizations. She also is valued and celebrated for her decades of policy advocacy and charitable, pro bono, community and other service and leadership to promote understanding and strengthening health care, workforce, saving, disability, aging and retirement and other key policies and challenges through her PROJECT COPE Coalition For Patient Empowerment initiative and many other pro bono service involvements locally, nationally and internationally.

About Solutions Law Press™

©2026 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press. ™ For information about licensing for republication, please contact the author directly. All other rights reserved.

Comments Off on HIPAA Privacy Notice Update Deadline: February 16, 2026 | Association Health Plan, Corporate Compliance, ERISA, fiduciary duty, Fiduciary Responsibility, group health plan, health benefit, Health Benefits, health Care, health insurance, health insurance marketplace, Health IT, health plan, Health Plans, HIPAA, HIPAA, Mental Health, Mental Health Parity, Protected Health Information, self insured health plan | Tagged: Artificial Intelligence, Employee Benefits, Employer, Employers, Employment, ERISA, Fiduciary Responsibility, Health, Health Insurance, Health Insurer, Health Plan, Health Plans, Healthcare Privacy, HIPAA, Human Resources, Insurance, Mental Health, Mental Health Benefits, news, politics, Privacy Practices, substance abuse, Substance Abuse Benefits, Technology, TPAs | Permalink
Posted by Cynthia Marcotte Stamer

PBMs Pressured To Reform By FTC Express Scripts Settlement, Proposed Labor Department Rule Requiring PBM Compensation Transparency

February 4, 2026

Prescription benefit manager (“PBM”) Express Scripts, Inc. and its affiliated entities (collectively “ESI”) must adopt “fundamental” business practice changes intended to enhance transparency in its PBM practices under a “landmark settlement” that resolves its exposure to FTC charges that the nation’s three largest PBMs – ESI, Caremark Rx, and OptumRx and their affiliated group purchasing organizations (“GPOs”) – illegally used anticompetitive and unfair rebating practices to artificially inflate prices of and restrict patient access to insulin drugs made in a FTC lawsuit.

In Caremark Rx, Zinc Health Services, et al., In the Matter of (Insulin), the FTC sued the nation’s three largest PBMs, ESI, Caremark Rx, and OptumRx and their affiliated GPOs, for illegally driving up insulin prices and disrupting patient access to insulin by engaging in anticompetitive and unfair rebating practices.

Specifically, the FTC alleges these PBMs use of restrictive formularies that completely excluded certain drugs from coverage coerced pharmaceutical manufacturers to provide PBMs higher rebates to avoid exclusion of their products outright from the PBM formularies required for insurance coverage for tens of millions of patients. Leveraging this threat of exclusion, the FTC charges PBMs began demanding higher and higher rebates from drug manufacturers in exchange for placing those drugs on their restrictive formularies. While the race for higher rebates, in principle, should have reduced drug costs for patients, the FTC says the PBMs’ “insatiable demand for larger rebates” and manufacturers’ desire to preserve their own profits drove manufacturers steadily to increase the list price of their drugs. The FTC claims the resulting dynamic artificially inflated list prices disconnected from the actual cost of the drugs to insurers.

Since patients’ out-of-pocket expenses are directly or indirectly tied to these inflated prices, uninsured patients often pay the full list price, while insured patients with high deductibles or co-insurance also face higher costs based on these inflated list prices. As a result, as rebates and list prices rise in tandem, these groups of patients are burdened with higher out-of-pocket costs for their medications.

The FTC claims this broken system has far-reaching consequences. it causes opaque an drug pricing and reimbursement system, which benefits the PBMs and manufacturers, but deliberately obscures the full scope of harm and financial cost from insurers and patients unknowingly shouldering the burden of inflated list prices.

While the dynamic impacts many prescription drugs, the FTC says insulin is the poster child of this distorted system.

The FTC settlement resolves ESI’s liability exposure from the FTC lawsuit regarding insulin pricing and competition in return for it, making significant changes in its PBM pricing and other practices. Among other things, ESI agrees no longer to prefer drugs with high list prices on its standard formularies when cheaper equivalents exists. ESI also will delink its compensation from the savings it negotiates with drugmakers. ESI also commits to increase transparency, including reporting more data on drug spending and disclosing any kickbacks to brokers that help employers choose PBMs. ESI also agreed to reshore its group purchasing organization Ascent from Switzerland back to the United States.

GPOs, which aggregate PBMs’ members to improve their negotiating leverage with drugmakers, have been accused of facilitating shell games that allow PBMs to retain more drug rebates as profit. However oversight is tricky given no major GPOs are headquartered in the U.S.

The FTC predicts ESI deal will drive down patients’ out-of-pocket costs for drugs like insulin by up to $7 billion over a decade and bring millions of dollars in new revenue to community pharmacies by requiring Express Scripts to move its pharmacy reimbursement to a cost-plus model. If there’s noting that ESI reportedly .already was transitioning to a cost plus model.

The FTC lawsuit continues against Caremark Rx, and UnitedHealth owned OptumRx and their affiliated GPOs.

The settlement announcement follows the U.S. Department of Labor e Department of Labor last week issued a proposed rule to improve transparency of fees collected by pharmacy benefit managers. If adopted as proposed, the rule will require PBMs to disclose rebates and other payments from drug manufacturers, compensation received when the price paid by a health plan for a prescription drug exceeds the amount reimbursed to the pharmacy, and payments recouped from pharmacies in connection with prescription drugs dispensed to a health plan. The proposal would also allow plan fiduciaries to audit the accuracy of PBM disclosures and provide additional relief if their PBM fails to meet its obligations under the rule.

The FTC and Labor Department actions are part of a series of federal activities undertaken in response to directives of President Donald Trump to provide greater healthcare transparency and bring down the cost of prescription medications and other healthcare costs. See, e.g. The Great Healthcare Plan; Making America Healthy Again by Empowering Patients with Clear, Accurate, and Actionable Healthcare Pricing Information; Delivering Most Favored-Nation Prescription Drug Pricing To American Patients (May 12, 2025).

PBMs, healthcare providers, health plans and their sponsors and their fiduciaries and service providers, pharmaceutical manufacturers and distributors, and consumers should carefully follow these and other developments do you understand there’re evolving responsibilities and opportunities under these changing rules and enforcement positions. receive updates on these another developments, follow this resource or email your contact information to the author.

If you have questions about this or other health care concerns, contact the author.

For More Information

About the Author

Peer recognized as “Top Rated Lawyer” and “LEGAL LEADER™ “Top Rated Lawyer” and “Best Lawyer” for her work in Health Care Law, Labor and Employment Law; ERISA & Employee Benefits,” and “Business and Commercial Law,” Cynthia Marcotte Stamer is an A Martindale-Hubble “AV-Preeminent” (Top 1%) attorneys board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for her more than 35 years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications including leading edge work on PBM, pharmacy and pharmaceutical and other health care, managed care, insurance, and insured and self-insured contracting, design, administration and regulation..

Author of numerous highly regarded works on health law and policy, Immediate Past Chair of the ABA International Section Life Sciences Committee and the current Tort Trial and Insurance Practice Section Medicine and Law Committee, past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and past Group Chair and current Welfare Benefit Committee Co-Chair of the ABA RPTE Employee Benefits & Other Compensation Group, Ms. Stamer is most widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on health and other privacy and data security and other health industry legal, public policy and operational concerns.

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. As a part of this work, she has continuously and extensively worked with domestic and international health plans, their sponsors, fiduciaries, administrators, and insurers; managed care and insurance organizations; third party administrators and other health benefit service providers; hospitals, health care systems and other health care providers, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; EMR, claims, payroll and other technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, self-insured health and other employee benefit plans, their sponsors, fiduciaries, administrators and service providers, insurers and other payers, health industry advocacy and other service providers and groups and other health and managed care industry clients as well as federal and state legislative, regulatory, investigatory and enforcement bodies and agencies.

She also has extensive experience helping health care systems and organizations, group and individual health care providers, health plans and insurers, health IT, life sciences and other health industry clients prevent, investigate, manage and resolve sexual assault, abuse, harassment and other organizational, provider and employee misconduct and other performance and behavior; manage Section 1557, Section 504, Civil Rights Act and other discrimination and accommodation, and other regulatory, contractual and other compliance; vendors and suppliers; contracting and other terms of participation, medical billing, reimbursement, claims administration and coordination, Medicare, Medicaid, CHIP, Medicare/Medicaid Advantage, ERISA and other payers and other provider-payer relations, contracting, compliance and enforcement; Form 990 and other nonprofit and tax-exemption; fundraising, investors, joint venture, and other business partners; quality and other performance measurement, management, discipline and reporting; physician and other workforce recruiting, performance management, peer review and other investigations and discipline, wage and hour, payroll, gain-sharing and other pay-for performance and other compensation, training, outsourcing and other human resources and workforce matters; board, medical staff and other governance; strategic planning, process and quality improvement; meaningful use, EMR, HIPAA and other technology, data security and breach and other health IT and data; STARK, ant kickback, insurance, and other fraud prevention, investigation, defense and enforcement; audits, investigations, and enforcement actions; trade secrets and other intellectual property; crisis preparedness and response; internal, government and third-party licensure, credentialing, accreditation, HCQIA and other peer review and quality reporting, audits, investigations, enforcement and defense; patient relations and care; internal controls and regulatory compliance; payer-provider, provider-provider, vendor, patient, governmental and community relations; facilities, practice, products and other sales, mergers, acquisitions and other business and commercial transactions; government procurement and contracting; grants; tax-exemption and not-for-profit; privacy and data security; training; risk and change management; regulatory affairs and public policy; process, product and service improvement, development and innovation, and other legal and operational compliance and risk management, government and regulatory affairs and operations concerns. to establish, administer and defend workforce and staffing, quality, and other compliance, risk management and operational practices, policies and actions; comply with requirements; investigate and respond to Board of Medicine, Health, Nursing, Pharmacy, Chiropractic, and other licensing agencies, Department of Aging & Disability, FDA, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; JCHO and other accreditation and quality organizations; private litigation and other federal and state health care industry actions: regulatory and public policy advocacy; training and discipline; enforcement; and other strategic and operational concerns.

Author of publications on “Transparent PBM Contracting,” “ACOs, Direct Contracting: Legal & Practical Challenges For Employers, Providers & TPAs,” “The Medicare Advantage Contracting Manual,” “Third Party Administrator (TPA) Contracting Principles and Strategies and a multitude of other highly regarded publications and presentations, Stamer is widely recognized for her thought leadership on PBM and other managed care and health plan contracting and design, and a multitude of other health care, health plan and other health industry matters. In addition, Ms. Stamer contributes her time and leadership to numerous policy, professional, civil and other organizations including service as the, the American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting and a former Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstance at the particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often rapidly evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. The author and Solutions Law Press, Inc. disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Comments Off on PBMs Pressured To Reform By FTC Express Scripts Settlement, Proposed Labor Department Rule Requiring PBM Compensation Transparency | Association Health Plan, Claims, Claims Administration, compensation transparency, Corporate Compliance, drug pricing, EBSA, Employee Benefits, Employer, Employers, ERISA, Fiduciary Responsibility, Health Benefits, health Care, Health Care Fraud, Managed Care, Patient Empowerment, pbm, pbms, pharmacy, PPO, prescription drugs, Reporting & Disclosure | Permalink
Posted by Cynthia Marcotte Stamer

2/21 Deadline To Comment On Proposed Changes To Health Plan Transparency Rules

January 9, 2026

Plans, Payers Would Face Significant systems & Data Changes To Comply

February 21, 2026, is the deadline for health plan fiduciaries, sponsors, insurers, service providers and other concerned parties to comment on the Proposed Transparency in Coverage Rule jointly proposed by the Centers for Medicare & Medicaid Services (“CMS”), the Department of Labor (“DOL”), and the Department of the Treasury (collectively, the “Departments”) on December 19, 2025.

The Proposed Rule proposed to take effect in 2027 seeks to significantly revise the existing Transparency in Coverage rules currently applicable to health plans by reducing file complexity and size, making data clearer, and producing more usable information that consumers, employers, and innovators can rely on. If adopted as proposed, health plan and health insurers, their sponsors, fiduciaries and service providers will be required to implement the data, systems and consumer updates necessary to comply with the self-service internet-based tool provisions for plan years (in the individual market, policy years) beginning on or after January 1, 2027.

The 2020 Transparency in Coverage rules originally issued during the first Trump Presidency requires health plans and health care providers to share detailed pricing information.

Under current rules, non-grandfathered group health plans and health insurance issuers offering non-grandfathered group and individual health insurance coverage are required to post machine-readable files monthly for each plan or coverage they offer—an In-network Rate File disclosing in-network rates for all covered items and services, an Allowed Amount File disclosing out-of-network allowed amounts and the associated billed charges, and a prescription drug file disclosing in-network rates and historic net prices for covered items and services. These requirements became applicable in July 2022.^[1]

Since these rules took effect, health plans. And insurers have faced criticism for lax compliance with the 2020 Teansparency in Coverage Rules. Additionally, the rules themselves have been criticized for provisions that allow oversized files, duplicative data, unstandardized data information, and other issues to limit the use, accessibility and reliability of the data released under the original rule.

In line with Executive Order 14221, the newly proposed rule seeks to confront these barriers by simplifying how data is organized, eliminating unnecessary information, and making consumer-facing cost tools more accessible to more consumers by:

Requiring plans and issuers to exclude from the In-network Rate Files certain data for services providers would be unlikely to perform.
Reorganizing In-network Rate Files by provider network rather than by plan, cutting redundancy, and aligning with how most hospitals report data pursuant to the Hospital Price Transparency requirements.
Requiring Change-log and Utilization Files so users can easily identify what has changed from one In-network Rate File to the next and have clear information on which in-network providers are actively furnishing which items and services.
Reducing reporting cadence for In-network Rate and Allowed Amount Files from monthly to quarterly, significantly reducing burden while maintaining meaningful transparency.
Increasing the amount of out-of-network pricing information reported by reorganizing Allowed Amount files by health insurance market type, reducing the claims threshold to 11 or more claims, and increasing the reporting period from 90 days to 6 months and the lookback period of data from 180 days to 9 months.

Additionally, to ensure that every individual can access accurate, personalized health care pricing information in the way that works best for them, the proposed rule would tighten requirements for health plan or issuer-provided price comparison tools by aligning them with consumer protections established under the No Surprises Act.

The proposed rule also will require group health plans and health insurance issuers to provide the same detailed cost-sharing information whether viewed online, or in print or provided by telephone, upon request.

The Departments aim for these changes to better equip employers, innovators, and researchers with the information they need to strengthen negotiations, identify cost drivers, and build new tools that help consumers shop for care with confidence by making pricing information more accurate, more accessible, and more actionable by improving clarity, accuracy, and providing better contextual information.

The proposed rules do not include major changes to prescription drug disclosure requirements, which the Departments say they intend to address separately.^[1]

The Departments seek feedback from stakeholders during the 60-day comment period on all elements of the proposed rule, including opportunities for further standardization and burden reduction. The deadline to submit comments is February 21, 2026.

Health plan sponsors, fiduciaries, administrators, and other concern, people should timely review and submit comments. Employers and producers also should begin evaluating and preparing to adapt their existing plan documents, contracts, policies, and procedures to them impending rules. Because noncompliance with these rules also can have significant liability exposures, this is an excellent time for health plan sponsors, and fiduciaries to review and confirm the adequacy of their existing practices and documentation.

If you have questions about these health plan exposures or other health care, workforce employee benefits or other regulatory compliance or investigations concerns, contact the author.

More Information

About the Author

Board certified in labor and employment law by the Texas Board of Legal Specialization and a Fellow in the American College of Employee Benefits Counsel, Ms. Stamer has more than 35 years experience advisingemployers about these and other workforce, employee benefits, internal controls and other operations and compliance concerns.

Ms. Stamer is nationally recognized for her decades of leading-edge experience on the design, sponsorship, administration and defense of health and other employee benefit, workforce, insurance, healthcare, data and technology and other operations to promote legal and operational compliance, reduce regulatory and other liability and promote other operational goals.

Along with her decades of legal and strategic consulting experience, Ms. Stamer also contributes her leadership and experience to many professional, civic and community organizations. She currently serves as Co-Chair of the ABA Real Property Trusts and Estates (“RPTE”) Section Welfare Plan Committee, Co-Chair of the ABA International Section International Employment Law Committee and its Annual Meeting Program Planning Committee, Chair Emeritus and Vice Chair of the ABA Tort Trial and Insurance (“TIPS”) Section Medicine and Law Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee. She also has served as Scribe for the Joint Committee on Employee Benefits (“JCEB”) annual agency meetings with the Department of Health and Human Services and JCEB Council Representative, International Section Life Sciences Committee Chair, RPTE Section Employee Benefits Group Chair and a Substantive Groups Committee Member, Health Law Section Managed Care & Insurance Interest Group Chair, as TIPS Section Medicine and Law Committee Chair and Employee Benefits Committee and Workers Compensation Committee Vice Chair, Tax Section Fringe Benefit Committee Chair, and in various other ABA leadership capacities. Ms. Stamer also is a former Southwest Benefits Association Board Member and Continuing Education Chair, SHRM National Consultant Board Chair and Region IV Chair, Dallas Bar Association Employee Benefits Committee Chair, former Texas Association of Business State, Regional and Dallas Chapter Chair, a founding board member and Past President of the Alliance for Healthcare Excellence, as well as in the leadership of many other professional, civic and community organizations. She also is recognized for her contributions to strengthening health care policy and charitable and community service resolving health care challenges performed under PROJECT COPE Coalition For Patient Empowerment initiative and many other pro bono service involvements locally, nationally and internationally.

For more information about Ms. Stamer or her health industry and other experience and involvements, see http://www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press™

©2026 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press. ™ For information about licensing for republication, please contact the author directly. All other rights reserved.

Comments Off on 2/21 Deadline To Comment On Proposed Changes To Health Plan Transparency Rules | Corporate Compliance | Permalink
Posted by Cynthia Marcotte Stamer

Use Caution When Terminating Workers Reporting Legal Violations

January 9, 2026

The $100,000 damages and reinstatement award Occupational Safety and Health Administration (“OSHA”) imposed on Fort Worth-based trucking company Balkan Express LLC cautions other employees to seek legal advice before terminating or taking other adverse action against employees who have reported or participated in investigations of safety or other laws. LOSHA ordered Balkan Express LLC to reinstate and compensate a worker who was terminated after reporting safety concerns, in violation of the Surface Transportation Assistance Act, which protects commercial motor vehicle safety complaints. OSHA ordered Balkan Express to reinstate the employee and pay back wages, interest, compensatory, and punitive damages totaling more than $100,000.

OSHA’s Whistleblower Protection Programs enforce 25 whistleblower statutes that protect employees from retaliation for reporting potential violations involving safety, health, environmental protection, and other public interest concerns. These statutes include:

The Occupational Safety and Health Act (OSH Act), Section 11(c);
The Consumer Product Safety Improvement Act (CPSIA)
The FDA Food Safety Modernization Act (FSMA);
The Moving Ahead for Progress in the 21st Century Act (MAP-21);
The Asbestos Hazard Emergency Response Act (AHERA);
The Clean Air Act (CAA);
The Comprehensive Environmental Response, Compensation and Liability Act (CERCLA):
The Energy Reorganization Act (ERA)
Federal Water Pollution Control Act (FWPCA);
The Safe Drinking Water Act (SDWA)
Solid Waste Disposal Act (SWDA);
The Toxic Substances Control Act (TSCA);
The Anti-Money Laundering Act (AMLA);
The Consumer Financial Protection Act (CFPA);
The Criminal Antitrust Anti-Retaliation Act (CAARA);
The Sarbanes-Oxley Act (SOX);
The Taxpayer First Act (TFA);
The Affordable Care Act (ACA);
The Federal Railroad Safety Act (FRSA);
The International Safe Container Act (ISCA)
National Transit Systems Security Act (NTSSA):
The Pipeline Safety Improvement Act (PSIA);
The Seaman’s Protection Act (SPA)
Surface Transportation Assistance Act (STAA); and
The Wendell H. Ford Aviation Investment and Reform Act for the 21st Century (AIR21).

In addition to the anti-retaliation provisions enforced by OSHA, employers also face significant retaliation exposures under Equal Employment Opportunity, employee benefits, collective bargaining, and a broad range of other laws. These retaliation statutes and others arising under other statutes enforced by other agencies, through private litigation,or both can protect workers that make good faith reports of violations or cooperate in investigations even if the reported action doesn’t actually violate the law. An organization’s history of responding to reports of suspected violations also can affect the penalties the organization faces for statutory violations of these laws in court or agency prosecutions.

Retaliation exposures are significant and growing. For instance, Equal Employment Opportunity Commission (“EEOC”) statistics show the 42,301 charges alleging retaliation filed in Fiscal Year 2024 made retaliation the most prevalent filing for the seventeenth consecutive year in Fiscal Year 2024 and continued rising in 2025.

If you have questions about anti retaliation law exposures or other workforce concerns, contact the author.

More Information

About the Author

Board certified in labor and employment law by the Texas Board of Legal Specialization and a Fellow in the American College of Employee Benefits Counsel, Ms. Stamer has more than 35 years experience advising employers about these and other workforce, employee benefits, internal controls and other operations and compliance concerns.

Ms. Stamer is nationally recognized for her decades of leading edge experience on the design, sponsorship, administration and defense of health and other employee benefit, workforce, insurance, healthcare, data and technology and other operations to promote legal and operational compliance, reduce regulatory and other liability and promote other operational goals.

Along with her decades of legal and strategic consulting experience, Ms. Stamer also contributes her leadership and experience to many professional, civic and community organizations. She currently serves as Co-Chair of the ABA Real Property Trusts and Estates (“RPTE”) Section Welfare Plan Committee, Co-Chair of the ABA International Section International Employment Law Committee and its Annual Meeting Program Planning Committee, Chair Emeritus and Vice Chair of the ABA Tort Trial and Insurance (“TIPS”) Section Medicine and Law Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee. She also has served as Scribe for the Joint Committee on Employee Benefits (“JCEB”) annual agency meetings with the Department of Health and Human Services and JCEB Council Representative, International Section Life Sciences Committee Chair, RPTE Section Employee Benefits Group Chair and a Substantive Groups Committee Member, Health Law Section Managed Care & Insurance Interest Group Chair, as TIPS Section Medicine and Law Committee Chair and Employee Benefits Committee and Workers Compensation Committee Vice Chair, Tax Section Fringe Benefit Committee Chair, and in various other ABA leadership capacities. Ms. Stamer also is a former Southwest Benefits Association Board Member and Continuing Education Chair, SHRM National Consultant Board Chair and Region IV Chair, Dallas Bar Association Employee Benefits Committee Chair, former Texas Association of Business State, Regional and Dallas Chapter Chair, a founding board member and Past President of the Alliance for Healthcare Excellence, as well as in the leadership of many other professional, civic and community organizations. She also is recognized for her contributions to strengthening health care policy and charitable and community service resolving health care challenges performed under PROJECT COPE Coalition For Patient Empowerment initiative and many other pro bono service involvements locally, nationally and internationally.

Ms. Stamer is the author of many highly regarded works published by leading professional and business publishers, the ABA, the American Health Lawyers Association, and others. Ms. Stamer also frequently speaks and serves on the faculty and steering committee for many ABA and other professional and industry conferences and conducts leadership and industry training for a wide range of organizations.

About Solutions Law Press™

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or admission. Solutions Law Press and its authors reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. Solutions Law Press and its authors disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

©2025 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press.™ For information about licensing for republication, please contact the author directly. All other rights reserved.

Comments Off on Use Caution When Terminating Workers Reporting Legal Violations | Corporate Compliance | Permalink
Posted by Cynthia Marcotte Stamer

Stay Abreast Of And Monitor Current Immigration and Customs Forms, Fees and Pilicy Changes

January 9, 2026

Employers and workers relying on Visas or other U.S Customs and Immigration Enforcement (“USCIS”) documentation or credentials should confirm their forms, fees and other practices and protocols are up-to-date and closely monitor changes, particularly in light of evolving policies and tightening enforcement.

For instance, on January 5, 2026, USCIS reminded affected applicants that starting March 5, 2026, it will accept only the 08/21/25 edition of its Form I-765, Application for Employment Authorization. Until then, applicants may choose to use either the 01/20/25 edition or the updated 08/21/2025 edition.

The change to the Form I-765 is on of a host of changes USCIS has adopted.impacting foreign workers,travel and other requirements.

Other recently announced fee changes includ

USCIS also recently issued ew guidance that limits the age of foreign nationals’ photos that can be used to create immigration documents to no more than three years. This update enhances national security and prevents identity fraud. Currently effectivethe new guidance in the USCIS Policy Manual limits the use of photos to those that were taken within three years of the date a person files a USCIS form. Additionally, self-submitted photos will no longer be accepted. Only photos taken by USCIS or other authorized entities will be used. This ensures every photo used in a secure document is recent, accurate, and reliable—key requirements to preventing fraud and identity theft. This policy change aligns with Department of Homeland Security priorities to modernize screening and vetting processes and address the vulnerabilities in identity documents.

Certain forms will require a new photo, regardless of when an applicant’s or petitioner’s last photograph was taken. These include Form I-90, Application to Replace Permanent Resident Card; Form I-485, Application to Register Permanent Residence or Adjust Status; Form N-400, Application for Naturalization; and Form N-600, Application for Certificate of Citizenship.

Other recently announced changes include but aren’t limited to changes to travel and parole documents and a host of other form, policy and procedures changes.

These are just a few of recent developments and more are anticipated. Sign up for updates and check for updates at https://www.uscis.gov.

If you have questions about immigration and customs law or other workforce requirements and concerns, contact the author.

More Information

About the Author

Board certified in labor and employment law by the Texas Board of Legal Specialization and a Fellow in the American College of Employee Benefits Counsel, Ms. Stamer has more than 35 years experience advising employers and others about these and other workforce, immigration, employee benefits, internal controls and other operations and compliance concerns.

Along with her decades of legal and strategic consulting experience, Ms. Stamer also contributes her leadership and experience to many professional, civic and community organizations. She currently serves as Co-Chair of the ABA Real Property Trusts and Estates (“RPTE”) Section Welfare Plan Committee, Co-Chair of the ABA International Section International Employment Law Committee and its Annual Meeting Program Planning Committee, Chair Emeritus and Vice Chair of the ABA Tort Trial and Insurance (“TIPS”) Section Medicine and Law Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee. She also has served as Scribe for the Joint Committee on Employee Benefits (“JCEB”) annual agency meetings with the Department of Health and Human Services and JCEB Council Representative, International Section Life Sciences Committee Chair, RPTE Section Employee Benefits Group Chair and a Substantive Groups Committee Member, Health Law Section Managed Care & Insurance Interest Group Chair, as TIPS Section Medicine and Law Committee Chair and Employee Benefits Committee and Workers Compensation Committee Vice Chair, Tax Section Fringe Benefit Committee Chair, and in various other ABA leadership capacities. Ms. Stamer also is a former Southwest Benefits Association Board Member and Continuing Education Chair, SHRM National Consultant Board Chair and Region IV Chair, Dallas Bar Association Employee Benefits Committee Chair, former Texas Association of Business State, Regional and Dallas Chapter Chair, a founding board member and Past President of the Alliance for Healthcare Excellence, as well as in the leadership of many other professional, civic and community organizations. She also is recognized for her contributions to strengthening health care policy and charitable and community service resolving health care challenges performed under PROJECT COPE Coalition For Patient Empowerment initiative and many other pro bono service involvements locally, nationally and internationally.

About Solutions Law Press™

©2026 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press. ™ For information about licensing for republication, please contact the author directly. All other rights reserved.

Comments Off on Stay Abreast Of And Monitor Current Immigration and Customs Forms, Fees and Pilicy Changes | Corporate Compliance | Permalink
Posted by Cynthia Marcotte Stamer

Get Advice Before Terminating Employees Who Report Violations

January 9, 2026

The $100,000 damages and reinstatement award Occupational Safety and Health Administration (“OSHA”) on Fort Worth-based trucking company Balkan Express LLC cautions other employees to seek legal advice before terminating or taking other adverse action against employees who have reported or taken part in investigations of safety or other laws. LOSHA ordered Balkan Express LLC to reinstate and compensate a worker who was terminated after reporting safety concerns, in violation of the Surface Transportation Assistance Act, which protects commercial motor vehicle safety complaints. OSHA ordered Balkan Express to reinstate the employee and pay back wages, interest, compensatory, and punitive damages totaling more than $100,000.

The Occupational Safety and Health Act (OSH Act), Section 11(c);
The Consumer Product Safety Improvement Act (CPSIA)
The FDA Food Safety Modernization Act (FSMA);
The Moving Ahead for Progress in the 21st Century Act (MAP-21);
The Asbestos Hazard Emergency Response Act (AHERA);
The Clean Air Act (CAA);
The Comprehensive Environmental Response, Compensation and Liability Act (CERCLA):
The Energy Reorganization Act (ERA)
Federal Water Pollution Control Act (FWPCA);
The Safe Drinking Water Act (SDWA)
Solid Waste Disposal Act (SWDA);
The Toxic Substances Control Act (TSCA);
The Anti-Money Laundering Act (AMLA);
The Consumer Financial Protection Act (CFPA);
The Criminal Antitrust Anti-Retaliation Act (CAARA);
The Sarbanes-Oxley Act (SOX);
The Taxpayer First Act (TFA);
The Affordable Care Act (ACA);
The Federal Railroad Safety Act (FRSA);
The International Safe Container Act (ISCA)
National Transit Systems Security Act (NTSSA):
The Pipeline Safety Improvement Act (PSIA);
The Seaman’s Protection Act (SPA)
Surface Transportation Assistance Act (STAA); and
The Wendell H. Ford Aviation Investment and Reform Act for the 21st Century (AIR21).

In addition to the anti-retaliation provisions enforced by OSHA, employers also face significant retaliation exposures under Equal Employment Opportunity, employee benefits, collective bargaining, and a broad range of other laws. These retaliation statutes and others arising under other statutes enforced by other agencies, through private litigation, or both can protect workers that make good faith reports of violations or cooperate in investigations even if the reported action doesn’t actually violate the law. An organization’s history of responding to reports of suspected violations also can affect the penalties the organization faces for statutory violations of these laws in court or agency prosecutions.

If you have questions about anti retaliation law exposures or other workforce concerns, contact the author.

More Information

About the Author

Board certified in labor and employment law by the Texas Board of Legal Specialization and a Fellow in the American College of Employee Benefits Counsel, Ms. Stamer has more than 35 years experience advising employers about these and other workforce, employee benefits, internal controls and other operations and compliance concerns.

Along with her decades of legal and strategic consulting experience, Ms. Stamer also contributes her leadership and experience to many professional, civic and community organizations. She currently serves as Co-Chair of the ABA Real Property Trusts and Estates (“RPTE”) Section Welfare Plan Committee, Co-Chair of the ABA International Section International Employment Law Committee and its Annual Meeting Program Planning Committee, Chair Emeritus and Vice Chair of the ABA Tort Trial and Insurance (“TIPS”) Section Medicine and Law Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee. She also has served as Scribe for the Joint Committee on Employee Benefits (“JCEB”) annual agency meetings with the Department of Health and Human Services and JCEB Council Representative, International Section Life Sciences Committee Chair, RPTE Section Employee Benefits Group Chair and a Substantive Groups Committee Member, Health Law Section Managed Care & Insurance Interest Group Chair, as TIPS Section Medicine and Law Committee Chair and Employee Benefits Committee and Workers Compensation Committee Vice Chair, Tax Section Fringe Benefit Committee Chair, and in various other ABA leadership capacities. Ms. Stamer also is a former Southwest Benefits Association Board Member and Continuing Education Chair, SHRM National Consultant Board Chair and Region IV Chair, Dallas Bar Association Employee Benefits Committee Chair, former Texas Association of Business State, Regional and Dallas Chapter Chair, a founding board member and Past President of the Alliance for Healthcare Excellence, as well as in the leadership of many other professional, civic and community organizations. She also is recognized for her contributions to strengthening health care policy and charitable and community service resolving health care challenges performed under PROJECT COPE Coalition For Patient Empowerment initiative and many other pro bono service involvements locally, nationally and internationally.

About Solutions Law Press™

©2026 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press. ™ For information about licensing for republication, please contact the author directly. All other rights reserved.

Comments Off on Get Advice Before Terminating Employees Who Report Violations | ADA, Affirmative Action, citizenship, Civil Rights, compensation, compliance, Corporate Compliance, Department of Defense, Discrimination, Drug & Alcohol, Drug Testing, EBSA, EEOC, EEOC, Employee Benefits, Employee Handbook, Employer, Employers, Employment, Employment Discrimination, Employment Policies, Employment Termination, ERISA, fasle claims act, fiduciary duty, Fiduciary Responsibility, FLSA, Government Contractors, Labor Management Relations, OFCCP, Race Discrimination, Rehabilitation Act, Religous Discrimination, Retaliation, Safety, Sex Discrimination, sexual harassnrnt, USERRA, VEVRRA, Wage & Hour, Whistleblower | Permalink
Posted by Cynthia Marcotte Stamer

IDR Fees Changing 1/1/26

December 29, 2025

Health plans, their fiduciaries, service providers, and sponsors and healthcare provide providers, providing service covered by No Surprises Act (“NSA”) should confirm they’ve updated their fees for the independent dispute resolution process in response to changes taking affect January one, 2026.

On Monday, December 29^th, the Department of Health and Human Services (HHS), the Department of Labor (DOL), and the Department of the Treasury (collectively, the Departments) updated the No Surprises Act (NSA) website to reflect the 2026 certified Independent Dispute Resolution (IDR) entity fees in accordance with the Federal Independent Dispute Resolution (IDR) Process Administrative Fee and Certified IDR Entity Fee Ranges Final Rule (IDR Fees Final Rule).

The updated IDR entity fees now published on the NSA website are effective for disputes initiated on or after January 1, 2026. For these disputes, the administrative fee amount is $115 per party per dispute, and the certified IDR entity fee ranges are $200-$840 for single determinations and $268-$1,173 for batched determinations. The website now includes information on the fee set by each certified IDR entity within these ranges.

The IDR Fees Final Rule, effective as of January 22, 2024, set forth the 2025 IDR entity fee ranges, which will remain unchanged for 2026.

If you have questions about this or other health care concerns, contact the author.

More Information

About the Author

Board certified in labor and employment law by the Texas Board of Legal Specialization and a Fellow in the American College of Employee Benefits Counsel, Ms. Stamer is nationally recognized for her decades of leading edge experience on the design, sponsorship, administration and defense of health and other employee benefit, workforce, insurance, healthcare , data and technology and other operations to promote legal and operational compliance, reduce regulatory and other liability and promote other operational goals.

Along with her decades of legal and strategic consulting experience, Ms. Stamer also contributes her leadership and experience to many professional, civic and community organizations. She currently serves as Co-Chair of the ABA Real Property Trusts and Estates (“RPTE”) Section Welfare Plan Committee, Co-Chair of the ABA International Section International Employment Law Committee and its Annual Meeting Program Planning Committee, Chair Emeritus and Vice Chair of the ABA Tort Trial and Insurance (“TIPS”) Section Medicine and Law Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee. She also has served as Scribe for the Joint Committee on Employee Benefits (“JCEB”) annual agency meetings with the Department of Health and Human Services and JCEB Council Representative, International Section Life Sciences Committee Chair, RPTE Section Employee Benefits Group Chair and a Substantive Groups Committee Member, Health Law Section Managed Care & Insurance Interest Group Chair, as TIPS Section Medicine and Law Committee Chair and Employee Benefits Committee and Workers Compensation Committee Vice Chair, Tax Section Fringe Benefit Committee Chair, and in various other ABA leadership capacities. Ms. Stamer also is a former Southwest Benefits Association Board Member and Continuing Education Chair, SHRM National Consultant Board Chair and Region IV Chair, Dallas Bar Association Employee Benefits Committee Chair, former Texas Association of Business State, Regional and Dallas Chapter Chair, a founding board member and Past President of the Alliance for Healthcare Excellence, as well as in the leadership of many other professional, civic and community organizations. She also is recognized for her contributions to strengthening health care policy and charitable and community service resolving health care challenges performed under PROJECT COPE Coalition For Patient Empowerment initiative and many other pro bono service involvements locally, nationally and internationally.

Ms. Stamer is the author of many highly regarded works published by leading professional and business publishers, the ABA, the American Health Lawyers Association, and others. Ms. Stamer also frequently speaks and serves on the faculty and steering committee for many ABA and other professional and industry conferences and conducts leadership and industry training for a wide range of organizations.

About Solutions Law Press™

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or admission. Solutions Law Press and its authors reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. Solutions Law Press and its authors disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Comments Off on IDR Fees Changing 1/1/26 | Corporate Compliance | Permalink
Posted by Cynthia Marcotte Stamer

SCRA Portability Rule Requires State Recognition Of Relocating Service Members & Spouses Licenses & Certifications

December 27, 2025

Employers of workers in positions requiring state licensure or certification should review new Department of Justice guidance about recent updates to the Servicemembers Civil Relief Act (SCRA) that make it easier for service members and spouses to meet state licensing requirements when relocated due to military orders. The rules make it easier for these military connected professionals to meet state licensing or certification requirements and organizations to hire relocating service members and their spouses to fill positions nurses, doctors, pharmacists, legal, insurance, education and other positions requiring licensure or certification under state law.

The Justice Department recently sent States a letter reminding them to evaluate their licensing practices for compliance with the December 23, 2024, SCRA amendments.

The amended SCRA rules now require all states to recognize as valid a medical or other professional license or certification of a service member or spouse of a service member when the servicemember or service member’s spouse:

Has a covered license;
Moves to another State due to military orders; and
Submits an application to the licensing authority of the new State.

The term ‘covered license’ means a professional license that, with respect to a scope of practice:

Is in good standing with the licensing authority that issued such license;
Has not been revoked or had discipline imposed by any State;
Does not have an investigation relating to unprofessional conduct pending in any State relating to it; and
Has not been voluntarily surrendered while under investigation for unprofessional conduct in any State.”

The application requirement is met by a submission by a servicemember or spouse to the new licensing authority that includes the following:

Proof of military orders;
If the applicant is the spouse of a servicemember, a copy of the marriage certificate;
A notarized affidavit affirming, under the penalty of law, that (A) the applicant is the person described and identified in the application; (B) all statements made in the application are true and correct and complete; (C) the applicant has read and understands the requirements to receive a license, and the scope of practice, of the State of the licensing authority; (D) the applicant certifies that the applicant meets and shall comply with requirements described in subparagraph (C); and (E) the applicant is in good standing in all States in which the applicant holds or has helda license.”

Under the updated law, a letter or any written communication from the servicemember’s commanding officer indicating a change in the servicemember’s duty status satisfies the requirement for proof of military orders (including orders for separation or retirement).

The new portability rules expedite the ability of health care and other organizations wishing to hire relocating service members or their spouses to clear health care or other licensing requirements.

If you have questions about this or other health care concerns, contact the author.

More Information

About the Author

Along with her decades of legal and strategic consulting experience, Ms. Stamer also contributes her leadership and experience to many professional, civic and community organizations. She currently serves as Co-Chair of the ABA Real Property Trusts and Estates (“RPTE”) Section Welfare Plan Committee, Co-Chair of the ABA International Section International Employment Law Committee and its Annual Meeting Program Planning Committee, Chair Emeritus and Vice Chair of the ABA Tort Trial and Insurance (“TIPS”) Section Medicine and Law Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee. She also has served as Scribe for the Joint Committee on Employee Benefits (“JCEB”) annual agency meetings with the Department of Health and Human Services and JCEB Council Representative, International Section Life Sciences Committee Chair, RPTE Section Employee Benefits Group Chair and a Substantive Groups Committee Member, Health Law Section Managed Care & Insurance Interest Group Chair, as TIPS Section Medicine and Law Committee Chair and Employee Benefits Committee and Workers Compensation Committee Vice Chair, Tax Section Fringe Benefit Committee Chair, and in various other ABA leadership capacities. Ms. Stamer also is a former Southwest Benefits Association Board Member and Continuing Education Chair, SHRM National Consultant Board Chair and Region IV Chair, Dallas Bar Association Employee Benefits Committee Chair, former Texas Association of Business State, Regional and Dallas Chapter Chair, a founding board member and Past President of the Alliance for Healthcare Excellence, as well as in the leadership of many other professional, civic and community organizations. She also is recognized for her contributions to strengthening health care policy and charitable and community service resolving health care challenges performed under PROJECT COPE Coalition For Patient Empowerment initiative and many other pro bono service involvements locally, nationally and internationally.

Ms. Stamer is the author of many highly regarded works published by leading professional and business publishers, the ABA, the American Health Lawyers Association, and others. Ms. Stamer also frequently speaks and serves on the faculty and steering committee for many ABA and other professional and industry conferences and conducts leadership and industry training for a wide range of organizations.

About Solutions Law Press™

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or admission. Solutions Law Press and its authors reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. Solutions Law Press and its authors disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Comments Off on SCRA Portability Rule Requires State Recognition Of Relocating Service Members & Spouses Licenses & Certifications | Corporate Compliance, Employment, health insurance, Hiring, HR, Human Resources, Insurance, insurers, Job, Licensing, Licensing Agreement, Management, Managment, Military, Military Leave, SCRA | Permalink
Posted by Cynthia Marcotte Stamer

Confirm 2025 Required Defined Contribution & 403(b) Plan Amendments Timely Adopted

December 18, 2025

Defined contribution savings plans and 403(b) annuity plan sponsors, fiduciaries and vendors should use the “2025 Required Amendments List for Qualified and Section 403(b) Plans” to verify their programs are timely updated with all required amendments to avoid tax disqualification exposures.

Notice 2025-60 contains the Internal Revenue Service (“IRS”) 2025 Required Amendments List (“2025 RA List”) for individually designed plans qualified under section 401(a) of the Internal Revenue Code and individually designed plans that satisfy the requirements of section 403(b). The 2025 RA List also applies to pre-approved plans with respect to interim amendments.

Notice 2025-60 will be in IRB: 2025-52, dated: December 22, 2025.

If you have questions or need additional ion information or assistance, contact the author of this update, Cynthia Marcotte Stamer,

About the Author

Along with her decades of legal and strategic consulting experience, Ms. Stamer also contributes her leadership and experience to many professional, civic and community organizations. She currently serves as Co-Chair of the ABA Real Property Trusts and Estates (“RPTE”) Section Welfare Plan Committee, Co-Chair of the ABA International Section International Employment Law Committee and its Annual Meeting Program Planning Committee, Chair Emeritus and Vice Chair of the ABA Tort Trial and Insurance (“TIPS”) Section Medicine and Law Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee. She also has served as Scribe for the Joint Committee on Employee Benefits (“JCEB”) annual agency meetings with the Department of Health and Human Services and JCEB Council Representative, International Section Life Sciences Committee Chair, RPTE Section Employee Benefits Group Chair and a Substantive Groups Committee Member, Health Law Section Managed Care & Insurance Interest Group Chair, as TIPS Section Medicine and Law Committee Chair and Employee Benefits Committee and Workers Compensation Committee Vice Chair, Tax Section Fringe Benefit Committee Chair, and in various other ABA leadership capacities. Ms. Stamer also is a former Southwest Benefits Association Board Member and Continuing Education Chair, SHRM National Consultant Board Chair and Region IV Chair, Dallas Bar Association Employee Benefits Committee Chair, former Texas Association of Business State, Regional and Dallas Chapter Chair, a founding board member and Past President of the Alliance for Healthcare Excellence, as well as in the leadership of many other professional, civic and community organizations. She also is recognized for her contributions to strengthening health care policy and charitable and community service resolving health care challenges performed under PROJECT COPE Coalition For Patient Empowerment initiative and many other pro bono service involvements locally, nationally and internationally.

Ms. Stamer is the author of many highly regarded works published by leading professional and business publishers, the ABA, the American Health Lawyers Association, and others. Ms. Stamer also frequently speaks and serves on the faculty and steering committee for many ABA and other professional and industry conferences and conducts leadership and industry training for a wide range of organizations.

About Solutions Law Press™

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or admission. Solutions Law Press and its authors reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. Solutions Law Press and its authors disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Comments Off on Confirm 2025 Required Defined Contribution & 403(b) Plan Amendments Timely Adopted | 401(k), Corporate Compliance, defined contribution plan, Defined Contribution Plans, Employee Benefits, Employers, enforcement, ERISA, Internal Revenue Code, Retirement Plans, Retirements | Permalink
Posted by Cynthia Marcotte Stamer

Diabetes Costs Remain Key Health Cost Driver

December 10, 2025

Diabetes treatment costs remain a leading health plan and health care cost driver.

Approximately one in four U.S. health care dollars (about 25%) is spent on people with diagnosed diabetes. Of this amount, about 61% of the costs are directly attributable to diabetes itself, with the remainder being general medical costs.

For 2021–2022, treating diabetes among U.S. adults cost an estimated $153.2 billion each year. The average cost per person receiving care was $5,810 per year, with prescription medicines accounting for more than 80 percent of the total.

A recent statistical brief based on data from AHRQ’s Medical Expenditure Panel Survey (MEPS) highlights these costs and how the prevalence of treated diabetes varies by age, income, insurance coverage, and type of care. The report also breaks down spending by service and payment source, offering a closer look at the financial impact of diabetes treatment.

Comments Off on Diabetes Costs Remain Key Health Cost Driver | Corporate Compliance | Permalink
Posted by Cynthia Marcotte Stamer

Verify ERISA Bonding Compliance

November 25, 2025

Health, retirement and other employee benefit plan fiduciaries, sponsors and service providers should confirm and document that all plan fiduciaries, service providers and other plan workforce members are properly bonded to protect the plan against fraud and dishonesty, as well as avoid incurring liability for breaching the fiduciary responsibility requirements of the Employee Retirement Income Security Act of 1974 (“ERISA”).

ERISA Requires Fidelity Bonding

ERISA imposes fidelity bonding requirements under ERISA §412 and 29 C.F.R. Part 2580 to protect plan assets against loss due to fraud or dishonesty. ERISA §412(a) requires that every fiduciary of an employee benefit plan and every person who ‘handles funds or other property’ of the plan must be bonded against loss resulting from fraud or dishonesty. The Department of Labor (“DOL”) regulations at 29 C.F.R. §2580.412‑6 define handling of funds to include physical contact, power to transfer, ability to sign checks, or supervisory authority over those who handle plan assets.

As ERISA’s bonding requirements are part of ERISA’s fiduciary responsibilities, failure to maintain bonding required by ERISA §412 constitutes a fiduciary breach under ERISA §404(a)(1)(A)-(B), which exposes fiduciaries breaching these obligations to DOL civil penalties, personal liability for losses arising from non‑compliance, and other liabilities.

Who Must Be Bonded

ERISA’s fidelity bonding requirement applies to two categories of persons:

Plan fiduciaries, and

Non‑fiduciaries who ‘handle’ plan funds within the meaning of 29 C.F.R. §2580.412‑6.

For purposes of determining the individuals and entities subject to ERISA’s bonding requirement, keep in mind that ERISA functionally defines a “fiduciary” as including any person that:

Exercises any discretionary authority or discretionary control respecting management of the plan or the management or disposition of its assets,
Renders investment advice for a fee or other compensation, direct or indirect, with respect to any moneys or other property of such plan, or has any authority or responsibility to do so, or
Has any discretionary authority or discretionary responsibility in the administration of such plan. See ERISA Section 3(21).

Consequently, if an individual or entity functionally possesses or exercises authority or responsibility over the plan or its assets, it is a fiduciary subject to the bonding and other fiduciary requirements of ERISA regardless of whether that party is a named fiduciary or disclaims fiduciary status in an agreement.

Likewise, the ERISA bonding requirement for parties that handle funds also is based on the functional realities. Under DOL Regulations, a person is deemed to handle plan assets if their role creates a risk of loss due to fraud or dishonesty. Examples include:

Physical possession of cash, checks, or assets.
Power to transfer assets or negotiate instruments.
Authority to sign checks or initiate electronic fund transfers.
Supervisory authority over individuals who handle assets.

Non‑fiduciary service providers and other members of the plan workforce who do not handle plan funds are not subject to ERISA §412. For instance, DOL Field Assistance Bulletin 2008‑04 states that third‑party administrators that do not control or possess plan assets and cannot authorize disbursements are not required to be bonded. Similarly, other nonfiduciary contractors providing legal, actuarial, consulting, claims‑processing, or IT services fall outside the bonding requirement unless they have direct authority over plan assets. See also 29 C.F.R. §2509.75‑8 without discretionary authority over plan assets generally does not ‘handle’ funds and therefore are not subject to ERISA §412 bonding unless they otherwise are named or function as fiduciaries.

When applying these distinctions for purposes of ERISA’s bonding rules, plan fiduciaries and service providers should look beyond contractual characterizations of the character and nature of the service provider and based their decision regarding whether to require and acquire a bond based on the functional realities. While non‑fiduciary service providers are only required to be bonded if they handle plan funds as defined by ERISA §412 and the DOL regulations, functionally evaluated, certain non‑fiduciary service providers sometimes become subject to bonding if their activities constitute functional “handling” of plan funds. For example:

A payroll vendor that transmits employee contributions is handling assets.
A recordkeeper with authority to initiate distributions must be bonded.

Conversely, a TPA adjudicating claims but without power to pay benefits is not required to be bonded. service providers and others granted functional authority that exposes plan assets to risk of loss are required to be bonded as individuals that handle funds.

When evaluating whether a service provider or other party “handles funds” for purposes of assessing the applicability of the ERISA bonding requirement in investigations or audits, the DOL usually asks if the party or its employees have:

Physical possession of Plan assets?
The power to obtain physical possession of plan assets?
The power to transfer assets?
The authority to disburse Plan funds directly or indirectly?
The authority to endorse checks?
The authority to make investments?

The DOL Enforcement Manual indicates that “handling” of Plan funds is indicated and bonding is required for each individual or party that (a) has any of these authorities or (b) if the assets are held by a corporate trustee, for any service provider or other party that can direct the payment of benefits or direct the investments to be made by the corporate trustee.

Bond Amount and Coverage Requirements

Where ERISA requires a fidelity bond, ERISA §412(a) and 29 C.F.R. §2580.412‑11 require that the fidelity bond must be at least 10% of the amount of plan funds handled by the individual in the preceding plan year, with a minimum of $1,000 and a default maximum of $500,000 per plan (or $1,000,000 for plans holding employer securities under §412(g)).

An ERISA fidelity bond is a specific type of insurance that protects the plan against losses caused by acts of fraud or dishonesty. The fidelity bond required under ERISA specifically insures a plan against losses due to fraud or dishonesty (e.g., theft) by persons who handle plan funds or property. Fraud or dishonesty includes, but is not limited to, larceny, theft, embezzlement, forgery, misappropriation, wrongful abstraction, wrongful conversion, willful misapplication, and other acts. Deductibles or other similar features are prohibited for coverage of losses within the maximum amount for which the person causing the loss is required to be bonded. While obtaining fiduciary liability insurance also generally is recommended, the bonding requirement is not satisfied by the purchase of fiduciary liability.

The fidelity bond purchased must fulfill the specific requirements of ERISA. For instance, the bond should be issued by a bonding company listed in Treasury Circular 570 and must cover the Plan for loss due to fraud or dishonesty as defined in 29 C.F.R. §2580.412‑9. Fiduciaries should confirm the bond provides for payment to the Plan in the event of loss, name the Plan as an “insured” and have the pay over rider attached unless the Plan is the sole insured under the bond. The definition of employee in the bond must cover all persons who “handle” funds including officers, directors, trustees, employees and the other parties required to be covered by the bond. If the bond contains a deductible, an elimination of deductible rider with the respect to the plan also is needed. Since bonds purchased by third party administrators, financial advisors or other plan service providers to meet state law or professional standards generally do not fulfill these and other ERISA requirements, plans generally should require specific contractual assurances to comply with the ERISA bonding requirements and should obtain and confirm the adequacy of the bonds for service providers and others subject to ERISA bonding requirements.

Liability For ERISA Bonding Violations

Failure to secure a fidelity bond under ERISA can lead to significant legal and financial consequences. Plan sponsors and fiduciaries are required by ERISA to obtain a fidelity bond to protect employee benefit plans from losses due to fraud or dishonesty. Noncompliance can lead to a range of consequences, including auditors’ admonitions, court mandates for removal as plan fiduciaries, plan fiduciary personally liability for losses that should have been covered by a fidelity bond, and EBSA administrative penalties for breach of fiduciary duty. See DOL’s Protect Your Employee Benefit Plan With A Fidelity Bond; Getting It Right: Know Your Fiduciary Responsibilities.

Managing Bonding And Bonding Risks

To avoid violating the bonding requirements, fiduciaries and service providers should both review service agreements and the functional realities to confirm whether any party “handles” funds and to ensure compliance with ERISA bonding requirements.

Service providers that engage in the performance of activities that involve or are likely to be recharacterized as involving the exercise of discretion or the handling of funds should give serious consideration to arranging to maintain a fidelity bond that meets ERISA’s requirement, whether or not the service provider acknowledges or disclaims its status as a fiduciary or handler of plan funds.

Since noncompliance with the bonding requirement is a breach of the fiduciary responsibility requirements of ERISA that could render the fiduciary personally liable for unbonded losses, plan fiduciaries generally should conduct and retain a documented analysis capturing their consideration of whether they and other fiduciaries, service providers, and other members of the plan workforce ar required to be bonded and if so, the actions taken to require and monitor compliance with applicable bonding requirements. Examples of best practices include:

Include bonding requirements in plan documents and contracts;
Conduct and maintain a documented assessment of the applicability of the bonding requirements when appointing or renewing the appointment of a fiduciary, third party service provider or workforce member to participate in the management or operations of the plan or its assets; and
Obtain and review bonds obtained to cover fiduciaries and service providers to verify their currency and adequacy;

When the factual realities raise the possibility that an individual or a party might possess or exercise fiduciary discretion or handle funds, fiduciaries generally will want to err in favor of requiring bonding to protect the plan and to protect themselves against the personal liability that can arise under ERISA Section 502(l) for violation of the bonding requirements, unbonded plan losses arising from fraud or loss by the service provider or both.

About the Author

Along with her decades of legal and strategic consulting experience, Ms. Stamer also contributes her leadership and experience to many professional, civic and community organizations. She currently serves as Co-Chair of the ABA Real Property Trusts and Estates (“RPTE”) Section Welfare Plan Committee, Co-Chair of the ABA International Section International Employment Law Committee and its Annual Meeting Program Planning Committee, Chair Emeritus and Vice Chair of the ABA Tort Trial and Insurance (“TIPS”) Section Medicine and Law Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee. She also has served as Scribe for the Joint Committee on Employee Benefits (“JCEB”) annual agency meetings with the Department of Health and Human Services and JCEB Council Representative, International Section Life Sciences Committee Chair, RPTE Section Employee Benefits Group Chair and a Substantive Groups Committee Member, Health Law Section Managed Care & Insurance Interest Group Chair, as TIPS Section Medicine and Law Committee Chair and Employee Benefits Committee and Workers Compensation Committee Vice Chair, Tax Section Fringe Benefit Committee Chair, and in various other ABA leadership capacities. Ms. Stamer also is a former Southwest Benefits Association Board Member and Continuing Education Chair, SHRM National Consultant Board Chair and Region IV Chair, Dallas Bar Association Employee Benefits Committee Chair, former Texas Association of Business State, Regional and Dallas Chapter Chair, a founding board member and Past President of the Alliance for Healthcare Excellence, as well as in the leadership of many other professional, civic and community organizations. She also is recognized for her contributions to strengthening health care policy and charitable and community service resolving health care challenges performed under PROJECT COPE Coalition For Patient Empowerment initiative and many other pro bono service involvements locally, nationally and internationally.

Ms. Stamer is the author of many highly regarded works published by leading professional and business publishers, the ABA, the American Health Lawyers Association, and others. Ms. Stamer also frequently speaks and serves on the faculty and steering committee for many ABA and other professional and industry conferences and conducts leadership and industry training for a wide range of organizations.

About Solutions Law Press™

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or admission. Solutions Law Press and its authors reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. Solutions Law Press and its authors disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Comments Off on Verify ERISA Bonding Compliance | 401(k), Corporate Compliance, ERISA, Fiduciary Responsibility, group health plan, health plan, Health Plans, retirement plan, Retirement Plans, Retirements, self insured health plan | Tagged: business, Finance, investing, personal-finance, retirement-planning | Permalink
Posted by Cynthia Marcotte Stamer

New PBGC Director Sworn In

November 9, 2025

Janet Dhillon was sworn in as the 17th director of the Pension Benefit Guaranty Corporation (“PBGC”) on November 3, 2025.

Dhillon succeeds Gordon Hartogensis, who served as director from May 2019 to April 2024.

Dhillon previously served as acting assistant secretary and principal deputy assistant secretary of the Department of Labor’s Employee Benefits Security Administration (“EBSA”).

From May 2019 to November 2022, Dhillon was a commissioner on the U.S. Equal Employment Opportunity Commission (“EEOC”) and served as its chair from May 2019 to January 2021.

Outside of government, Dhillon served as the general counsel of several Fortune 500 companies, including US Airways Group, Inc., JC Penney Company, Inc., Burlington Stores, Inc. and Dollar Tree, Inc. She began her legal career at the law firm of Skadden, Arps, Slate, Meagher & Flom LLP.

Dhillon earned her Juris Doctor from UCLA School of Law and a Bachelor of Arts from Occidental College in Los Angeles.

PBGC administers two insurance programs designed to safeguard pension plan participants in distressed plans: (1) The Single-Employer Program is financed by insurance premiums, investment income, and assets and recoveries from failed single-employer plans. (2) The Multiemployer Program that insures private sector union pension plans is financed by insurance premiums and investment income. Special financial assistance for financially troubled multiemployer plans is financed by general taxpayer monies.

The overall funded status of multi employer pension plans has improved substantially in recent years, primarily due to the Special Financial Assistance (SFA) program under the American Rescue Plan Act of 2021 (ARPA).

The aggregate funded percentage for all multiemployer plans was an estimated 100% as of mid-2025, up from 97% at the end of 2024.

Without the SFA program, the aggregate funded percentage would be closer to 91%. As of June 30, 2025, 122 plans had received nearly $73 billion in SFA, which has prevented many from becoming insolvent.The financial outlook for the Pension Benefit Guaranty Corporation’s (PBGC) multiemployer program, which was previously projected to run out of money, has stabilized, with a projected solvency date beyond 2063.

While private sector pension fund is stabilizing, funding concerns remain about many public sector pension plans.

The “vast majority” of public plans are considered fragile (funded ratio of 60% to 90%) or distressed (funded ratio below 60%).

Unfunded liabilities for state and local plans have remained above $1 trillion since the 2008 Financial Crisis, standing at an estimated $1.2 trillion in 2025.

As of late 2025 data, states with the most distressed plans (lowest funded ratios) include Illinois, New Jersey, Kentucky, and Mississippi.

About the Author

Cynthia Marcotte Stamer is a Martindale-Hubble AV-Preeminent (highest/top 1%) practicing attorney recognized as a “Top Woman Lawyer,” “Top Rated Lawyer,” and “LEGAL LEADER™” in Health Care Law and Labor and Employment Law; among the “Best Lawyers In Dallas” in “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law recognized for her experience, scholarship, thought leadership and advocacy on HIPAA and other data and technology use, security and compliance in connection with her work with health care and life sciences, employee benefits, insurance, education, technology and other highly regulated and performance-dependent clients.

Board certified in labor and employment law by the Texas Board of Legal Specialization and a Fellow in the American College of Employee Benefits Counsel, Ms. Stamer is nationally recognized for her decades of leading edge experience on the design, sponsorship, administration and defense of health and other employee benefit, workforce, data and technology and other operations to promote legal and operational compliance, reduce regulatory and other liability and promote other operational goals.

Along with her decades of legal and strategic consulting experience, Ms. Stamer also contributes her leadership and experience to many professional, civic and community organizations. She currently serves as Co-Chair of the ABA Real Property Trusts and Estates (“RPTE”) Section Welfare Plan Committee, Co-Chair of the ABA International Section International Employment Law Committee and its Annual Meeting Program Planning Committee, Chair Emeritus and Vice Chair of the ABA Tort Trial and Insurance (“TIPS”) Section Medicine and Law Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee. She also has served as Scribe for the Joint Committee on Employee Benefits (“JCEB”) annual agency meetings with the Department of Health and Human Services and JCEB Council Representative, International Section Life Sciences Committee Chair, RPTE Section Employee Benefits Group Chair and a Substantive Groups Committee Member, Health Law Section Managed Care & Insurance Interest Group Chair, as TIPS Section Medicine and Law Committee Chair and Employee Benefits Committee and Workers Compensation Committee Vice Chair, Tax Section Fringe Benefit Committee Chair, and in various other ABA leadership capacities. Ms. Stamer also is a former Southwest Benefits Association Board Member and Continuing Education Chair, SHRM National Consultant Board Chair and Region IV Chair, Dallas Bar Association Employee Benefits Committee Chair, former Texas Association of Business State, Regional and Dallas Chapter Chair, a founding board member and Past President of the Alliance for Healthcare Excellence, as well as in the leadership of many other professional, civic and community organizations. She also is recognized for her contributions to strengthening health care policy and charitable and community service resolving health care challenges performed under PROJECT COPE Coalition For Patient Empowerment initiative and many other pro bono service involvements locally, nationally and internationally.

Ms. Stamer is the author of many highly regarded works published by leading professional and business publishers, the ABA, the American Health Lawyers Association, and others. Ms. Stamer also frequently speaks and serves on the faculty and steering committee for many ABA and other professional and industry conferences and conducts leadership and industry training for a wide range of organizations.

About Solutions Law Press™

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or admission. Solutions Law Press and its authors reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. Solutions Law Press and its authors disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Comments Off on New PBGC Director Sworn In | Corporate Compliance | Permalink
Posted by Cynthia Marcotte Stamer

Make Plan Terms For Determining Beneficiaries Clear

November 4, 2025

A recent Northern District of Texas ruling reminds life insurance and other benefit plan sponsors, fiduciaries, administrators and insurers of the benefits of including clear, unambiguous beneficiary designations in their plan documents.

The District Court in Metropolitan Life Insurance Co. v. Wallace granted a domestic partner and common-law wife’s summary judgment for ERISA plan life insurance proceeds in an interpleader action brought against the plan.

The action arose after the insured died without designating a beneficiary.

Ambiguous beneficiary designation provisions can expose plans and their fiduciaries to significant cost or expense where the plan doesn’t contain clear rules. In this case, the plan document has clear provisions for determining the beneficiary.

The Court found the plan terms mandated that the plan distribute benefits to a spouse or domestic partner before the deceased’s parents. Accordingly, distribution to the common law spouse or domestic partner was upheld.

For More Information

We hope this update is helpful. For more information about these or other health or other employee benefits, human resources, or health care developments, please contact the author, Cynthia Marcotte Stamer, via e-mail or telephone at (214) 452-8297.

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating in and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About Solutions Law Press™

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or admission. Solutions Law Press and its authors reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. Solutions Law Press and its authors disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Comments Off on Make Plan Terms For Determining Beneficiaries Clear | Corporate Compliance | Permalink
Posted by Cynthia Marcotte Stamer

Roth Catch-up Contribution Rules Amended For SECURE 2.0 Act of 2022

September 22, 2025

The Department of Treasury and the IRS issued final regulations amending the Roth catch-up contribution regulations under IRC Sections 401(k), 403(b), and 414(v). The regulations provide guidance for retirement plans that permit participants who have attained age 50 to make additional elective deferrals that are catch-up contributions. The regulations reflect statutory changes made by the SECURE 2.0 Act of 2022, including the requirement that catch-up contributions made by certain catch-up eligible participants must be designated Roth contributions.

These final regulations generally apply with respect to contributions in taxable years beginning after December 31, 2026. However, the preamble and Applicability Dates section provide additional details regarding applicability dates.

About the Author

Cynthia Marcotte Stamer is a Martindale-Hubble AV-Preeminent (highest/top 1%) practicing attorney recognized as a “Top Woman Lawyer,” “Top Rated Lawyer,” and “LEGAL LEADER™” in Health Care Law and Labor and Employment Law; among the “Best Lawyers In Dallas” in “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law recognized for her experience, scholarship, thought leadership and advocacy on HIPAA and other data and technology use, security and compliance in connection with her work with health care and life sciences, employee benefits, insurance, education, technology and other highly regulated and performance-dependent clients.

Board certified in labor and employment law by the Texas Board of Legal Specialization and a Fellow in the American College of Employee Benefits Counsel, Ms. Stamer is nationally recognized for her decades of leading edge experience on the design, sponsorship, administration and defense of health and other employee benefit, workforce, data and technology and other operations to promote legal and operational compliance, reduce regulatory and other liability and promote other operational goals.

Along with her decades of legal and strategic consulting experience, Ms. Stamer also contributes her leadership and experience to many professional, civic and community organizations. She currently serves as Co-Chair of the ABA Real Property Trusts and Estates (“RPTE”) Section Welfare Plan Committee, Co-Chair of the ABA International Section International Employment Law Committee and its Annual Meeting Program Planning Committee, Chair Emeritus and Vice Chair of the ABA Tort Trial and Insurance (“TIPS”) Section Medicine and Law Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee. She also has served as Scribe for the Joint Committee on Employee Benefits (“JCEB”) annual agency meetings with the Department of Health and Human Services and JCEB Council Representative, International Section Life Sciences Committee Chair, RPTE Section Employee Benefits Group Chair and a Substantive Groups Committee Member, Health Law Section Managed Care & Insurance Interest Group Chair, as TIPS Section Medicine and Law Committee Chair and Employee Benefits Committee and Workers Compensation Committee Vice Chair, Tax Section Fringe Benefit Committee Chair, and in various other ABA leadership capacities. Ms. Stamer also is a former Southwest Benefits Association Board Member and Continuing Education Chair, SHRM National Consultant Board Chair and Region IV Chair, Dallas Bar Association Employee Benefits Committee Chair, former Texas Association of Business State, Regional and Dallas Chapter Chair, a founding board member and Past President of the Alliance for Healthcare Excellence, as well as in the leadership of many other professional, civic and community organizations. She also is recognized for her contributions to strengthening health care policy and charitable and community service resolving health care challenges performed under PROJECT COPE Coalition For Patient Empowerment initiative and many other pro bono service involvements locally, nationally and internationally.

Ms. Stamer is the author of many highly regarded works published by leading professional and business publishers, the ABA, the American Health Lawyers Association, and others. Ms. Stamer also frequently speaks and serves on the faculty and steering committee for many ABA and other professional and industry conferences and conducts leadership and industry training for a wide range of organizations.

About Solutions Law Press™

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or admission. Solutions Law Press and its authors reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. Solutions Law Press and its authors disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Comments Off on Roth Catch-up Contribution Rules Amended For SECURE 2.0 Act of 2022 | Corporate Compliance | Tagged: Employee Benefits, Roth | Permalink
Posted by Cynthia Marcotte Stamer

Stamer Conducting Cybersecurity Jedi Skills Training At ISSA Security Summit 2025 CISO Forum On 9/17

July 24, 2025

The Information Systems Security Association (“ISSA”) – Los Angeles Chapter (“ISSA-LA”) recently confirmed that Solutions Law Press publisher and author Cynthia Marcotte Stamer will conduct “Cybersecurity Jedi Skills Training” at the 2025 Annual Security Summit 2025 ISSA-LA is hosting on September 17-18, 2025, at the Annenberg Beach House in Santa Monica, California.

Under constant threat from potentially draconian operational, financial and legal mayhem from cybercriminals’ ransomware and other cyberattacks, organizations, investors, breach victims, business partners, and federal and state regulators increasingly expect cybersecurity and other IT leaders to defend their organization’s proprietary knowledge, workforce, finance, and other mission critical data and systems cyberthreats from dark web with the skill of Jedi knights. While even the most skilled cyberwarriors can’t render their data and operating systems impenetrable against these attacks, cybersecurity professionals and their organizations should engage in constant training and preparation to protect themselves and their organizations from the fallout that commonly follows from a data or systems breach or failure.

The September 17, 2025, “Cybersecurity Jedi Skills Training” workshop that Ms. Stamer will conduct is designed to help CISOs, Directors of Information Security and other leaders strengthen their cybersecurity prevention and response strategies for enhanced defensibility. Drawing from her decades of experience advising and defending data-reliant organizations and their leaders, her workshop will:

Arm cybersecurity leaders with knowledge about how data, systems, and technology can either promote or undermine legal defensibility, and share basic principles and strategies for designing and using technology and data to advance legal goals and defensibility.
Empower cybersecurity defenders with insights into key cybersecurity, privacy, electronic data, and technology-related traps that impact defense and response strategies.
Highlight how cyber events and violations of computer, securities, antitrust, and other laws can expose organizations and their leaders to criminal, civil, and administrative liability.
Reveal key evidentiary practices and processes to use during compliance, contracting, audits, investigations, governance, incident management, and response, as well as when dealing with government or other investigations, to promote and strengthen defensibility and mitigate risks.

Ms. Stamer has developed the training from her decades of experience helping highly regulated and other performance and data-sensitive organizations and their leaders use the law, process, technology and other legal, risk management and operational tools to promote defensibility, mitigate risk, enhance operational effectiveness, and manage change and uncertainty. The founding and Managing Member of the Cynthia Marcotte Stamer, P.C. law firm, Ms. Stamer has used her extensive legal and operational knowledge to provide practical, client-centric advice, tools and solutions to help a diverse array of U.S. and multinational business, government, and community organizations, to design, manage and defend their people; compensation and benefits; technology, data privacy and security; regulatory compliance; and other operations-critical risks and performances for more than 35 years. She is best known for her work with employer and other workforce, health, employee benefits, insurance, data and technology, financial and government organizations, and their technology and other developers and vendors, all of which bear significant data privacy and security obligations.

Longtime Scribe leading the American Bar Association (“ABA”) JCEB Annual Agency Meeting with the HHS Office of Civil Rights; incoming Intellectual Property Section Information Technology Committee Vice Chair, and a widely published author, speaker and thought leader on cybersecurity and other data and technology use, privacy and protection, Ms. Stamer’s process-oriented work throughout her career continuously has included helping clients use and defend their data and technology practices, investigating and responding to data and technology breaches, events, threats and regulations; and dealing with insurers, federal and state legislators, regulators and investigators on cybersecurity and other data and technology concerns. Her cutting-edge work, scholarship and thought leadership, advocacy and community service have earned her recognition as a “Top Woman Lawyer;” “Top Rated Lawyer,” and “LEGAL LEADER™” in Health Care Law and Labor and Employment Law; “Best Lawyer” in “Labor and employment,” “Tax: ERISA & Employee Benefits,” “Health Care,” and “Business and Commercial Law.” For additional information about Ms. Stamer or her services, see here or contact Ms. Stamer directly.

Ms. Stamer’s “Cybersecurity Jedi Skills Training” is part of two days of professional training and networking that ISSA-LA is presenting at its Annual Security Summit 2025. Founded in 1982 by Sandra Lambert and Nancy King, ISSA-LA is the premier catalyst and community resource in Southern California for improving the practice of information security. A 501(c)(3) organization and the founding Chapter of the ISSA®, ISSA-LA provides various training classes and lectures for information Security and IT professionals throughout the year and at the annual Summit. ISSA-LA meets monthly for dinner and regularly collaborates with other IT and Cybersecurity organizations, having joint meetings and social events with the Women’s Society of Cyberjutsu, the Cloud Security Alliance, and the Association of IT Professionals, to name a few. To register, review the schedule, information about sponsorship, or other details about the Annual Security Summit 2025 or ISSA-LA, see here.

For More Information

About Solutions Law Press™

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or admission. Solutions Law Press and its authors reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. Solutions Law Press and its authors disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Comments Off on Stamer Conducting Cybersecurity Jedi Skills Training At ISSA Security Summit 2025 CISO Forum On 9/17 | Corporate Compliance | Tagged: AI, Cyber Security, Cybersecurity, Security, Technology | Permalink
Posted by Cynthia Marcotte Stamer

Delta Pays $8 Million Plus For Misuse Of COVID Payroll Support Funds

July 15, 2025

Employers that collected payments under the COVID-era Department of the Treasury Payroll Support Program (“PSP”) should heed the $8,100,000 Delta Airlines is paying as a reminder to ensure their own compliance with any COVID-19 relief programs.

The Justice Department announced today that Delta Air Lines Inc., headquartered in Atlanta, Georgia, has agreed to pay to resolve allegations that it violated the False Claims Act by awarding compensation to certain corporate officers and employees that exceeded the compensation limits Delta agreed to as part of its participation in the PSP program.

The settlement is an example of some of the aggressive audit and enforcement activities the federal government is now pursuing against recipient of COVID relief funds. recipients of such funds should verify that they can demonstrate compliance with all requirements of the program recipients who discover compliance deficiencies, should seek the advice of experienced counsel to assist in seeking a voluntary resolution for any compliance deficiencies to minimize exposures.

For More Information Or Help

About the Author

Cynthia Marcotte Stamer is a Martindale-Hubble AV-Preeminent (highest/top 1%) practicing attorney recognized as a “Top Woman Lawyer,” “Top Rated Lawyer,” and “LEGAL LEADER™” in Health Care Law and Labor and Employment Law; among the “Best Lawyers In Dallas” in “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law recognized for her experience, scholarship, thought leadership and advocacy on HIPAA and other data and technology use, security and compliance in connection with her work with health care and life sciences, employee benefits, insurance, education, technology and other highly regulated and performance-dependent clients.

Board certified in labor and employment law by the Texas Board of Legal Specialization and a Fellow in the American College of Employee Benefits Counsel, Ms. Stamer is nationally recognized for her decades of leading edge experience on the design, sponsorship, administration and defense of health and other employee benefit, workforce, data and technology and other operations to promote legal and operational compliance, reduce regulatory and other liability and promote other operational goals.

Along with her decades of legal and strategic consulting experience, Ms. Stamer also contributes her leadership and experience to many professional, civic and community organizations. She currently serves as Co-Chair of the ABA Real Property Trusts and Estates (“RPTE”) Section Welfare Plan Committee, Co-Chair of the ABA International Section International Employment Law Committee and its Annual Meeting Program Planning Committee, Chair Emeritus and Vice Chair of the ABA Tort Trial and Insurance (“TIPS”) Section Medicine and Law Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee. She also has served as Scribe for the Joint Committee on Employee Benefits (“JCEB”) annual agency meetings with the Department of Health and Human Services and JCEB Council Representative, International Section Life Sciences Committee Chair, RPTE Section Employee Benefits Group Chair and a Substantive Groups Committee Member, Health Law Section Managed Care & Insurance Interest Group Chair, as TIPS Section Medicine and Law Committee Chair and Employee Benefits Committee and Workers Compensation Committee Vice Chair, Tax Section Fringe Benefit Committee Chair, and in various other ABA leadership capacities. Ms. Stamer also is a former Southwest Benefits Association Board Member and Continuing Education Chair, SHRM National Consultant Board Chair and Region IV Chair, Dallas Bar Association Employee Benefits Committee Chair, former Texas Association of Business State, Regional and Dallas Chapter Chair, a founding board member and Past President of the Alliance for Healthcare Excellence, as well as in the leadership of many other professional, civic and community organizations. She also is recognized for her contributions to strengthening health care policy and charitable and community service resolving health care challenges performed under PROJECT COPE Coalition For Patient Empowerment initiative and many other pro bono service involvements locally, nationally and internationally.

Ms. Stamer is the author of many highly regarded works published by leading professional and business publishers, the ABA, the American Health Lawyers Association, and others. Ms. Stamer also frequently speaks and serves on the faculty and steering committee for many ABA and other professional and industry conferences and conducts leadership and industry training for a wide range of organizations.

About Solutions Law Press™

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or admission. Solutions Law Press and its authors reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. Solutions Law Press and its authors disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Comments Off on Delta Pays $8 Million Plus For Misuse Of COVID Payroll Support Funds | Corporate Compliance | Permalink
Posted by Cynthia Marcotte Stamer

DOJ Nails Employer For Discriminating In Favor Of Noncitizen Workers

July 15, 2025

The $250,000 a Mississippi employer is paying for discriminating in favor of non-citizen visa holders warns all US employers against discriminating against legally authorized workers based on national origin.

The settlement agreement with H2A Complete II Inc., that the Justice Department announced today reminds US employers not to discriminate among workers, legally authorized to work in the United States in employment practices based differences in the basis of their eligibility to work or national origin.

The settlement resolves charges that H2A Complete II Inc. violated the Immigration and Nationality Act (“INA”) by unfairly favor H-2A visa holders over U.S. workers for agricultural employment opportunities.

The second “Protecting U.S. Workers Initiative” settlement under the second Trump Administration, the settled demonstrates the Administration’s commitment to targeting, investigating, and bringing enforcement actions against employers that intentionally discriminate against U.S. workers due to a preference for temporary visa workers.

Under the settlement, the company will pay $25,000 in civil penalties to the United States, undergo training, revise its employment policies, and not include excessive experience requirements in job postings that are unlawfully aimed at excluding U.S. workers from employment opportunities.

The announcement of the settlement quotes Attorney General Pamela Bondi as stating, “This Department of Justice will continue to protect our country’s workers from unlawful discrimination in favor of foreign nationals.”

“DOJ’s Civil Rights Division is protecting American workers from unlawful discrimination by employers that prefer to hire foreign visa workers instead of U.S. workers,” said Assistant Attorney General Harmeet K. Dhillon of the Justice Department’s Civil Rights Division. “Protecting job opportunities for the American workforce is one of our top priorities.”

Although the Trump administration has made protecting US worker jobs, a priority, US employers should keep in mind that federal law, generally prohibits discrimination based on national origin or legal status to work, except where specifically provided by law. Accordingly, employers should be prepared to demonstrate that choices among applicants are made based on merit. employers should not apply a bias in favor of workers of a particular eligibility to work status, such as citizenship, or holding a particular type of visa, unless that status is specifically required by the applicable requirements of law for the position.

For More Information Or Help

About the Author

Cynthia Marcotte Stamer is a Martindale-Hubble AV-Preeminent (highest/top 1%) practicing attorney recognized as a “Top Woman Lawyer,” “Top Rated Lawyer,” and “LEGAL LEADER™” in Health Care Law and Labor and Employment Law; among the “Best Lawyers In Dallas” in “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law recognized for her experience, scholarship, thought leadership and advocacy on HIPAA and other data and technology use, security and compliance in connection with her work with health care and life sciences, employee benefits, insurance, education, technology and other highly regulated and performance-dependent clients.

Board certified in labor and employment law by the Texas Board of Legal Specialization and a Fellow in the American College of Employee Benefits Counsel, Ms. Stamer is nationally recognized for her decades of leading edge experience on the design, sponsorship, administration and defense of health and other employee benefit, workforce, data and technology and other operations to promote legal and operational compliance, reduce regulatory and other liability and promote other operational goals.

Along with her decades of legal and strategic consulting experience, Ms. Stamer also contributes her leadership and experience to many professional, civic and community organizations. She currently serves as Co-Chair of the ABA Real Property Trusts and Estates (“RPTE”) Section Welfare Plan Committee, Co-Chair of the ABA International Section International Employment Law Committee and its Annual Meeting Program Planning Committee, Chair Emeritus and Vice Chair of the ABA Tort Trial and Insurance (“TIPS”) Section Medicine and Law Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee. She also has served as Scribe for the Joint Committee on Employee Benefits (“JCEB”) annual agency meetings with the Department of Health and Human Services and JCEB Council Representative, International Section Life Sciences Committee Chair, RPTE Section Employee Benefits Group Chair and a Substantive Groups Committee Member, Health Law Section Managed Care & Insurance Interest Group Chair, as TIPS Section Medicine and Law Committee Chair and Employee Benefits Committee and Workers Compensation Committee Vice Chair, Tax Section Fringe Benefit Committee Chair, and in various other ABA leadership capacities. Ms. Stamer also is a former Southwest Benefits Association Board Member and Continuing Education Chair, SHRM National Consultant Board Chair and Region IV Chair, Dallas Bar Association Employee Benefits Committee Chair, former Texas Association of Business State, Regional and Dallas Chapter Chair, a founding board member and Past President of the Alliance for Healthcare Excellence, as well as in the leadership of many other professional, civic and community organizations. She also is recognized for her contributions to strengthening health care policy and charitable and community service resolving health care challenges performed under PROJECT COPE Coalition For Patient Empowerment initiative and many other pro bono service involvements locally, nationally and internationally.

Ms. Stamer is the author of many highly regarded works published by leading professional and business publishers, the ABA, the American Health Lawyers Association, and others. Ms. Stamer also frequently speaks and serves on the faculty and steering committee for many ABA and other professional and industry conferences and conducts leadership and industry training for a wide range of organizations.

About Solutions Law Press™

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or admission. Solutions Law Press and its authors reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. Solutions Law Press and its authors disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Comments Off on DOJ Nails Employer For Discriminating In Favor Of Noncitizen Workers | Corporate Compliance | Permalink
Posted by Cynthia Marcotte Stamer

DB Plan Mortality Tables Updated

July 15, 2025

The Internal Revenue Service (“IRS’) is updating the mortality tables used for defined benefit plans and determining minimum present values for annuity distributions.

Notice 2025-40 specifies updated static mortality tables to be used for defined benefit pension plans under § 430(h)(3)(A) of the Code and section 303(h)(3)(A) of ERISA. This notice also specifies a mortality table for use in determining minimum present value under § 417(e)(3) of the Code and section 205(g)(3) of ERISA for distributions with annuity starting dates that occur during stability periods beginning in the 2026 calendar year.

The Notice is scheduled for publication in IRB: 2025-31, dated July 28, 2025.

For More Information Or Help

About the Author

Cynthia Marcotte Stamer is a Martindale-Hubble AV-Preeminent (highest/top 1%) practicing attorney recognized as a “Top Woman Lawyer,” “Top Rated Lawyer,” and “LEGAL LEADER™” in Health Care Law and Labor and Employment Law; among the “Best Lawyers In Dallas” in “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law recognized for her experience, scholarship, thought leadership and advocacy on HIPAA and other data and technology use, security and compliance in connection with her work with health care and life sciences, employee benefits, insurance, education, technology and other highly regulated and performance-dependent clients.

Board certified in labor and employment law by the Texas Board of Legal Specialization and a Fellow in the American College of Employee Benefits Counsel, Ms. Stamer is nationally recognized for her decades of leading edge experience on the design, sponsorship, administration and defense of health and other employee benefit, workforce, data and technology and other operations to promote legal and operational compliance, reduce regulatory and other liability and promote other operational goals.

Along with her decades of legal and strategic consulting experience, Ms. Stamer also contributes her leadership and experience to many professional, civic and community organizations. She currently serves as Co-Chair of the ABA Real Property Trusts and Estates (“RPTE”) Section Welfare Plan Committee, Co-Chair of the ABA International Section International Employment Law Committee and its Annual Meeting Program Planning Committee, Chair Emeritus and Vice Chair of the ABA Tort Trial and Insurance (“TIPS”) Section Medicine and Law Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee. She also has served as Scribe for the Joint Committee on Employee Benefits (“JCEB”) annual agency meetings with the Department of Health and Human Services and JCEB Council Representative, International Section Life Sciences Committee Chair, RPTE Section Employee Benefits Group Chair and a Substantive Groups Committee Member, Health Law Section Managed Care & Insurance Interest Group Chair, as TIPS Section Medicine and Law Committee Chair and Employee Benefits Committee and Workers Compensation Committee Vice Chair, Tax Section Fringe Benefit Committee Chair, and in various other ABA leadership capacities. Ms. Stamer also is a former Southwest Benefits Association Board Member and Continuing Education Chair, SHRM National Consultant Board Chair and Region IV Chair, Dallas Bar Association Employee Benefits Committee Chair, former Texas Association of Business State, Regional and Dallas Chapter Chair, a founding board member and Past President of the Alliance for Healthcare Excellence, as well as in the leadership of many other professional, civic and community organizations. She also is recognized for her contributions to strengthening health care policy and charitable and community service resolving health care challenges performed under PROJECT COPE Coalition For Patient Empowerment initiative and many other pro bono service involvements locally, nationally and internationally.

Ms. Stamer is the author of many highly regarded works published by leading professional and business publishers, the ABA, the American Health Lawyers Association, and others. Ms. Stamer also frequently speaks and serves on the faculty and steering committee for many ABA and other professional and industry conferences and conducts leadership and industry training for a wide range of organizations.

About Solutions Law Press™

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or admission. Solutions Law Press and its authors reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. Solutions Law Press and its authors disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Comments Off on DB Plan Mortality Tables Updated | Corporate Compliance | Permalink
Posted by Cynthia Marcotte Stamer

Prepare For Marketplace Rule Change Fallout

June 26, 2025

A new Department of Health and Human Services Final Rule will tighten subsidy eligibility and implement other reforms for the the Heathcare Marketplace insurance plans created under the Patient Protection and (“ACA”). Health plan sponsors and providers should take into account the probable effect of enrollment and coverage pattern changes these changes will cause for groups of workers and other individuals currently relying on subsidies to maintain Marketplace coverage in their planning, budgeting and compliance.

The 2025 Marketplace Integrity and Affordability Final Rule (“Rule”) reverses Biden Administration rules that lowered requirements for individuals to receive subsidies to pay costs for purchasing health coverage and eased other requirements for Exchange coverage.

According to the now Trump Administration-led Centers for Medicare & Medicaid Services (“CMS”), improper ACA enrollments enabled by weakened verification processes and expanded premium subsidies triggered widespread fraud. Research shows that in 2024, an estimated 5 million people may have been improperly enrolled, costing taxpayers as much as $20 billion^[1].

To address these concerns, the new Rule:

Repealing the monthly special enrollment period (SEP) for individuals with projected household incomes at or below 150% of the federal poverty level, a policy used by some agents and brokers to improperly enroll ineligible consumers and perform unauthorized plan switching to gain commissions;
Requiring income verifications to ensure people qualify for the premium subsidies they receive;
Conducting eligibility verifications for the majority of enrollments through SEPs, closing loopholes that allowed people to wait to enroll until they needed care and improving the risk pool, which can lower premiums for middle-class families not receiving subsidies;
Reducing advanced payments of the premium tax credit (APTC) by $5 a month for individuals who are auto re-enrolled in fully-subsidized plans without eligibility verification, ensuring consumers are aware of and engaged in their health coverage; and
Standardizing the Annual Open Enrollment Period starting with the 2027 plan year so that it ends by December 31 for all health insurance exchanges, encouraging people to maintain year-round health coverage rather than waiting until they get sick to enroll, which helps keep insurance affordable for everyone.

CMS says many changes are “temporary” measures set to sunset at the end in 2026 to immediately tamp down on the outflow of funds to ensure that eligibility verification processes work efficiently and allow qualified enrollees to access ACA Exchange coverage without fear of coverage gaps or surprise tax liabilities resulting from the improper actions of third parties.

To ensure federal subsidies for coverage through ACA Exchanges only support the statutory requirements and goals of the ACA, CMS also is:

Prohibiting federal subsidies from being used to help cover the cost of specified sex-trait modification procedures to align an individual’s physical appearance or body with an asserted identity that differs from the individual’s sex; and
Reinstating HHS’ longstanding 2012 interpretation of “lawfully present” to exclude Deferred Action for Childhood Arrivals (DACA) recipients from eligibility and enrollment in ACA Exchange coverage and Basic Health Program (BHP) coverage in States that elect to operate a BHP, including APTC, premium tax credits, and cost-sharing reductions.

CMS says these reforms address “improper enrollments and the improper flow of federal funds implemented during the Biden Administration.

Group health plans, their employer and other sponsors should prepare for potential implications of these changes on their workforce and health plans. These are likely to vary among employers and plans. Possible effects could include:

An increase in the number of uninsured workers or dependents;
Effects on Affordable Care Act and other testing;
New inquiries and requests for special or other enrollment;
Potential new notification and enrollment requirements;
Potential increases in occupational illness, sick or disability leave, absenteeism and presenteeism from uncovered workers; and
More.

Considering these and other effects can help health plans, their sponsors, and employees to prepare for and respond to these effects.

If you have questions or need help with these or other employee benefits concerns, contact the author of this update, Cynthia Marcotte Stamer, who is a Fellow in the American College of Employee Benefits Counsel with decades of employee benefits experience.

More Information Or Help

We hope this update is helpful. For more information about these or other health or other employee benefits, human resources, insurance, or health care legal developments, please contact the author, Cynthia Marcotte Stamer, via e-mail or telephone at (214) 452-8297.

About the Author

Along with her decades of legal and strategic consulting experience, Ms. Stamer also contributes her leadership and experience to many professional, civic and community organizations. She currently serves as Co-Chair of the ABA Real Property Trusts and Estates (“RPTE”) Section Welfare Plan Committee, Co-Chair of the ABA International Section International Employment Law Committee and its Annual Meeting Program Planning Committee, Chair Emeritus and Vice Chair of the ABA Tort Trial and Insurance (“TIPS”) Section Medicine and Law Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee. She also has served as Scribe for the Joint Committee on Employee Benefits (“JCEB”) annual agency meetings with the Department of Health and Human Services and JCEB Council Representative, International Section Life Sciences Committee Chair, RPTE Section Employee Benefits Group Chair and a Substantive Groups Committee Member, Health Law Section Managed Care & Insurance Interest Group Chair, as TIPS Section Medicine and Law Committee Chair and Employee Benefits Committee and Workers Compensation Committee Vice Chair, Tax Section Fringe Benefit Committee Chair, and in various other ABA leadership capacities. Ms. Stamer also is a former Southwest Benefits Association Board Member and Continuing Education Chair, SHRM National Consultant Board Chair and Region IV Chair, Dallas Bar Association Employee Benefits Committee Chair, former Texas Association of Business State, Regional and Dallas Chapter Chair, a founding board member and Past President of the Alliance for Healthcare Excellence, as well as in the leadership of many other professional, civic and community organizations. She also is recognized for her contributions to strengthening health care policy and charitable and community service resolving health care challenges performed under PROJECT COPE Coalition For Patient Empowerment initiative and many other pro bono service involvements locally, nationally and internationally.

Ms. Stamer is the author of many highly regarded works published by leading professional and business publishers, the ABA, the American Health Lawyers Association, and others. Ms. Stamer also frequently speaks and serves on the faculty and steering committee for many ABA and other professional and industry conferences and conducts leadership and industry training for a wide range of organizations.

About Solutions Law Press™

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or admission. Solutions Law Press and its authors reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. Solutions Law Press and its authors disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Comments Off on Prepare For Marketplace Rule Change Fallout | Corporate Compliance | Tagged: ACA, Affordable Care Act, Employee Benefits, Employer, Employers, ERISA, Health Care, Health Care Reform, Health Insurance, Health Plans, Human Resources, Insurance, marketplace | Permalink
Posted by Cynthia Marcotte Stamer

Share Ideas About Patient Empowering Health Technology With HHS By 6/16

May 14, 2025

Group health plans, their employer and union sponsors, fiduciaries, insurers, administrators, communications and information technology vendors and participants interested in promoting technologies to help patients control their health and wellness have until June 16, 2025 is to share input with the Centers for Medicare & Medicaid Services (“CMS”) and the Office of the National Coordinator for Health Information Technology (“ONC”) in response to their currently open request for information (“RFI”).

Following up on the CMS Interoperability and Patient Access Final Ruleand part of Secretary Kennedy’s effotts to “Make America Healthy Again,” the agencies are inviting public input on designing a seamless, secure, and patient-centered digital health infrastructure that will help seniors and their families use modern technology to control of their health and well-being, manage chronic conditions, and access care more efficiently.

The RFI invites input from patients, caregivers, providers, payers, technology developers, and other stakeholders on how CMS and ONC can:

Drive the development and adoption of digital health management and care navigation applications;
Strengthen interoperability and secure access to health data through open, standards-based technologies;
Identify barriers preventing the seamless exchange of health information across systems; and
Reduce administrative burden while accelerating progress toward value-based, patient-centered care.

Many employee benefit plans, their sponsors and vendors have extensive experience and interest in the use of mobile applications and other technologies by plan members and their caregivers. Interested parties should consider sharing insights to help promote awareness of helpful designs and to deter investments or mandates of unhelpful technologies.

For More Information Or Help

About the Author

Cynthia Marcotte Stamer is a Martindale-Hubble AV-Preeminent (highest/top 1%) practicing attorney recognized as a “Top Woman Lawyer,” “Top Rated Lawyer,” and “LEGAL LEADER™” in Health Care Law and Labor and Employment Law; among the “Best Lawyers In Dallas” in “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law recognized for her experience, scholarship, thought leadership and advocacy on HIPAA and other data and technology use, security and compliance in connection with her work with health care and life sciences, employee benefits, insurance, education, technology and other highly regulated and performance-dependent clients.

Board certified in labor and employment law by the Texas Board of Legal Specialization and a Fellow in the American College of Employee Benefits Counsel, Ms. Stamer is nationally recognized for her decades of leading edge experience on the design, sponsorship, administration and defense of health and other employee benefit, workforce, data and technology and other operations to promote legal and operational compliance, reduce regulatory and other liability and promote other operational goals.

Along with her decades of legal and strategic consulting experience, Ms. Stamer also contributes her leadership and experience to many professional, civic and community organizations. She currently serves as Co-Chair of the ABA Real Property Trusts and Estates (“RPTE”) Section Welfare Plan Committee, Co-Chair of the ABA International Section International Employment Law Committee and its Annual Meeting Program Planning Committee, Chair Emeritus and Vice Chair of the ABA Tort Trial and Insurance (“TIPS”) Section Medicine and Law Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee. She also has served as Scribe for the Joint Committee on Employee Benefits (“JCEB”) annual agency meetings with the Department of Health and Human Services and JCEB Council Representative, International Section Life Sciences Committee Chair, RPTE Section Employee Benefits Group Chair and a Substantive Groups Committee Member, Health Law Section Managed Care & Insurance Interest Group Chair, as TIPS Section Medicine and Law Committee Chair and Employee Benefits Committee and Workers Compensation Committee Vice Chair, Tax Section Fringe Benefit Committee Chair, and in various other ABA leadership capacities. Ms. Stamer also is a former Southwest Benefits Association Board Member and Continuing Education Chair, SHRM National Consultant Board Chair and Region IV Chair, Dallas Bar Association Employee Benefits Committee Chair, former Texas Association of Business State, Regional and Dallas Chapter Chair, a founding board member and Past President of the Alliance for Healthcare Excellence, as well as in the leadership of many other professional, civic and community organizations. She also is recognized for her contributions to strengthening health care policy and charitable and community service resolving health care challenges performed under PROJECT COPE Coalition For Patient Empowerment initiative and many other pro bono service involvements locally, nationally and internationally.

Ms. Stamer is the author of many highly regarded works published by leading professional and business publishers, the ABA, the American Health Lawyers Association, and others. Ms. Stamer also frequently speaks and serves on the faculty and steering committee for many ABA and other professional and industry conferences and conducts leadership and industry training for a wide range of organizations.

About Solutions Law Press™

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or admission. Solutions Law Press and its authors reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. Solutions Law Press and its authors disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Comments Off on Share Ideas About Patient Empowering Health Technology With HHS By 6/16 | Corporate Compliance | Tagged: Employee Benefits, Employer, Employers, ERISA, Health Insurance, Health IT, Health Plans, HIPAA, Human Resources, Patient Empowerment | Permalink
Posted by Cynthia Marcotte Stamer

IRS Reduces Plan Sponsors Required To Request Approval For Special Mortality Table Use In Retirement Plan Funding Calculations

May 7, 2025

The Internal (“IRS”) is limiting the circumstances under which plan sponsors wishing to use special mortality tables to calculate defined benefit plan funding requirements must obtain IRS approval.

Revenue Procedure 2024-32 specifies the procedure by which the sponsor of a defined benefit plan that is subject to the funding requirements of § 430 of the Internal Revenue Code (the “Code”) may request approval from the IRS to use plan-specific substitute mortality tables in accordance with § 430(h)(3)(C) and § 1.430(h)(3)-2 of the Treasury Regulations.

Section 12.02 of Rev. 2024-32 in conjunction with the replacement of the generally applicable mortality tables, certain plan sponsors that wish to continue using plan-specific mortality tables must develop and request Internal Revenue Service (“IRS”) approval for the use of new plan-specific substitute mortality tables for plan years beginning on or after January 1, 2026. Section 303(h)(3)(C) of Employee Retirement Income Security Act of 1974, as amended (“ERISA”) also requires covered plan sponsors to obtain this IRS approval for continued use of new plan-specific mortality tables for purposes of the parallel funding rules of Section 302 of ERISA and the additional funding rules for defined benefit plans (other than multiemployer plans) under ERISA Section 303.

In a regulatory review prompted by President Trump’s Executive Order 14219, Ensuring Lawful Governance and Implementing the President’s “ Department of Government Efficiency” Deregulatory Initiative (Executive Order 14219), the IRS determined these requirements should be simplified. Consequently, Rev. Proc. 2025-21 modifies section 12.02 of Rev. Proc. 2024-32 to provide immediate relief for certain plan sponsors by narrowing the category of plan sponsors required to request approval of new plan-specific substitute mortality tables.

Specifically, Section 12.02 of Rev. Proc. 2024-32 is revised to provide that except for plans using a mortality ratio determined with combined genders, plans with significant coverage changes cannot use a substitute mortality table first approved for use for a plan year that began before January 1, 2025 for a plan year beginning on or after January 1, 2026 when the number of individuals covered by the substitute mortality table is less than 80 percent or more than 120 percent of the average number of individuals in that population over the 12-month periods covered by the experience study regardless whether the actuary makes the certification described in § 1.430(h)(3)2(c)(6)(iii)(A) for plans using a mortality ratio determined with combined genders.
If Substitute Base Tables for a plan (or plans) were developed using the option in Treasury Regulation § 1.430(h)(3)-2(d)(6) to determine a single mortality ratio for both genders in a population, however, the early termination of the permitted use of a substitute mortality table will not apply if the total number of individuals covered by the substitute mortality tables developed using that mortality ratio is not less than 80 percent and not more than 120 percent of the average number of individuals in the population used to determine that mortality ratio over the 12-month periods covered by the experience study, provided that the plan actuary certifies in writing to the satisfaction of the Commissioner that the substitute mortality tables used for the population continue to be accurately predictive of future mortality of that population (taking into account the effect of the change in the population) as described in § 1.430(h)(3)-2(c)(6)(iii)(A).

This change applies to all requests for approval to use plan-specific substitute mortality tables in accordance with § 430(h)(3)(C) for which the first year that the substitute mortality tables would apply begins on or after January 1, 2026.

The IRS officially will publish Revenue Procedure 2025-21 in IRB 2025-22, dated May 27, 2025.

More Information Or Help

About the Author

Along with her decades of legal and strategic consulting experience, Ms. Stamer also contributes her leadership and experience to many professional, civic and community organizations. She currently serves as Co-Chair of the ABA Real Property Trusts and Estates (“RPTE”) Section Welfare Plan Committee, Co-Chair of the ABA International Section International Employment Law Committee and its Annual Meeting Program Planning Committee, Chair Emeritus and Vice Chair of the ABA Tort Trial and Insurance (“TIPS”) Section Medicine and Law Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee. She also has served as Scribe for the Joint Committee on Employee Benefits (“JCEB”) annual agency meetings with the Department of Health and Human Services and JCEB Council Representative, International Section Life Sciences Committee Chair, RPTE Section Employee Benefits Group Chair and a Substantive Groups Committee Member, Health Law Section Managed Care & Insurance Interest Group Chair, as TIPS Section Medicine and Law Committee Chair and Employee Benefits Committee and Workers Compensation Committee Vice Chair, Tax Section Fringe Benefit Committee Chair, and in various other ABA leadership capacities. Ms. Stamer also is a former Southwest Benefits Association Board Member and Continuing Education Chair, SHRM National Consultant Board Chair and Region IV Chair, Dallas Bar Association Employee Benefits Committee Chair, former Texas Association of Business State, Regional and Dallas Chapter Chair, a founding board member and Past President of the Alliance for Healthcare Excellence, as well as in the leadership of many other professional, civic and community organizations. She also is recognized for her contributions to strengthening health care policy and charitable and community service resolving health care challenges performed under PROJECT COPE Coalition For Patient Empowerment initiative and many other pro bono service involvements locally, nationally and internationally.

Ms. Stamer is the author of many highly regarded works published by leading professional and business publishers, the ABA, the American Health Lawyers Association, and others. Ms. Stamer also frequently speaks and serves on the faculty and steering committee for many ABA and other professional and industry conferences and conducts leadership and industry training for a wide range of organizations.

About Solutions Law Press™

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or admission. Solutions Law Press and its authors reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. Solutions Law Press and its authors disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Comments Off on IRS Reduces Plan Sponsors Required To Request Approval For Special Mortality Table Use In Retirement Plan Funding Calculations | Corporate Compliance, Defined Benefit Plans, Employee Benefits, Employer, Employers, retirement plan, Retirement Plans, Retirements, Risk Management | Permalink
Posted by Cynthia Marcotte Stamer

DOJ Sues Medicare Advantage Insurers & CVS Under False Claims Act & Antikickback Statute

May 5, 2025

The Department of Justice is suing three of the nation’s largest health insurance companies — Aetna Inc. and affiliates, Elevance Health Inc. (formerly known as “Anthem”), and Humana Inc., CVS Health Corporation, and three large insurance broker organizations — eHealth, Inc. and an affiliate, GoHealth, Inc., and SelectQuote Inc. for violating the False Claims Act (“FCA”) and Antikickback Statute. In the second complaint of its kind in recent months, the Justice Department complaint in ex rel. Shea v. eHealth, et al., No. 21-cv-11777 (D. Mass. May 5, 2025) accuses the defendants of paying or receiving kickbacks to steer Medicare Advantage enrollees to the defendant insurers.

Medicare Advantage Antikickback & False Claims Rules

Under the Medicare Advantage (“MA”) Program, also known as Medicare Part C, Medicare beneficiaries may choose to enroll in health care plans (MA plans) offered by private insurance companies, like defendants Aetna, Anthem, and Humana. Many Medicare beneficiaries rely on insurance brokers to help them choose an MA plan that best meets their individual needs.

Under the FCA, private parties can file an action on behalf of the United States and receive a portion of the recovery. The FCA permits the United States to intervene in and take over the action, as it has done here. If a defendant is found liable for violating the FCA, the United States may recover three times the amount of its losses plus applicable penalties

In a lawsuit originally filed by a former eHealth employee as a qui tam whistleblower complaint, the Justice Department charges that the defendant insurers paid hundreds of millions of dollars in illegal kickbacks to the defendant brokers in exchange for enrollments into the insurers’ Medicare Advantage plans from 2016 through at least 2021. Rather than acting as unbiased stewards, the Justice Department charges that the defendant brokers allegedly directed Medicare beneficiaries to the plans offered by insurers that paid brokers the most in kickbacks, regardless of the suitability of the MA plans for the beneficiaries.

According to the complaint, the broker organizations incentivized their employees and agents to sell plans based on the insurers’ kickbacks, set up teams of insurance agents who could sell only those plans, and at times refused to sell MA plans of insurers who did not pay sufficient kickbacks.

The Justice Department also alleges that Aetna and Humana each conspired with the broker defendants to discriminate against Medicare beneficiaries with disabilities whom they perceived to be less profitable. Aetna and Humana allegedly did so by threatening to withhold kickbacks to pressure brokers to enroll fewer disabled Medicare beneficiaries in their plans.

The Justice Department further alleges that, in response to these financial incentives from Aetna and Humana, the defendant brokers or their agents rejected referrals of disabled beneficiaries and strategically directed disabled beneficiaries away from Aetna and Humana plans.

Commonwealth Care Alliance Prior Kickback Settlement

The eHealth suit against the defendants is not first of its kind. In January, 2025, the Justice Department announced that MA Program insurer Commonwealth Care Alliance, Inc. (“CCA”) agreed to pay $520,355.65 to resolve allegations that Reliance HMO, Inc. (“Reliance”), a company CCA acquired in 2022, violated the FCA by providing cash payments to induce the referral of Medicare beneficiaries to enroll in Reliance’s Medicare Advantage Plan in violation of the Anti-Kickback Statute after CCA voluntarily self-disclosed the conduct to the U.S. Attorney’s Office.

In April 2019, CMS authorized Reliance to operate a MA plan for Medicare beneficiaries in Michigan, with beneficiaries receiving coverage starting in January 2020. On March 31, 2022, CCA announced the completion of its acquisition of a 70% stake in Reliance. After the acquisition, CCA identified concerns regarding certain marketing-related outreach and payments that Reliance agents had made to personnel at physician practices. In particular, CCA disclosed two schemes.

First, from April 12, 2019, through December 22, 2020, Reliance provided cash payments to healthcare professionals and administrative staff in physician practices, in exchange for providing Reliance with the contact information for patients who had agreed, through executing so-called “permission to contact” cards, to be contacted by Reliance regarding its MA plan offerings.

Second, in November 2019, prior to Reliance’s MA plan becoming active, Reliance paid each of four physicians and physician practices $2,500, which Reliance characterized as advances on “coordination of care” services to be provided by the physicians to beneficiaries when the MA plan became active in 2020.

The Justice Department alleged these payments were intended to induce the referral, recommendation, or arrangement of enrollment of Medicare beneficiaries in Reliance’s MA plan. Such payments, the United States alleges, were impermissible kickbacks in violation of the False Claims Act.

The CCA settlement resolved these charges. The settlement gave CCA credit for voluntarily self-disclosing this conduct to the Justice Department; taking remedial measures, including terminating the employees directly involved with the decision to offer the prohibited payments; and providing the United States with a detailed written statement describing its investigation, along with other supplemental information to assist the United States in its investigation.

Alleged Medicare Advantage Insurer Risk Adjustment Padding

Medicare Advantage insurers also are under investigation by the Justice Department for other alleged abuses. The Justice Department recently has investigated certain Medicare Advantage insurers for alleged manipulation of risk data to increase their capitated payments from Medicare. For Instance, the Justice Department recently sued MA Program insurer Independent Health Association and its affiliate, Independent Health Corporation (collectively, “Independent Health”) for allegedly illegally manipulating risk data used to set risk adjustment rates paid by Medicare to their Medicare Advantage plans in United States ex rel. Ross v. Independent Health Association et al., No. 12-CV-0299(S) (WDNY). To settle the litigation, Independent Health agreed to pay up to $98 million to resolve allegations that it violated the False Claims Act by knowingly submitting or causing the submission of invalid diagnosis codes to Medicare for Medicare Advantage Plan enrollees to increase payments that Independent Health received from Medicare. Under the terms of the settlement, Independent Health promised to make guaranteed payments of $34,500,000 and contingent payments of up to $63,500,000 on behalf of itself and DxID, which ceased operations in 2021. Its Chief Executive Officer separately agreed to pay $2,000,000. In addition, Independent Health entered into a five-year corporate integrity agreement (“CIA”) with HHS-OIG that requires among other things, that Independent Health hire an Independent Review Organization to annually review a sample of Independent Health’s Medicare Advantage patients’ medical records and associated internal controls to help ensure appropriate risk adjustment payments.

The Justice Department touts all of these and other investigations and enforcement actions against Medicare Advantage insurers as demonstrating its commitment to hold Medicare Advantage insurers and brokers accountable for kickbacks or other misconduct. In the Justice Department’s press release about the e-Health litigation, Deputy Assistant Attorney General Michael Granston of the Justice Department’s Civil Division. “We are committed to rooting out illegal practices by Medicare Advantage insurers and insurance brokers that undermine the interests of federal health care programs and the patients they serve.”

Risks For Insurers, Brokers, Health Plans & Fiduciaries

These and other actions send a strong warning to insurers and brokers to abstain from prohibited risk adjustment, kickbacks, or other prohibited conduct. Brokers and insurers also should keep in mind that these activities- whether in connection with the sale of Medicare Advantage or other insurance products Past history demonstrates that these activities carry risks beyond the Antikickback Statute and False Claims Act. They also can create exposures under other federal or state laws. The 2004 bid rigging prosecution of Marsh & McClennon by then New York Attorney General Elliott Spitzer is illustrative. On October 14, 2004, then New York State Attorney General Eliot Spitzer sued Marsh & McClennan and Marsh, Inc. (“Marsh”) for bid rigging and violation of various other state laws through its compensation arrangements between Marsh and several insurance companies, and bidding manipulation by Marsh. The largest U.S. insurance broker at the time, Marsh agreed in January 2005 to pay $850 million and end improper bid-rigging in a civil settlement with Spitzer. Attorney General Spitzer also brought criminal charges against individuals involved, some of which produced several guilty pleas. The last of these criminal prosecutions dragged on until 2011, when the New York Attorney General finally dismissed the remaining criminal charges against former Marsh executive marketing director William Gilman and former Marsh global placement director Edward McNenney. Marsh and others also faced charges in other states and private litigation from the scandal.

Kickbacks or other inappropriate compensation arrangements between insurers, brokers or other plan service providers also can create issues for health plan fiduciaries, sponsors, brokers and advisors. Self-insured health plan sponsors, fiduciaries, administrators and their consultants, brokers and insurers also should keep in mind that practices like those challenged in the Justice Department actions also are likely to raise concerns under the fiduciary responsibility and prohibited transaction rules of the Employee Retirement Income Security Act of 1974 (“ERISA”). Consequently, employer and other plan sponsors, their fiduciaries, and their brokers and advisors may wish to visit with experienced legal counsel about the advisability of conducting due diligence into the past, current, or future plan vendor relationships with their own programs.

The Justice Department is touting the lawsuit as an example of its commitment to hold Medicare Advantage insurers and brokers accountable for kickbacks or other misconduct. In the Justice Department’s press release about the action, Deputy Assistant Attorney General Michael Granston of the Justice Department’s Civil Division. “We are committed to rooting out illegal practices by Medicare Advantage insurers and insurance brokers that undermine the interests of federal health care programs and the patients they serve.”

More Information Or Help

About the Author

Along with her decades of legal and strategic consulting experience, Ms. Stamer also contributes her leadership and experience to many professional, civic and community organizations. She currently serves as Co-Chair of the ABA Real Property Trusts and Estates (“RPTE”) Section Welfare Plan Committee, Co-Chair of the ABA International Section International Employment Law Committee and its Annual Meeting Program Planning Committee, Chair Emeritus and Vice Chair of the ABA Tort Trial and Insurance (“TIPS”) Section Medicine and Law Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee. She also has served as Scribe for the Joint Committee on Employee Benefits (“JCEB”) annual agency meetings with the Department of Health and Human Services and JCEB Council Representative, International Section Life Sciences Committee Chair, RPTE Section Employee Benefits Group Chair and a Substantive Groups Committee Member, Health Law Section Managed Care & Insurance Interest Group Chair, as TIPS Section Medicine and Law Committee Chair and Employee Benefits Committee and Workers Compensation Committee Vice Chair, Tax Section Fringe Benefit Committee Chair, and in various other ABA leadership capacities. Ms. Stamer also is a former Southwest Benefits Association Board Member and Continuing Education Chair, SHRM National Consultant Board Chair and Region IV Chair, Dallas Bar Association Employee Benefits Committee Chair, former Texas Association of Business State, Regional and Dallas Chapter Chair, a founding board member and Past President of the Alliance for Healthcare Excellence, as well as in the leadership of many other professional, civic and community organizations. She also is recognized for her contributions to strengthening health care policy and charitable and community service resolving health care challenges performed under PROJECT COPE Coalition For Patient Empowerment initiative and many other pro bono service involvements locally, nationally and internationally.

Ms. Stamer is the author of many highly regarded works published by leading professional and business publishers, the ABA, the American Health Lawyers Association, and others. Ms. Stamer also frequently speaks and serves on the faculty and steering committee for many ABA and other professional and industry conferences and conducts leadership and industry training for a wide range of organizations.

About Solutions Law Press™

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or admission. Solutions Law Press and its authors reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. Solutions Law Press and its authors disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Comments Off on DOJ Sues Medicare Advantage Insurers & CVS Under False Claims Act & Antikickback Statute | compliance, Corporate Compliance, Discrimination, false claims act, health benefit, Health Benefits, health insurance, health insurance marketplace, health plan, Health Plans, Insurance, insurance fraud, Managed Care, Medicare Advantage, pharmacy | Permalink
Posted by Cynthia Marcotte Stamer

Trump Administration Enforcement Priorities Require Cautious Handling Of Religious Accommodation Requests

May 4, 2025

A $95,000 settlement of a Justice Department religious discrimination lawsuit alerts businesses to use care when handling religious accommodation requests in employment or other aspects of their operations in light of the Trump Administration’s announced enforcement priorities.

The Civil Rights Act of 1964 (“CRA”) prohibits discrimination on the basis of sex, race, color, national origin or religion. The Justice Department warns enforcing the CRA’s religious protections is a Trump Administration priority in its May 2, 2025 announcement of a consent decree settlement of its CRA Title VII religious discrimination lawsuit against the Advanced Science and Technology Education Charter Schools (“ASTEC”) in Oklahoma City, Oklahoma.

The lawsuit alleges ASTEC discriminated against Marcus Rethwill, a former teacher at the school, on the basis of religion, in violation of Title VII of the Civil Rights Act of 1964, by terminating him after denying his request for a religious exemption from ASTEC’s vaccine mandate for employees because he could not provide a clergy letter supporting his request.

Under the consent decree, ASTEC will pay Rethwill $95,000 in monetary damages, revise its anti-religious discrimination policy, and provide mandatory training on the policy to personnel.

The consent decree announcement follows President Trump’s declaration of the protection of religious rights a priority of his second administration. See, e.g., Executive Order 14205—Establishment of the White House Faith Office.

In his February 12, 2025 Executive Order 14202-Eradicating Anti-Christian Bias, President Trump declared:

It is the policy of the United States, and the purpose of this order, to protect the religious freedoms of Americans and end the anti-Christian weaponization of government. …

My Administration will not tolerate anti-Christian weaponization of government or unlawful conduct targeting Christians. The law protects the freedom of Americans and groups of Americans to practice their faith in peace, and my Administration will enforce the law and protect these freedoms. My Administration will ensure that any unlawful and improper conduct, policies, or practices that target Christians are identified, terminated, and rectified.

That Executive Order tasks all federal agencies to root out “anti-Christian bias” from the government.President Trump’s May 1, 2025, Executive Order On The Establishment Of The Religious Liberty Commission declares:

It shall be the policy of the executive branch to vigorously enforce the historic and robust protections for religious liberty enshrined in Federal law.

The Justice Department warns other employers against violating their employees’ religious rights in its announcement of the consent decree. The announcement quotes Assistant Attorney General Harmeet K. Dhillon of the Justice Department’s Civil Rights Division as warning:

When employees’ religious principles conflict with work rules, they should not be forced to choose between practicing their religion and keeping their jobs if a reasonable accommodation can be made. … Employer policies that rigidly restrict how employees can demonstrate the sincerity of their religious beliefs for religious accommodations are inconsistent with the breadth of Title VII’s protection against religious discrimination.

It also quotes U.S. Attorney Robert J. Troester for the Western District of Oklahoma as stating

No employee should be forced to violate their religious beliefs just to keep their job. …

Employers must take care not to craft or apply policies that require employees to forfeit their religious beliefs or impose unreasonable conditions that question the sincerity of those beliefs.

Other recent Justice Department investigation and enforcement actions clearly signal the Administration’s policy of enforcing religious rights extends beyond employment.

On April 29, 2025, for instance, the Justice Department filed a statement of interest in the private lawsuit, Grace New England v. Town of Weare, alleging that the town violated the Religious Land Use and Institutionalized Persons Act (“RLUIPA”) by threating fines against a small home-based church and its pastor.

The U.S. Department of Veteran Affairs and State Department reportedly have ordered employees to report employees displaying “anti-Christian bias” as part of its effort to implement a sweeping new executive order on supporting employees of Christian faith working in the federal government.

Widely-reported investigations and announced cancelations of federal grants or contracts, efforts to revoke tax-exempt status and other actions against Columbia University, Harvard University and others signal Jewish and other religions also may fall under these protections and that private sector organizations also are targeted for investigation and enforcement. It remains to be seen how the Administration will handle other religious discrimination claims. However organizations also must manage exposures to private federal and state claims.

In response to these investigation and enforcement priorities, all covered organizations should seek the advice of experienced legal counsel about evaluating and managing their own exposures to open past, current and potential future religious discrimination claims.

These efforts generally should include a comprehensive review and update of current policies and training, as well as an evaluation of exposure from open religious accommodation or other religious bias exposures within the scope of attorney-client privilege.

For More Information Or Help

We hope this update is helpful. For more information about these discrimination or other workforce, employee benefits, health care, risk management or compliance, or other challenges or developments, contact the author, Cynthia Marcotte Stamer, via e-mail or telephone at (214) 452-8297.

About the Author

Cynthia Marcotte Stamer is a Martindale-Hubble AV-Preeminent (highest/top 1%) practicing attorney recognized as a “Top Woman Lawyer,” “Top Rated Lawyer,” and “LEGAL LEADER™” in Health Care Law and Labor and Employment Law; among the “Best Lawyers In Dallas” in “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law recognized for her experience, scholarship, thought leadership and advocacy on religious and other discrimination in connection with her work with employers, health care and life sciences, employee benefits, insurance, education, technology, education, government contractors, and other highly regulated and performance-dependent clients.

Board certified in labor and employment law by the Texas Board of Legal Specialization and a Fellow in the American College of Employee Benefits Counsel, Ms. Stamer is nationally recognized for her decades of leading edge experience on the design, sponsorship, administration and defense of employment and other services, employee benefit,, data and technology and other operations to promote legal and operational compliance, reduce regulatory and other liability and promote other operational goals.

Along with her decades of legal and strategic consulting experience, Ms. Stamer also contributes her leadership and experience to many professional, civic and community organizations. She currently serves as Co-Chair of the ABA Real Property Trusts and Estates (“RPTE”) Section Welfare Plan Committee, Co-Chair of the ABA International Section International Employment Law Committee and on its Annual Meeting Program Planning Committee, Chair Emeritus and Vice Chair of the ABA Tort Trial and Insurance (“TIPS”) Section Medicine and Law Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee. She also has served as Scribe for the Joint Committee on Employee Benefits (“JCEB”) annual agency meetings with the Department of Health and Human Services and JCEB Council Representative, International Section Life Sciences Committee Chair, RPTE Section Employee Benefits Group Chair and a Substantive Groups Committee Member, Health Law Section Managed Care & Insurance Interest Group Chair, as TIPS Section Medicine and Law Committee Chair and Employee Benefits Committee and Workers Compensation Committee Vice Chair, Tax Section Fringe Benefit Committee Chair, and in various other ABA leadership capacities. Ms. Stamer also is a former Southwest Benefits Association Board Member and Continuing Education Chair, SHRM National Consultant Board Chair and Region IV Chair, Dallas Bar Association Employee Benefits Committee Chair, former Texas Association of Business State, Regional and Dallas Chapter Chair, a founding board member and Past President of the Alliance for Healthcare Excellence, as well as in the leadership of many other professional, civic and community organizations. She also is recognized for her contributions to strengthening health care policy and charitable and community service resolving health care challenges performed under PROJECT COPE Coalition For Patient Empowerment initiative and many other pro bono service involvements locally, nationally and internationally.

Ms. Stamer is the author of many highly regarded works published by leading professional and business publishers, the ABA, the American Health Lawyers Association, and others. Ms. Stamer also frequently speaks and serves on the faculty and steering committee for many ABA and other professional and industry conferences and conducts leadership and industry training for a wide range of organizations.

About Solutions Law Press™

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or admission. Solutions Law Press and its authors reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. Solutions Law Press and its authors disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Comments Off on Trump Administration Enforcement Priorities Require Cautious Handling Of Religious Accommodation Requests | Civil Rights, compliance, Corporate Compliance, corporate governance, COVID, COVID-19, Diversity, EEOC, employee, Employer, Employers, Employment, Employment Discrimination, Employment Policies, OFCCP, Real Estate, Religious Organization, Religous Discrimination, Restructuring, Retaliation, Supreme Court, Training | Tagged: Corporate Compliance, Disability Discrimination, Discrimination, Employee Benefits, Employer, Employment, employment law, Human Resources, Management | Permalink
Posted by Cynthia Marcotte Stamer

2026 HRA Inflation Adjustments Announced

May 4, 2025

The Internal Revenue Service (“IRS”) published advanced notice of the 2026 inflation adjusted amounts for Health Savings Accounts (“HSAs”) § 223 of the Internal Revenue Code (“Code”) and the maximum amount that may be made newly available for excepted benefit health reimbursement arrangements (HRAs) provided under § 54.9831-1(c)(3)(viii) of the Pension Excise Tax Regulations.

In calendar year 2026, these amounts are as follows:

The annual limitation on deductions under § 223(b)(2) for an individual with coverage under a high deductible health plan for self-only is $4,400 and for family coverage under a high $8,750.
A “high deductible health plan” under § 223(c)(2)(A) will be defined as a health plan with an annual deductible that is not less than $1,700 for self-only coverage or $3,400 for family coverage, and for which the annual out-of-pocket expenses (deductibles, co-payments, and other amounts, but not premiums) do not exceed $8,500 for self-only coverage or $17,000 for family coverage.
For plan years beginning in 2026, the maximum amount that may be made newly available for the plan year for an excepted benefit HRA under Code § 54.9831-1(c)(3)(viii) is $2,200.

Revenue Procedure 2025-19 will be officially published in the May 19, 2025 Federal Register.

For More Information Or Help

About the Author

Cynthia Marcotte Stamer is a Martindale-Hubble AV-Preeminent (highest/top 1%) practicing attorney recognized as a “Top Woman Lawyer,” “Top Rated Lawyer,” and “LEGAL LEADER™” in Health Care Law and Labor and Employment Law; among the “Best Lawyers In Dallas” in “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law recognized for her experience, scholarship, thought leadership and advocacy on HIPAA and other data and technology use, security and compliance in connection with her work with health care and life sciences, employee benefits, insurance, education, technology and other highly regulated and performance-dependent clients.

Board certified in labor and employment law by the Texas Board of Legal Specialization and a Fellow in the American College of Employee Benefits Counsel, Ms. Stamer is nationally recognized for her decades of leading edge experience on the design, sponsorship, administration and defense of health and other employee benefit, workforce, data and technology and other operations to promote legal and operational compliance, reduce regulatory and other liability and promote other operational goals.

Along with her decades of legal and strategic consulting experience, Ms. Stamer also contributes her leadership and experience to many professional, civic and community organizations. She currently serves as Co-Chair of the ABA Real Property Trusts and Estates (“RPTE”) Section Welfare Plan Committee, Co-Chair of the ABA International Section International Employment Law Committee and its Annual Meeting Program Planning Committee, Chair Emeritus and Vice Chair of the ABA Tort Trial and Insurance (“TIPS”) Section Medicine and Law Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee. She also has served as Scribe for the Joint Committee on Employee Benefits (“JCEB”) annual agency meetings with the Department of Health and Human Services and JCEB Council Representative, International Section Life Sciences Committee Chair, RPTE Section Employee Benefits Group Chair and a Substantive Groups Committee Member, Health Law Section Managed Care & Insurance Interest Group Chair, as TIPS Section Medicine and Law Committee Chair and Employee Benefits Committee and Workers Compensation Committee Vice Chair, Tax Section Fringe Benefit Committee Chair, and in various other ABA leadership capacities. Ms. Stamer also is a former Southwest Benefits Association Board Member and Continuing Education Chair, SHRM National Consultant Board Chair and Region IV Chair, Dallas Bar Association Employee Benefits Committee Chair, former Texas Association of Business State, Regional and Dallas Chapter Chair, a founding board member and Past President of the Alliance for Healthcare Excellence, as well as in the leadership of many other professional, civic and community organizations. She also is recognized for her contributions to strengthening health care policy and charitable and community service resolving health care challenges performed under PROJECT COPE Coalition For Patient Empowerment initiative and many other pro bono service involvements locally, nationally and internationally.

Ms. Stamer is the author of many highly regarded works published by leading professional and business publishers, the ABA, the American Health Lawyers Association, and others. Ms. Stamer also frequently speaks and serves on the faculty and steering committee for many ABA and other professional and industry conferences and conducts leadership and industry training for a wide range of organizations.

About Solutions Law Press™

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or admission. Solutions Law Press and its authors reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. Solutions Law Press and its authors disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Comments Off on 2026 HRA Inflation Adjustments Announced | Cafeteria Plans, Corporate Compliance, Employee Benefits, Employer, Employers, health benefit, Health Benefits, health Care, health plan, Health Plans, HR, HSA, Human Resources | Tagged: Employee Benefits, Employer, Employers, ERISA, Health Care Reform, Health Insurance, Health Plan, Health Plans, HRA, Human Resources, Medical Coverage | Permalink
Posted by Cynthia Marcotte Stamer

Options For Multiemployer Defined Benefit Plans Filing of Digital Form 15315, Annual Certification

April 30, 2025

The Internal Revenue Service (“IRS”) is now accepting Form 15315 certifications by mail, fax or email.

The IRS Employee Plans Group recently discovered a glitch on its Mobile Friendly Forms webpage impacting the digitalized Form 15315 multiemployer defined benefit plan administrators should use to electronically report the actuarial certification of a multiemployer defined benefit plan’s funding status. Due to the glitch, the electronic form won’t allow administrators to enter a date beyond December 31, 2025, or plan numbers beginning with 0; for example, 002.

In response to this glitch, the IRS now allows filing electronically, by mail or by fax.

Mail the form to:

Department of the Treasury

Employee Plans

CHI-7602 – 25^th Floor

230 S. Dearborn Street

Chicago, IL 60604

Fax the form to:

855-215-7122

Email the form to:

EPCU@IRS.gov with Multiemployer Certification in the subject line.

For More Information Or Help

About the Author

Cynthia Marcotte Stamer is a Martindale-Hubble AV-Preeminent (highest/top 1%) practicing attorney recognized as a “Top Woman Lawyer,” “Top Rated Lawyer,” and “LEGAL LEADER™” in Health Care Law and Labor and Employment Law; among the “Best Lawyers In Dallas” in “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law recognized for her experience, scholarship, thought leadership and advocacy on HIPAA and other data and technology use, security and compliance in connection with her work with health care and life sciences, employee benefits, insurance, education, technology and other highly regulated and performance-dependent clients.

Board certified in labor and employment law by the Texas Board of Legal Specialization and a Fellow in the American College of Employee Benefits Counsel, Ms. Stamer works with these and other highly regulated or data and performance reliant businesses to design, risk manage, and defend their employment and other workforce, data and technology and other operations to promote legal and operational compliance, reduce regulatory and other liability and promote other operational goals.

Additionally, more her ABA involvements include than a decade of service as a Scribe for the Joint Committee on Employee Benefits (“JCEB”) annual agency meetings with the Department of Health and Human Services and JCEB Council Representative, International Section Life Sciences Committee Chair, RPTE Section Employee Benefits Group Chair and a Substantive Groups Committee Member, Health Law Section Managed Care & Insurance Interest Group Chair, as TIPS Section Medicine and Law Committee Chair and Employee Benefits Committee and Workers Compensation Committee Vice Chair, Tax Section Fringe Benefit Committee Chair, and in various other ABA leadership capacities. Ms. Stamer also is a former Southwest Benefits Association Board Member and Continuing Education Chair, SHRM National Consultant Board Chair and Region IV Chair, Dallas Bar Association Employee Benefits Committee Chair, former Texas Association of Business State, Regional and Dallas Chapter Chair, a founding board member and Past President of the Alliance for Healthcare Excellence, as well as in the leadership of many other professional, civic and community organizations. She also is recognized for her contributions to strengthening health care policy and charitable and community service resolving health care challenges performed under PROJECT COPE Coalition For Patient Empowerment initiative and many other pro bono service involvements locally, nationally and internationally.

Ms. Stamer is the author of many highly regarded works published by leading professional and business publishers, the ABA, the American Health Lawyers Association, and others. Ms. Stamer also frequently speaks and serves on the faculty and steering committee for many ABA and other professional and industry conferences and conducts leadership and industry training for a wide range of organizations.

About Solutions Law Press™

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or admission. Solutions Law Press and its authors reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. Solutions Law Press and its authors disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Comments Off on Options For Multiemployer Defined Benefit Plans Filing of Digital Form 15315, Annual Certification | Corporate Compliance, defined benefit plan, Defined Benefit Plans, Employee Benefits, Employer, Employers, IRC, retirement plan, Retirement Plans | Tagged: Employee Benefits, IRS, retirement plan | Permalink
Posted by Cynthia Marcotte Stamer

Stamer Moderates Panel On “Workforce Termination & Severance Around The World” At ABA International Section Meeting May 1

April 29, 2025

Solutions Law Press Publisher and author Cynthia Marcotte Stamer will moderate a program on “Workforce Termination & Severance Around The World” at the American Bar Association (“ABA”) International Law Section 2025 Annual Conference in New York.

Countries’ laws differ for individual and mass employment terminations. During the program, labor and employment lawyers Sandra McCandless, Donald C. Dowling, and Michael Green will examine countries’ laws on termination and severance rights, responsibilities and practices, examine common issues arising when employers terminate in country and ex-patriate workers outside their home countries, and share practical insights and experiences to budget, manage and defend worker separations to minimize legal, operational and liabilities and disruptions in the United States, India, China, Latin America and other regions of the World.

Focusing on the theme Adapting to Today’s International Legal Challenges: A New Era?” the ABA expects more than 600 participants from more than 30 countries around the world to attend the Conference, which runs from from April 28 -May 1, 2025. The Conference will feature a multitude of programs focusing on a wide range of timely international law and policy issues.

Along with the “Workforce Termination & Severance Around The World program that Ms. Stamer is moderating, the International Employment Law Committee Co-Chaired by Ms. Stamer and Nadia Moynihan also is hosting two other programs during the Conference:

Global Outsourcing Strategies: Managing Legal and Operational Risks of Offshore Workers & Services;
AI at Work: Navigating Bias, Diversity, and Legal Boundaries in the Workplace.

Check out the full agenda, registration (including single day rates) and other details of the Conference here.

An management and regulatory affairs attorney Board-Certified in Labor and Employment Law by the Texas Board of Legal Specialization and American College of Employee Benefits Counsel Fellow, Ms. Stamer’s workforce and other management work, public policy leadership and advocacy, coaching, teachings, scholarship and thought leadership on helping organizations and leaders about manage their internal and external workforce, employee benefits and compensation, regulatory compliance and governmental affairs and other legal and operational practices and risk have earned her recognition as a Fellow in the American College of Employee Benefits Counsel, a “Top Woman Lawyer,” “Top Rated Lawyer,” and “LEGAL LEADER™” in Labor and Employment Law and Health Care Law; a “Best Lawyers” in “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” and numerous other honors.

For more than 35 years, Ms. Stamer’s work has advised businesses and business leaders about enhancing the effectiveness and defensibility of their operations using employment and other workforce and services management, employee benefits, compensation, performance management, contracting, Federal Sentencing Guideline and other compliance and risk management, investigations, and other legal and operational tools and solutions. While helping businesses define and manage the conduct and performance of their employees, contractors and vendors, she also assists employers and others with compliance with federal and state equal employment, compensation, health and other employee benefits, workplace safety, leave, employment tax, and other labor and employment, privacy and data security, and other laws: advises and assists management to monitor and reengineer workforce, employee benefits, compensation, safety and other policies and practices in response to regulatory, business, economic, and other developments; advises and defends businesses against labor and employment, employee benefit, wage and hour and other compensation, employment tax, fraud, Federal Sentencing Guideline and other regulatory compliance by the Department of Labor agencies, Department of Justice, Securities and Exchange Commission, Federal Trade Commission, Department of Justice, Office of Federal Contracts and Compliance, and other federal agencies; state Departments of Labor and other federal agencies; state workforce and labor, safety, workers’ compensation and other agencies; and employees, contractors, employee benefit plan participants and vendors, and others.

A former lead consultant to the Government of Bolivia on its social security privatization policy with decades of domestic and international government affairs and public policy experience, Ms. Stamer also has extensive experience providing advice to organizations, Congress and state legislators, federal and state regulators, and others about workforce, education, employee benefits, safety, health, insurance and other public policy concerns.

A prolific author and highly sought out thoughtleader, Ms. Stamer also speaks, coaches management and publishes extensively on these and other related matters.

For additional information about Ms. Stamer and her experience or to access other publications by Ms. Stamer see here or contact Ms. Stamer directly via email.

About Solutions Law Press™

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or admission. Solutions Law Press and its authors reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. Solutions Law Press and its authors disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Comments Off on Stamer Moderates Panel On “Workforce Termination & Severance Around The World” At ABA International Section Meeting May 1 | Corporate Compliance, Discrimination, EEOC, Employee Benefits, Employer, Employers, Employment Termination, Furlough, Health Benefits, Human Resources, I-9, Internal Investigations, international la, international law, Labor Management Relations, Management, Managment, Reduction in Force | Permalink
Posted by Cynthia Marcotte Stamer

Another Large HIPAA Settlement Warns Health Plans & Other HIPAA Entities To Analyze & Manage Their Hacking & Other Data Susceptibilities

April 24, 2025

Conduct an appropriate risk analysis and take the required steps to protect your electronic health records from phishing and other hacking threats by conducting a thorough risk analysis and otherwise cleaning up your Health Insurance Portability and Accountability Act of 1996 compliance! That’s the clear message to the Department of Health and Human Services Office of Civil Rights (“OCR”) warns health plans and insurers, health care providers, health care clearinghouses (“Covered Entities”) and their business associates (collectively “Regulated Entities”) to learn from the $600,000 HIPAA Privacy, Security, and Breach Notification Rules (“HIPAA Rules”) settlement with Southern California health care network PIH Health, Inc. (“PIH”) the Department of Health & Human Services Office of Civil Rights (“OCR”) announced on April 23, 2025 and the deluge of other ongoing hacking-related HIPAA investigations OCR still is working to resolve.

Phishing & Other Hacking Events Common Cause of Health Plan Breaches

Hacking incidents present a significant cybersecurity threat to health plans and other Regulated Entities’ electronic health and other data. Phishing and other hacking attacks are among the most common types of large breaches reported to OCR every year. Over the past five years, there has been a 256% increase in large breaches reported to OCR involving hacking and a 264% increase in ransomware. In 2023, hacking accounted for 79% of the large breaches reported to OCR.

Phishing and other hacking-related breaches regularly result in OCR’s collection of high-dollar settlements and other costly enforcement actions against health plans and other Regulated Entities. See e.g., HHS Office for Civil Rights Settles with L.A. Care Health Plan Over Potential HIPAA Security Rule Violations (September 11, 2023); Voluntary Resolution Agreement Between The United States Department of Health and Human Services, Office for Civil Rights (“HHS”) and UnitedHealthcare Insurance Company (August 24, 2023); Aetna Pays $1,000,000 to Settle Three HIPAA Breaches (October 28, 2020); Health Insurer Pays $6.85 Million to Settle Data Breach Affecting Over 10.4 Million People (September 25, 2020); nthem pays OCR $16 Million in record HIPAA settlement following largest health data breach in history (October 15, 2018).

The breach and enforcement actions are continuing in 2025. OCR already has announced numerous hacking-related settlements in the first quarter of 2025. See HHS Office for Civil Rights Settles HIPAA Ransomware Cybersecurity Investigation with Public Hospital (April 17, 2025); HHS Office for Civil Rights Settles HIPAA Security Rule Investigation with Northeast Radiology (April 4, 2025); HHS’ Office for Civil Rights Settles HIPAA Security Rule Investigation with Health Fitness Corporation (March 21, 2025); HHS Office for Civil Rights Imposes a $200,000 Penalty Against Oregon Health & Science University; HHS Office for Civil Rights Imposes a $1,500,000 Civil Money Penalty Against Warby Parker in HIPAA Cybersecurity Hacking Investigation (February 20, 2025); HHS Office for Civil Rights Settles HIPAA Phishing Cybersecurity Investigation with Solara Medical Supplies, LLC for $3,000,000 (January 14, 2025); HHS Office for Civil Rights Settles 9th Ransomware Investigation with Virtual Private Network Solutions (January 7, 2025).

Look for more of these enforcement actions to emerge soon. Between January 1 and April 23, 2025 alone, OCR received 161 hacking-related breach reports from Regulated Entities. OCR’s Breach Portal indicates that on April 23, 2025, OCR had a total of 554 open hacking-related breach investigations, 506 involving health care providers, 47 involving health plans, and one involving a health care clearinghouse.

Health plans and other Regulated Entities will want to take appropriate actions to avoid becoming subject to breaches subjecting them to these investigations and enforcement actions, particularly with OCR Acting Director Anthony Archeval warninghealth plans and other Regulated Entities:

Ransomware and hacking are the primary cyber-threats to electronic protected health information within the health care industry. Failure to conduct a HIPAA risk analysis puts this information at risk and vulnerable to future ransomware attacks and other cyber-threats[.]

Duty To Analyze & Manage Hacking & Other Susceptibilities

The HIPAA Privacy, Security, and Breach Notification Rules require Regulated Entities to take specific actions as warranted by their threat susceptibility to protect the privacy and security of electronic protected health information (“ePHI”) from hacking and other improper access, destruction, or disclosure. At the heart of these requirements is the requirement that health plans and other Regulated Entities conduct documented risk analyses of their assessment of the susceptibility information of their ePHI to hacking and other threats. As reflected in the following table of current HIPAA sanctions, violation of these HIPAA requirements exposes a Regulated Entity to significant civil monetary penalties or criminal sanctions.

The HIPAA Security Rule requires a Regulated Entity to conduct an “accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI” and “[i]mplement policies and procedures to prevent, detect, contain, and correct security violations.” Meanwhile, the HIPAA Breach Notification Rule requires in 45 CFR § 164.402 that a Regulated Entity that experiences an impermissible acquisition, access, use, or disclosure (“breach”) of unsecured ePHI to conduct a documented risk assessment to determine whether the Regulated Entity must notify affected individuals, OCR and in the case of breaches involving the ePHI of 500 or more individuals, the media. OCR interprets these Rules together also to require Regulated Entities experiencing a breach of ePHI or having evidence putting the Regulated Entity on notice of a potential susceptibility creating a risk of a breach as triggering a duty by the Regulated Entity to conduct a Risk Assessment to assess the susceptibility of its ePHI to the risk and the actions reasonably necessary to mitigate it under the Security Rule.

OCR views Risk Analysis as foundational to the protection of ePHI. Consequently, OCR constantly has urged Regulated Entities to fulfill their Risk Analysis obligations since the earliest days of HIPAA in its guidance and educational outreach, as well as by regularly discussing the requirement and role of Risk Analysis deficiencies in creating the circumstances leading to enforcement actions against Regulated Entitles in its civil monetary penalty assessments and HIPAA settlement announcements.

Despite OCR’s constant and ever-rising efforts to promote compliance with the Risk Analysis requirements, however, OCR consistently has found deficiencies in Regulated Entities’ Risk Analysis in its breach investigations and audit findings since these rules became effective. As the number and magnitude of reported breaches of ePHI skyrocketing and massive breaches like those experienced in 2024 by UnitedHealthcare subsidiary Change Health, Ascension and others demonstrating the serious consequences ransomware and other cyberattacks can inflict on health care delivery, payment, and patient privacy, OCR is placing new emphasis on tightening both the requirements for Risk Analysis and its enforcement of compliance with the Risk Analysis requirements.

Look for OCR both to continue zealously to enforce the Risk Analysis and other HIPAA Security Rule compliance and to tighten thesed requirements. On December 27, 2024, for instance, OCR published a notice of proposed rulemaking that proposes to clarify and tighten significantly the Risk Analysis requirements and other elements of the HIPAA Security Rule. Along with proposing these heightened Risk Analysis requirements, OCR announced and now is zealously enforcing the current Risk Analysis requirements through its Risk Analysis Initiative to hold Regulated Entities accountable for failing to fulfill their Risk Analysis responsibilities as part of its heightened efforts to improve Regulated Entities’ fulfillment of their Risk Analysis obligations. Prior to its announcement of the PIH settlement, OCR in recent months announced seven Risk Analysis Initiative settlements, including three in April.

Breaches & Other Security Rule Violations Carry Substantial Liability Risks

Tier	Civil Penalties[1]	Criminal Penalties
1	Lack of Knowledge: $141 – $71,162 per violation	Reasonable Cause or No Knowledge of Violation: Up to 1 year imprisonment
2	Reasonable Cause: $1,424 – $71,162 per violation	PHI Obtained Under False Pretenses: Up to 5 years imprisonment
3	Willful Neglect (corrected within 30 days): $14,232 – $71,162 per violation	PHI Obtained for Personal Gain or with Malicious Intent: Up to 10 years imprisonment
4	Willful Neglect (not corrected within 30 days): $71,162 – $2,134,831 per violation

Most Regulated Entities that OCR accused of violating the HIPAA requirements avoid paying the full amount of authorized civil monetary penalties by accepting OCR settlement offers. As the $600,000 PIH and other settlements demonstrate, however, settlement with OCR allows Regulated Entities to avoid much greater potential civil monetary penalties by paying a much smaller, but still generally significant, settlement amount. As significant as these penalties and settlement costs are, they typically reflect only a small portion of the true cost organizations suffer from a breach. With the average financial consequences suffered by organizations that experience a data breach now approaching $5 million, costs of investigation and recovery from a breach and the associated operational and business disruptions experienced inflict a heavy toll even where OCR allows the health plan or other Regulated Entity to resolve its exposures with no financial settlement or penalty.

Breaches & Other Security Rule Violations Create Substantial Liability For Plans & Their Fiduciaries

While health plan breach notifications generally have lagged far behind provider notifications in number, reported health plan breaches generally have resulted the largest civil monetary penalty or resolution payments largely due to the massive number of individuals affected by these breaches. See e.g., HHS Office for Civil Rights Settles with L.A. Care Health Plan Over Potential HIPAA Security Rule Violations (September 11, 2023); Voluntary Resolution Agreement Between The United States Department of Health and Human Services, Office for Civil Rights (“HHS”) and UnitedHealthcare Insurance Company (August 24, 2023); Health Insurer Pays $5.1 Million to Settle Data Breach Affecting Over 9.3 Million People (January 15, 2021); Aetna Pays $1,000,000 to Settle Three HIPAA Breaches (October 28, 2020); Health Insurer Pays $6.85 Million to Settle Data Breach Affecting Over 10.4 Million People (September 25, 2020); Health Insurer Pays $6.85 Million to Settle Data Breach Affecting Over 10.4 Million People (September 25, 2020); HIPAA Business Associate Pays $2.3 Million to Settle Breach Affecting Protected Health Information of Over 6 million Individual (September 23, 2020); Anthem pays OCR $16 Million in record HIPAA settlement following largest health data breach in history (October 15, 2018); Record $16M Anthem HIPAA Settlement Signals Need To Tighten HIPAA Compliance & Risk Management.

PIH Third Hacking Settlement In April

Although OCR’s PIH settlement announcement does not label the settlement as a Risk Analysis Initiative, OCR’s discussion makes clear OCR considered PIH’s failure to fulfill the Risk Analysis requirements a core failure contributing to the breach. The PIH settlement resolves an investigation that OCR conducted after receiving a breach report from PIH in January 2020 about a June 2019 phishing attack. The report stated the attack compromised forty-five of its employees’ email accounts, resulting in the breach of 189,763 individuals’ unsecured ePHI. PIH reported that the ePHI disclosed in the phishing attack included affected individuals’ names, addresses, dates of birth, driver’s license numbers, Social Security numbers, diagnoses, lab results, medications, treatment and claims information, and financial information.

OCR’s investigation found multiple potential violations of the HIPAA Rules, including:

Failure to use or disclose protected health information only as permitted or required by the HIPAA Privacy Rule.
Failure to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by PIH.
Failure to notify affected individuals, the HHS Secretary, and the media of a breach of unsecured protected health information within 60 days of its discovery.

Under the terms of the resolution agreement, PIH has agreed to implement a corrective action plan that OCR will monitor for two years and pay a $600,000 settlement to OCR. Under the corrective action plan, PIH is obligated to take definitive steps toward resolving potential violations of the HIPAA Rules, including:

Conducting an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI.
Developing and implementing a risk management plan to address and mitigate security risks and vulnerabilities identified in its risk analysis.
Developing, maintaining, and revising, as necessary, its written policies and procedures to comply with the HIPAA Rules.
Training its workforce members who have access to PHI on its HIPAA policies and procedures.

The findings of deficiencies in PIH’s risk analysis and requirements that PIH conduct an accurate and thorough risk analysis and implement a risk management plan to address and mitigate identified security risks and vulnerabilities are a recurrent theme in OCR breach investigations. OCR’s recent addition of a Risk Analysis Initiative to its compliance and enforcement priorities heightens the significance of OCR’s inclusion of these findings and requirements in the PIH settlement.

Previous Health Plan Enforcement Actions Confirms Health Plan Face Similar HIPAA Exposures

In January 2021, for instance, OCR announced New York health insurer, Excellus Health Plan, Inc., would pay $5.1 million to settle potential HIPAA violations related to a breach affecting over 9.3 million people. The settlement resulted from OCR’s investigation of a September 9, 2015, breach report that cyber-attackers gained unauthorized access to its information technology systems. Excellus Health Plan reported that the breach began on or before December 23, 2013, and ended on May 11, 2015. The hackers installed malware and conducted reconnaissance activities that ultimately resulted in the impermissible disclosure of the protected health information of more than 9.3 million individuals, including their names, addresses, dates of birth, email addresses, Social Security numbers, bank account information, health plan claims, and clinical treatment information. The resolution payment is the second largest collected by OCR to date.

In October, 2020, OCR announced a resolution agreement with Aetna Life Insurance Company and affiliated covered entity (Aetna) where Aetna paid a $1 million resolution payment to settle potential HIPAA violations that arose from Aetna’s filing of hacking related breach reports in 2017 and OCR’s September 2021 announcement of a resolution agreement where Premera Blue Cross (PBC) agreed to pay $6.85 million to OCR (the second largest in OCR history) to settle potential HIPAA violations related to a breach affecting over 10.4 million people. This resolution represents the third largest payment to resolve a HIPAA investigation in OCR history.

In each of these and all subsequent breach enforcement announcements and other guidance, OCR also persistently urges health plans and other regulated entities to perform the required documented risk assessments and take the required actions necessary to guard their ePHI from hackers and other susceptibilities.

Required & Recommended Actions To Promote Defensibility Of Risk Analysis Compliance

With cyberattacks targeting health care and other Regulated Entities soaring and OCR stepping up its scrutiny of Regulated Entities’ Risk Analysis compliance in audits and enforcement actions, each health care provider and other Regulated Entity should review and tighten its Risk Analysis practices and documentation to reduce its susceptibility to potential breaches and to promote its ability to defend its compliance with the Risk Analysis requirements in the event of a breach investigation or audit.

Fulfill Current Risk Analysis Standards

To fulfill the “Risk Analysis” implantation specification, the Security Management Process Standard requires Regulated Entities enforce appropriate administrative, physical, and technical safeguards for the confidentiality, integrity, and security of electronic protected health information (“ePHI”) based on an up-to-date conduct of an up-to-date accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by that organization (“Risk Analysis”).

The Security Rule requires Regulated Entities to document each Risk Analysis in writing, to keep Risk Analysis documentation for six years, and to provide Risk Analysis documentation to OCR upon request.

Among other things, the Risk Analysis implementation standard requires regulated entities adequately to:

Identify where ePHI is located in the organization, including how ePHI enters, flows through, and leaves the organization’s information systems.
Integrate Risk Analysis and risk management into the organization’s business processes.
Ensure that audit controls are in place to record and examine information system activity.
Implement regular reviews of information system activity.
Utilize mechanisms to authenticate information to ensure only authorized users are accessing ePHI.
Encrypt ePHI in transit and at rest to guard against unauthorized access to ePHI when appropriate.
Incorporate lessons learned from incidents into the organization’s overall security management process.
Provide workforce members with regular HIPAA training that is specific to the organization and to the workforce members’ respective job duties.

Follow Proposed Rules & Enforcement Actions To Mitigate Risks

The proposed rule published by OCR on December 27, 2024, seeks to clarify and expand the original requirements of the Risk Assessment implementation standard based on OCR’s past HIPAA Security and Breach Rule investigation and enforcement experience. Under the proposed rule, a Regulated Entity’s Risk Analysis also would be required to include:

Require the development and revision of a technology asset inventory and a network map that illustrates the movement of ePHI throughout the regulated entity’s electronic information system(s) on an ongoing basis, at least once every 12 months and in response to a change in the regulated entity’s environment or operations that may affect ePHI.
Require greater specificity for conducting a risk analysis, including a written assessment that contains, among other things:
- A review of the technology asset inventory and network map;
- Identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI;
- Identification of potential vulnerabilities and predisposing conditions to the regulated entity’s relevant electronic information systems;
- An assessment of the risk level for each identified threat and vulnerability, based on the likelihood that each identified threat will exploit the identified vulnerabilities; and
- A review of the technology asset inventory and network map.

Other changes included in the proposed rule would further heighten the Risk Analysis and other Security Standard requirements for Regulated Entities. For instance, the proposed rule would require Regulated Entities:

To establish written procedures to restore the loss of certain relevant electronic information systems and data within 72 hours;
To perform an analysis of the relative criticality of their relevant electronic information systems and technology assets to determine the priority for restoration;
To establish written security incident response plans and procedures documenting how workforce members are to report suspected or known security incidents and how the regulated entity will respond to suspected or known security incidents;
To implement written procedures for testing and revising written security incident response plans;
To conduct a compliance audit at least once every 12 months to ensure their compliance with the Security Rule requirements;
To require business associates to verify at least once every 12 months for covered entities (and that business associate contractors verify at least once every 12 months for business associates) that they have deployed technical safeguards required by the Security Rule to protect ePHI through a written analysis of the business associate’s relevant electronic information systems by a subject matter expert and a written certification that the analysis has been performed and is accurate;
To encrypt ePHI at rest and in transit, with limited exceptions;
To establish and deploy technical controls for configuring relevant electronic information systems, including workstations, in a consistent manner including deployment of anti-malware protection, removal of extraneous software, and disabling network ports in accordance with the regulated entity’s risk analysis;
Use of multi-factor authentication, with limited exceptions;
Vulnerability scanning at least every six months and penetration testing at least once every 12 months;
Network segmentation;
Separate technical controls for backup and recovery of ePHI and relevant electronic information systems;
To review and test the effectiveness of certain security measures at least once every 12 months, in place of the current general requirement to maintain security measures;
Business associates to notify covered entities (and subcontractors to notify business associates) upon activation of their contingency plans without unreasonable delay, but no later than 24 hours after activation;
Group health plans to include in their plan documents requirements for their group health plan sponsors to: comply with the administrative, physical, and technical safeguards of the Security Rule; ensure that any agent to whom they provide ePHI agrees to implement the administrative, physical, and technical safeguards of the Security Rule; and notify their group health plans upon activation of their contingency plans without unreasonable delay, but no later than 24 hours after activation.

To help Regulated Entities understand and fulfill these responsibilities, OCR alone and in conjunction with the Office of the National Coordinator for Health Information Technology (“ONC”) also has published guidance like the HIPAA Security Risk Assessment (SRA) Tool. OCR guidance reflects that fulfillment of the Tool can help Regulated Entities may help defend but does not guarantee fulfillment of the Risk Assessment requirements, as the adequacy of the Risk Assessment always depends upon the unique facts and circumstances of the Regulated Entity at a particular time. This guidance confirms the importance of conducting timely and appropriate Risk Analysis in a manner that shows the Regulated Entity appropriately evaluated the risks to its e-PHI and acted reasonably in designing, administering, and updating that Risk Analysis to reasonably defend its e-PHI against breaches or other susceptibilities.

Since OCR’s guidance makes clear that the adequacy of a Regulated Entity’s Risk Analysis and other HIPAA Security compliance based on its evaluation and response to known and suspected susceptibility threats as conducted and documented pursuant to the Risk Analysis rule, health care providers and other Regulated Entities should view Risk Analysis as an ongoing process. While the Security Rule does not currently dictate how frequently a regulated entity must perform Risk Analysis, a proposed rule published by OCR on December 27, 2024 seeks to amend the existing Security Rule to expand the requirement to require regulated entities to develop and revise a technology asset inventory and a network map that illustrates the movement of ePHI throughout the regulated entity’s electronic information system(s) on an ongoing basis, at least once every 12 months and in response to a change in the regulated entity’s environment or operations that may affect ePHI. Although OCR has not officially adopted this and other changes contained in the proposed rule, substantial evidence exists that it already regularly administers the Risk Analysis requirement with the expectation that regulated entities will perform Risk Analysis at least this frequently. For instance, current OCR resolution agreements require impacted organizations to conduct Risk Analysis to identify and address vulnerabilities at least annually, and more frequently as needed in response to signs of potential breach or susceptibility. Likewise, since OCR developed the proposed rule from its past enforcement experience, wise Regulated Entities also will recognize the value of drawing upon the changes set forth in the proposed rule for helpful insights to strengthen the security of their ePHI generally and promoting the defensibility of the adequacy of their Risk Assessments.

Additional Responsibilities & Risks For Health Plan Fiduciaries & Sponsors

Along side the OCR warnings, employment and union sponsored health plans, their sponsors, insurers, business associates and fiduciaries also now face additional pressure to take appropriate steps to security health plan data and timely investigate and report breaches.

prudent steps to secure their health plans’ protected health information and electronic data systems against improper use, access, destruction or disclosure under April, 2021 Employee Benefit Security Administration (“EBSA”) guidance package that for the first time officially recognizes cybersecurity as included in the fiduciary responsibilities of employee benefit plan fiduciaries under the Employee Retirement Income Security Act (“ERISA”) and addition of cybersecurity to its plan audits. As a result, in addition to complying with HIPAA, ERISA-covered health plan fiduciaries and sponsors also should be prepared to demonstrate that plan fiduciaries have taken the steps prudently necessary to guard health and other employee benefit plan data and systems against cybersecurity threats. In light of this guidance health plan fiduciaries and sponsors generally will want to ensure that at minimum, they can demonstrate that the health plan and health plan vendor cybersecurity safeguard meet or exceed the recommendations included in the following guidance materials published by EBSA as part of this cybersecurity announcement and any other steps that are prudent to guard against cybersecurity threats:

Tips for Hiring a Service Provider: Helps plan sponsors and fiduciaries prudently select a service provider with strong cybersecurity practices and monitor their activities, as ERISA requires.
Cybersecurity Program Best Practices: Assists plan fiduciaries and record-keepers in their responsibilities to manage cybersecurity risks.
Online Security Tips: Offers plan participants and beneficiaries who check their retirement accounts online basic rules to reduce the risk of fraud and loss.

In light of this OCR and EBSA guidance, health plan sponsors, fiduciaries and vendors and other HIPAA covered entities and business associates are urged to take documented steps to audit and strengthen as needed their safeguards against hacking and other cybersecurity threats including:

In the case of any health plan or health plan vendor, taking well documented steps to assess and tighten as necessary their health plan systems and data security to meet or exceed the recommendation outlined in the EBSA cybersecurity guidance or otherwise necessary to prudently guard their plans and plan data and systems against cybersecurity threats.
Reviewing and monitoring on a documented, ongoing basis the adequacy and susceptibilities of existing practices, policies, safeguards of their own organizations, as well as their business associates and their vendors within the scope of attorney-client privilege taking into consideration data available from OCR, data regarding known or potential susceptibilities within their own operations as well as in the media, and other developments to determine if additional steps are necessary or advisable.
Updating policies, privacy and other notices, practices, procedures, training and other practices as needed to promote compliance and defensibility.
Renegotiating and enhancing service provider agreements to detail the specific compliance, audit, oversight and reporting rights, workforce and vendor credentialing and access control, indemnification, insurance, cooperation and other rights and responsibilities of all entities and individuals that use, access or disclose, or provide systems, software or other services or tools that could impact on security; to clarify the respective rights, procedures and responsibilities of each party in regards to compliance audits, investigation, breach reporting, and mitigation; and other relevant matters.
Verifying and tightening technological and other tracking, documentation and safeguards and controls to the use, access and disclosure of protected health information and systems.
Conducting well-documented training as necessary to ensure that members of the workforce of each covered entity and business associate understand and are prepared to comply with the expanded requirements of HIPAA, understand their responsibilities and appropriate procedures for reporting and investigating potential breaches or other compliance concerns, and understand as well as are prepared to follow appropriate procedures for reporting and responding to suspected
violations or other indicia of potential security concerns.
Tracking and reviewing on a systemized, well-documented basis actual and near miss security threats to evaluate, document decision-making and make timely adjustments to policies, practices, training, safeguards and other compliance components as necessary to identify and resolve risks.
Establishing and providing well-documented monitoring of compliance that includes board level oversight and reporting at least quarterly and sooner in response to potential threat indicators.
Establishing and providing well-documented timely investigation and redress of reported
violations or other compliance concerns.
Establishing contingency plans for responding in the event of a breach.
Establishing a well-documented process for monitoring and updating policies, practices and other efforts in response to changes in risks, practices and requirements.
Preparing and maintaining a well-documented record of compliance, risk, investigation and other security activities.
Pursuing other appropriate strategies to enhance the covered entity’s ability to demonstrate its compliance commitment both on paper and in operation.

Because susceptibilities in systems, software and other vendors of business associates, covered entities and their business associates should use care to assess and manage business associate and other vendor associated risks and compliance as well as tighten business associate and other service agreements to promote the improved cooperation, coordination, management and oversight required to comply with the new breach notification and other HIPAA requirements by specifically mapping out these details.

Leaders of covered entities or their business associates also are cautioned that while HIPAA itself does not generally create any private right of action for victims of breach under HIPAA, breaches may create substantial liability for their organizations or increasingly, organizational leaders under state data privacy and breach, negligence or other statutory or common laws. In addition, physicians and other licensed parties may face professional discipline or other professional liability for breaches violating statutory or ethical standards. Meanwhile, the Securities and Exchange Commission has indicated that it plans to pursue enforcement against leaders of public health care or other companies that fail to use appropriate care to ensure their organizations comply with privacy and data security obligations and the Employee Benefit Security Administration recently has issued guidance recognizing prudent data security practicces as part of the fiduciary obligations of health plans and their fiduciaries.

Appropriate Processes Can Prevent Breaches & Enhance Defensibility

With the continued explosion in ransomware and other cyberthreats heightening the risk of experiencing a breach or other incident likely to draw the attention of OCR, each health plan or other Regulated Entity should take assess and confirm the adequacy of their current Risk Analysis, both to protect its ePHI and to promote its ability to defend its compliance with the HIPAA Security Rule’s Risk Analysis and other requirements in light of OCR’s heightened emphasis on Risk Analysis compliance and enforcement. For purposes of conducting this analysis, Regulated Entities generally will want to use a process like the following to structure their evaluation of their existing Risk Analysis to take advantage of the opportunity to use attorney-client privilege and other evidentiary rules to help protect discoverability of sensitive discussions about possible deficiencies in their existing Risk Analysis and discussions about potential tradeoffs considered in current or future Risk Analysis response:

Engage legal counsel experienced with HIPAA and other cybersecurity-related risks and liabilities to advise and assist your organization in designing and administering your Risk Analysis processes and response within the scope of attorney-client privilege;
Appoint and designate leadership and technical leadership for team responsible for design and administration of your organization’s initial and ongoing cybersecurity Risk Analysis and response (“Cyber-Risk Team”) and process for board and senior management reporting of the Cyber-Risk Team;
Select and engage outside consulting service providers, cyber-liability insurers and other risk service providers expected to participate in the process; work with qualified legal counsel to contract with these business associates to include the business associate agreement and other reassurances required by the HIPAA Privacy, Security and Breach Notification Rule and other performances, cooperation to provide and back services in accordance with agreed-upon protocols in the contract;
Train Cyber-Risk Team in the appropriate processes for working with internal teams, outside service providers, leadership, and designated legal counsel to conduct Risk Analysis, investigation and response using attorney-client privilege and other evidentiary tools and processes to maximize defensibility;
Require the Cyber-Risk Team conduct an updated, document assessment of cyber-risk within scope of attorney-client privilege and work with legal counsel to develop a documented cyber-risk policy that captures analysis and determinations for your justification for the size, scope and timing of your periodic Risk Analysis and rules and processes for interim risk identification, reassessments and response in reaction to potential cyber-risk signs between periodic Risk Analysis for presentation and approval by the Board taking into account the insights from published final and proposed guidance, enforcement actions and industry standards;
Require, oversee and enforce Cyber-Risk Team’s documented administration of the initial and subsequently required Risk Analysis and response pursuant to the adopted cyber-risk policy to identify vulnerabilities and work with legal counsel within the scope of privilege to document your analysis and justifications for addressing identified vulnerabilities and other required actions in response to identified susceptibilities or event;
Review adequacy of incident detection and response arrangements, including reporting and response mechanisms, insurance and indemnification protection, and other critical elements for mitigation and recovery; and
Other actions as warranted based on advice of counsel taking into account emerging threats, guidance, and risk susceptibility.

Although civil monetary penalties or settlements are the most common sanction imposed for HIPAA Security and Breach Notification rule violations, willful and certain other violations of HIPAA can trigger criminal liability subject to the Federal Sentencing Guidelines. Consequently, beyond fulfilling the specific requirements of HIPAA, an adequate Risk Assessment also can be an invaluable tool for helping mitigate Federal Sentencing Guideline exposures of a Regulated Entity and its leaders under the Federal Sentencing Guidelines Organizational Liability rules.

Beyond these specific HIPAA-associated exposures, Regulated Entities and their leaders should keep in mind that HIPAA is likely only one of many laws that define their responsibilities to secure, report, and respond to breaches of ePHI or other sensitive data. Depending on the location, nature and other circumstances, Regulated Entities and their leaders also may have additional responsibilities and liability exposures under a variety of other federal and state laws, ethical or other professional standards, and contractual obligations in addition to those imposed under HIPAA and ERISA. For instance, inadequate data safeguards for ePHI also can trigger liability under the Fair and Accurate Credit Transactions Act, the Federal Trade Commission Act, and various electronic crimes statutes. The Securities and Exchange Commission rules can trigger disclosure and other obligations for publicly traded hospital or other health care providers, insurers, or their business associates. Health care providers, payers and others are likely to face specific additional health care or insurance-specific licensing and ethics rules, as well as other confidential information privacy, cybersecurity and breach reporting obligations and liability under various state statutes and regulations. Regulated Entities and their leaders generally will want to fully evaluate and manage these risks in conjunction with their compliance with the Risk Analysis and other requirements of the HIPAA Security and Breach Notification Rules.

Finally, health plans and other Regulated Entities are reminded that appropriate strategic planning, ongoing diligence in monitoring and responding to security events and susceptibility, and timely and appropriate use of appropriate evidentiary and procedural tools can critically impact the defensibility of pre-breach, breach investigation and post-breach investigation and decision-making. Because HIPAA, EBSA and other rules typically require prompt investigation and response to known or suspected hacking or other cybersecurity threats, health plans and other covered entities or business associates should seek the assistance of experienced legal counsel to advise and assist in these activities to understand the potential availability and proper use of these and other evidentiary rules as part of the compliance planning process as well as to prepare for appropriate use in the event of a known or suspected incident to avoid unintentional compromise of these protections.

The author of this update, Cynthia Marcotte Stamer is nationally known and celebrated for her experience providing advice and representation to health care providers, health insurers, employers and other health plan sponsors, health plans, health plan fiduciaries and administrators, third party administrators, human resources and health plan technology, and other businesses about HIPAA and other compliance, risk management and operational matters. If you have questions or need advice or help evaluating or addressing these or other compliance, risk management, or other concerns, contact her.

For More Information Or Help

About the Author

Cynthia Marcotte Stamer is a Martindale-Hubble AV-Preeminent (highest/top 1%) practicing attorney recognized as a “Top Woman Lawyer,” “Top Rated Lawyer,” and “LEGAL LEADER™” in Health Care Law and Labor and Employment Law; among the “Best Lawyers In Dallas” in “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law recognized for her experience, scholarship, thought leadership and advocacy on HIPAA and other data and technology use, security and compliance in connection with her work with health care and life sciences, employee benefits, insurance, education, technology and other highly regulated and performance-dependent clients.

Ms. Stamer is the author of many highly regarded works published by leading professional and business publishers, the ABA, the American Health Lawyers Association, and others. Ms. Stamer also frequently speaks and serves on the faculty and steering committee for many ABA and other professional and industry conferences and conducts leadership and industry training for a wide range of organizations.

About Solutions Law Press™

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or admission. Solutions Law Press and its authors reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. Solutions Law Press and its authors disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

[1] The civil monetary penalty amounts are adjusted annually for inflation. OCR has not yet published the 2025 inflation adjusted amounts.

Comments Off on Another Large HIPAA Settlement Warns Health Plans & Other HIPAA Entities To Analyze & Manage Their Hacking & Other Data Susceptibilities | Corporate Compliance, Cybercrime, Cybersecurity, Data breach, Employer, Employers, ERISA, FACTA, Fiduciary Responsibility, Health Plans, HIPAA, HIPAA, Reporting & Disclosure | Tagged: Cyber Security, Cybersecurity, healthcare, Security, Technology | Permalink
Posted by Cynthia Marcotte Stamer

Health Plans & Other HIPAA-Covered Entities Urged To Strengthen HIPAA Risk Analysis Processes & Documentation In Response To Rising Breach & OCR Enforcement Risks

April 22, 2025

With the financial impact to businesses suffering data breaches in 2024 now averaging nearly $5 million and the announcement by the Department of Health and Human Services Office of Civil Rights (“OCR”) two additional Health Insurance Portability & Accountability Act (“HIPAA”) “Risk Analysis Initiative” settlements in seven days, health plans, health care providers, healthcare clearinghouses (“Covered Entities”) and their business associates (collectively “Regulated Entities”) face a growing imperative to act now to promote the defensibility of their practices under the Risk Analysis and other HIPAA Privacy, Security, and Breach Notification Rule requirements. Coupled with OCR’s steady announcement of enforcement actions like those announced this month against NERAD and others under its Risk Analysis Initiative, OCR clearly health plans and other Regulated Entities to clean up and strengthen their Risk Analysis and other HIPAA Security Rule compliance.

HIPAA Risk Analysis Requirement & OCR Risk Analysis Initiative

The need for Regulated Entities to ensure their fulfillment of HIPAA’s Risk Analysis requirements to prevent and mitigate their legal, financial and operational exposures from breaches of electronic protected health information (“ePHI”) and to defend against a potential OCR Risk Analysis enforcement action or audit is demonstrated by OCR’s announcement of HIPAA Security Rule enforcement actions and settlements with Northeast Radiology, P.C. (NERAD) on April 10, 2025, and Guam Memorial Hospital Authority (“GMHA”) on April 17, 2025, the sixth and seventh under OCR’s recently announced HIPAA “Risk Analysis Initiative” .

Risk Analysis Longstanding HIPAA Requirement

The HIPAA Privacy, Security, and Breach Notification Rules Regulated Entities to meet specific standards to protect the privacy and security of protected health information. Since the HIPAA Security Rule first took effect, risk analysis is one of the four required implementation specifications Regulated Entities must meet under the Security Management Process standard in 45 CFR § 164.308.

To fulfill this Risk Analysis requirement, a Regulated Entity must conduct an “accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI” and “[i]mplement policies and procedures to prevent, detect, contain, and correct security violations.”

Additionally, in 45 CFR § 164.402 the HIPAA Breach Notification Rule requires a Regulated Entity that experiences an impermissible acquisition, access, use, or disclosure (“breach”) of unsecured ePHI to conduct a documented risk assessment to determine whether the Regulated Entity must notify affected individuals, OCR and in the case of breaches involving the ePHI of 500 or more individuals, the media. As consistently interpreted and applied by OCR, experiencing a breach or the existence of evidence putting the Regulated Entity on notice of a potential susceptibility creating a risk of a breach triggers a duty by the Regulated Entity to conduct a Risk Assessment to assess the susceptibility of its ePHI to the risk and the actions reasonably necessary to mitigate it under the Security Rule.

OCR views Risk Analysis as foundational to the protection of ePHI. As OCR Acting Director Anthony Archeval recently stated to explain OCR’s emphasis on Risk Analysis compliance and enforcement, “Ransomware and hacking are the primary cyber-threats to electronic protected health information within the health care industry. Failure to conduct a HIPAA risk analysis puts this information at risk and vulnerable to future ransomware attacks and other cyber-threats[.]” Consequently, OCR has constantly has urged Regulated Entities to fulfill their Risk Analysis obligations since the earliest days of HIPAA. To promote compliance, OCR persistently has communicated the necessity and importance of the Risk Analysis in guidance and sought to reinforce the consequences of inadequate Risk Analysis by discussing the role of Risk Analysis deficiencies in creating the circumstances leading to enforcement actions against Regulated Entitles in its civil monetary penalty assessments and HIPAA settlement announcements.

OCR Raising Risk Analysis Expectations & Enforcement

Despite OCR’s constant and ever-rising efforts to promote compliance with the Risk Analysis requirements, however, OCR consistently has found deficiencies in Regulated Entities’ Risk Analysis in its breach investigations and audit findings since these rules became effective. As the number and magnitude of reported breaches of ePHI skyrocketing and massive breaches like those experienced in 2024 by UnitedHealthcare subsidiary Change Health, Ascension and others demonstrating the serious consequences ransomware and other cyberattacks can inflict on health plan claims and payment, health care delivery, payment, and patient privacy, OCR is placing new emphasis on tightening both the requirements for Risk Analysis and its enforcement of compliance with the Risk Analysis requirements.

On December 27, 2024, for instance, OCR published a notice of proposed rulemaking that proposes to clarify and tighten significantly the Risk Analysis requirements and other elements of the HIPAA Security Rule. Along with proposing these heightened Risk Analysis requirements, OCR announced and now is zealously enforcing the current Risk Analysis requirements through its Risk Analysis Initiative to hold Regulated Entities accountable for failing to fulfill their Risk Analysis responsibilities as part of its heightened efforts to improve Regulated Entities’ fulfillment of their Risk Analysis obligations. With OCR’s announcement of the NERAD and GMHA enforcement actions on April 10 and April 17, respectively bringing to seven the number of Risk Analysis Initiative enforcement settlements in recent months, health care providers and other Regulated Entities should heed the schooling these and other similarly sanctioned organizations as a call to action to ensure their own Risk Analysis and other HIPAA Privacy, Security and Breach Rule compliance.

NERAD Enforcement Risk Analysis Initiative Enforcement Action & Settlement

The first of two Risk Analysis Initiative settlements announced in seven days in April and the sixth enforcement action and settlement specifically labeled as taken under the “Risk Analysis Initiative,” the NERAD enforcement action and settlement announced April 10, 2025 resolves liabilities for violation of the Risk Analysis Rule arising from OCR’s investigation of a breach of ePHI stored on NERAD’s Picture Archiving and Communication System (“PACS”) server for storing, retrieving, managing, and accessing radiology images.

OCR initiated its investigation of NERAD after receiving a NERAD breach report that between April 2019 and January 2020, unauthorized individuals accessed radiology images stored on NERAD’s PACS server. NERAD notified the 298,532 patients whose information was potentially accessible on the PACS server of this breach. OCR’s investigation found that NERAD had failed to conduct an accurate and thorough Risk Analysis to determine the potential risks and vulnerabilities to the ePHI in NERAD’s information systems.

To avoid potentially much greater HIPAA civil monetary penalties under the terms of the resolution agreement, NERAD paid OCR $350,000 and agreed to implement a corrective action plan that OCR will monitor for two years. Under the corrective action plan, NERAD will take steps to improve its compliance with the HIPAA Security Rule and protect the security of ePHI, including:

Conducting an accurate and thorough Risk Analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI;
Developing and implementing a risk management plan to address and mitigate security risks and vulnerabilities identified in its Risk Analysis;
Developing and implementing a written process to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports;
Developing, maintaining, and revising, as necessary, its written policies and procedures to comply with the HIPAA Rules; and
Augmenting its existing HIPAA and security training program to all of its workforce members who have access to PHI.

Guam Memorial Hospital Authority Risk Assessment Initiative & Ransomware Enforcement Action

Seven days after announcing the NERAD Risk Analysis enforcement action and settlement, OCR reaffirmed its commitment to enforcement of the Risk Analysis enforcement when it announced its first HIPAA settlement under the new Trump Administration with GMHA, a public hospital on the U.S. Territory, island of Guam, on April 17, 2025.

The seventh Risk Analysis Initiative enforcement action and eleventh ransomware enforcement action announced by OCR, the GMHA settlement arose from OCR’s investigation of two complaints alleging that GMHA impermissibly allowed the disclosure of ePHI of GMHA patients. OCR originally initiated its investigation in response to a January 2019 complaint alleging that GMHA experienced a ransomware attack affecting the ePHI of approximately 5,000 individuals. During the investigation, OCR received another complaint in March 2023 alleging that hackers accessed patient records. OCR’s investigation determined that GMHA had failed to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to ePHI held by GMHA.

Under the terms of the resolution agreement, GMHA paid OCR $25,000 and agreed to implement a corrective action plan that OCR will monitor for three years. In the corrective action plan, GMHA must take a number of steps to ensure compliance with the HIPAA Security Rule and protect the security of ePHI, including:

Conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI;
Develop and implement a risk management plan to address and mitigate security risks and vulnerabilities identified in its risk analysis;
Develop a written process to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports;
Develop, maintain, and revise, as necessary, written policies and procedures to comply with the HIPAA Privacy, Security and Breach Notification Rules;
Augment its existing HIPAA and security training program so all workforce members with access to PHI understand the HIPAA requirements and GMHA’s HIPAA policies and procedures;
Enhance workforce security and information access management by reviewing all access credentials that have been granted access to ePHI; and
Conduct breach risk assessments and provide evidence to OCR that all breach notification obligations have been conducted.

Required & Recommended Actions To Promote Defensibility Of Risk Analysis Compliance

With cyberattacks targeting health plan and other Regulated Entities soaring and OCR stepping up its scrutiny of Regulated Entities’ Risk Analysis compliance in audits and enforcement actions, each health plan and insurer and other Regulated Entity should review and tighten its Risk Analysis practices and documentation to reduce its susceptibility to potential breaches and to promote its ability to defend its compliance with the Risk Analysis requirements in the event of a breach investigation or audit.

Fulfill Current Risk Analysis Standards

Among other things, the Risk Analysis implementation standard requires regulated entities adequately to:

Identify where ePHI is located in the organization, including how ePHI enters, flows through, and leaves the organization’s information systems.
Integrate Risk Analysis and risk management into the organization’s business processes.
Ensure that audit controls are in place to record and examine information system activity.
Implement regular reviews of information system activity.
Utilize mechanisms to authenticate information to ensure only authorized users are accessing ePHI.
Encrypt ePHI in transit and at rest to guard against unauthorized access to ePHI when appropriate.
Incorporate lessons learned from incidents into the organization’s overall security management process.
Provide workforce members with regular HIPAA training that is specific to the organization and to the workforce members’ respective job duties.

Use Proposed Rules & Enforcement Actions For Additional Guidance To Mitigate Risks

Require the development and revision of a technology asset inventory and a network map that illustrates the movement of ePHI throughout the regulated entity’s electronic information system(s) on an ongoing basis, at least once every 12 months and in response to a change in the regulated entity’s environment or operations that may affect ePHI.
Require greater specificity for conducting a risk analysis, including a written assessment that contains, among other things:
- A review of the technology asset inventory and network map;
- Identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI;
- Identification of potential vulnerabilities and predisposing conditions to the regulated entity’s relevant electronic information systems;
- An assessment of the risk level for each identified threat and vulnerability, based on the likelihood that each identified threat will exploit the identified vulnerabilities; and
- A review of the technology asset inventory and network map.

To establish written procedures to restore the loss of certain relevant electronic information systems and data within 72 hours;
To perform an analysis of the relative criticality of their relevant electronic information systems and technology assets to determine the priority for restoration;
To establish written security incident response plans and procedures documenting how workforce members are to report suspected or known security incidents and how the regulated entity will respond to suspected or known security incidents;
To implement written procedures for testing and revising written security incident response plans;
To conduct a compliance audit at least once every 12 months to ensure their compliance with the Security Rule requirements;
To require business associates to verify at least once every 12 months for covered entities (and that business associate contractors verify at least once every 12 months for business associates) that they have deployed technical safeguards required by the Security Rule to protect ePHI through a written analysis of the business associate’s relevant electronic information systems by a subject matter expert and a written certification that the analysis has been performed and is accurate;
To encrypt ePHI at rest and in transit, with limited exceptions;
To establish and deploy technical controls for configuring relevant electronic information systems, including workstations, in a consistent manner including deployment of anti-malware protection, removal of extraneous software, and disabling network ports in accordance with the regulated entity’s risk analysis;
Use of multi-factor authentication, with limited exceptions;
Vulnerability scanning at least every six months and penetration testing at least once every 12 months;
Network segmentation;
Separate technical controls for backup and recovery of ePHI and relevant electronic information systems;
To review and test the effectiveness of certain security measures at least once every 12 months, in place of the current general requirement to maintain security measures;
Business associates to notify covered entities (and subcontractors to notify business associates) upon activation of their contingency plans without unreasonable delay, but no later than 24 hours after activation;
Group health plans to include in their plan documents requirements for their group health plan sponsors to: comply with the administrative, physical, and technical safeguards of the Security Rule; ensure that any agent to whom they provide ePHI agrees to implement the administrative, physical, and technical safeguards of the Security Rule; and notify their group health plans upon activation of their contingency plans without unreasonable delay, but no later than 24 hours after activation.

Since OCR’s guidance makes clear that the adequacy of a Regulated Entity’s Risk Analysis and other HIPAA Security compliance based on its evaluation and response to known and suspected susceptibility threats as conducted and documented pursuant to the Risk Analysis rule, health plans and other Regulated Entities should view Risk Analysis as a ongoing process. While the Security Rule does not currently dictate how frequently a regulated entity must perform Risk Analysis, a proposed rule published by OCR on December 27, 2024 seeks to amend the existing Security Rule to expand the requirement to require regulated entities to develop and revise a technology asset inventory and a network map that illustrates the movement of ePHI throughout the regulated entity’s electronic information system(s) on an ongoing basis, at least once every 12 months and in response to a change in the regulated entity’s environment or operations that may affect ePHI. Although OCR has not yet officially adopted this and other changes contained in the proposed rule, substantial evidence exists that it already regularly administers the Risk Analysis requirement with the expectation that regulated entities will perform Risk Analysis at least this frequently. For instance, current OCR resolution agreements require impacted organizations to conduct Risk Analysis to identify and address vulnerabilities at least annually, and more frequently as needed in response to signs of potential breach or susceptibility. Likewise, since OCR developed the proposed rule from its past enforcement experience, wise Regulated Entities also will recognize the value of drawing upon the changes set forth in the proposed rule for helpful insights to strengthen the security of their ePHI generally and promoting the defensibility of the adequacy of their Risk Assessments.

Suggested Process For Updating & Strengthening Risk Analysis

Engage legal counsel experienced with HIPAA and other cybersecurity-related risks and liabilities to advise and assist your organization in designing and administering your Risk Analysis processes and response within the scope of attorney-client privilege;
Appoint and designate leadership and technical leadership for team responsible for design and administration of your organization’s initial and ongoing cybersecurity Risk Analysis and response (“Cyber-Risk Team”) and process for board and senior management reporting of the Cyber-Risk Team;
Select and engage outside consulting service providers, cyber-liability insurers and other risk service providers expected to participate in the process; work with qualified legal counsel to contract with these business associates to include the business associate agreement and other reassurances required by the HIPAA Privacy, Security and Breach Notification Rule and other performances, cooperation to provide and back services in accordance with agreed-upon protocols in the contract;
Train Cyber-Risk Team in the appropriate processes for working with internal teams, outside service providers, leadership, and designated legal counsel to conduct Risk Analysis, investigation and response using attorney-client privilege and other evidentiary tools and processes to maximize defensibility;
Require the Cyber-Risk Team conduct an updated, document assessment of cyber-risk within scope of attorney-client privilege and work with legal counsel to develop a documented cyber-risk policy that captures analysis and determinations for your justification for the size, scope and timing of your periodic Risk Analysis and rules and processes for interim risk identification, reassessments and response in reaction to potential cyber-risk signs between periodic Risk Analysis for presentation and approval by the Board taking into account the insights from published final and proposed guidance, enforcement actions and industry standards;
Require, oversee and enforce Cyber-Risk Team’s documented administration of the initial and subsequently required Risk Analysis and response pursuant to the adopted cyber-risk policy to identify vulnerabilities and work with legal counsel within the scope of privilege to document your analysis and justifications for addressing identified vulnerabilities and other required actions in response to identified susceptibilities or event;
Review adequacy of incident detection and response arrangements, including reporting and response mechanisms, insurance and indemnification protection, and other critical elements for mitigation and recovery; and
Other actions as warranted based on advice of counsel taking into account emerging threats, guidance, and risk susceptibility.

Beyond these specific HIPAA-associated exposures, Regulated Entities and their leaders should keep in mind that HIPAA is likely only one of many laws that define their responsibilities to secure, report, and respond to breaches of ePHI or other sensitive data. Depending on the location, nature and other circumstances, Regulated Entities and their leaders also may have additional responsibilities and liability exposures under a variety of other federal and state laws, ethical or other professional standards, and contractual obligations. For instance, health plan fiduciaries may risk fiduciary liability under the Employee Retirement Income Security Act of 1974 for failing to prudently secure and protect participate and other health plan data from improper access, use or disclosure. Inadequate data safeguards for ePHI also can trigger liability for brokers, consultants, insurers and others under the Fair and Accurate Credit Transactions Act, the Federal Trade Commission Act, and various electronic crimes statutes. The Securities and Exchange Commission rules can trigger disclosure and other obligations for publicly traded employers and insurers. Regulated Entities and their leaders generally will want to fully evaluate and manage these risks in conjunction with their compliance with the Risk Analysis and other requirements of the HIPAA Security and Breach Notification Rules.

The author of this update, Cynthia Marcotte Stamer is nationally known and celebrated for her experience providing advice and representation to employers, employer and other health plan sponsors, health plans, health plan fiduciaries and administrators, third party administrators, health care and life sciences organizations, human resources and health plan technology, and other businesses about HIPAA and other compliance, risk management and operational matters. If you have questions or need advice or help evaluating or addressing these or other compliance, risk management, or other concerns, contact her.

For More Information

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Cynthia Marcotte Stamer is a Martindale-Hubble AV-Preeminent (highest/top 1%) practicing attorney recognized as a “Top Woman Lawyer,” “Top Rated Lawyer,” and “LEGAL LEADER™” in Health Care Law and Labor and Employment Law; among the “Best Lawyers In Dallas” in “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law recognized for her experience, scholarship, thought leadership and advocacy on HIPAA and other data and technology use, security and compliance in connection with her work with health care and life sciences, employee benefits, insurance, education, technology and other highly regulated and performance-dependent clients.

Additionally,more her ABA involvements include than a decade of service as a Scribe for the Joint Committee on Employee Benefits (“JCEB”) annual agency meetings with the Department of Health and Human Services and JCEB Council Representative, International Section Life Sciences Committee Chair, RPTE Section Employee Benefits Group Chair and a Substantive Groups Committee Member, Health Law Section Managed Care & Insurance Interest Group Chair, as TIPS Section Medicine and Law Committee Chair and Employee Benefits Committee and Workers Compensation Committee Vice Chair, Tax Section Fringe Benefit Committee Chair, and in various other ABA leadership capacities. Ms. Stamer also is a former Southwest Benefits Association Board Member and Continuing Education Chair, SHRM National Consultant Board Chair and Region IV Chair, Dallas Bar Association Employee Benefits Committee Chair, former Texas Association of Business State, Regional and Dallas Chapter Chair, a founding board member and Past President of the Alliance for Healthcare Excellence, as well as in the leadership of many other professional, civic and community organizations. She also is recognized for her contributions to strengthening health care policy and charitable and community service resolving health care challenges performed under PROJECT COPE Coalition For Patient Empowerment initiative and many other pro bono service involvements locally, nationally and internationally.

Ms. Stamer is the author of many highly regarded works published by leading professional and business publishers, the ABA, the American Health Lawyers Association, and others. Ms. Stamer also frequently speaks and serves on the faculty and steering committee for many ABA and other professional and industry conferences and conducts leadership and industry training for a wide range of organizations.

About Solutions Law Press™

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or an admission. Solutions Law Press and its authors reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often rapidly evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. Solutions Law Press and its authors disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Comments Off on Health Plans & Other HIPAA-Covered Entities Urged To Strengthen HIPAA Risk Analysis Processes & Documentation In Response To Rising Breach & OCR Enforcement Risks | Corporate Compliance | Tagged: AI, Cyber Security, Cybercrime, Cybersecurity, HIPAA, risk-assessment, Security, Technology | Permalink
Posted by Cynthia Marcotte Stamer

Trump Executive Order Calls For PBM ERISA Fee Disclosure Rules and Other Prescription Drug Reforms

April 17, 2025

Creating greater transparency of the compensation of prescription benefit management (“PBM”) arrangements used in group health plans covered by the Employee Retirement Income Security Act of 1974 (“ERISA”) is one of many new policy directives President Trump directs federal agencies to pursue to promote lower cost access to prescription drugs under his Executive Order on Lowering Drug Prices By Once Again Putting Americans First (the “Executive Order”) signed April 15, 2025. Employer and union-sponsored health plans, their sponsors, fiduciaries and service providers should carefully track and provide appropriate input to the Department of Labor and other federal agencies charged with implementing the new ERISA transparency requirement and other policy changes directed in the Executive Order.

ERISA PMB Transparency Requirements

To improve the transparency of compensation received by PBMs working with ERISA-covered group health plnas, the Executive Order directs the Department of Labor (“DOL”) to propose regulations to make the fee disclosure requirements of ERISA section 408(b)(2)(B) applicable to PBMs by October 12, 2025.

The Executive Order’s directive to the DOL contemplates that DOL will revise its existing regulations under Section 408(b)(2) to prohibit group health plan fiduciaries from allowing PBMs to directly or indirectly receive compensation for their PBM services unless the PBM discloses its compensation from the arrangement in accordace with the fee disclosure requirements that the Executive Order contemplates DOL will add to ERISA section 408(b)(2).

While DOL regulations have required since 2012 that pension plan service providers to disclose direct or indirect compensation under arrangements with ERISA-covered pension plans in order for the service provider compensation to be allowed “reasonable compensation” under ERISA section 408(b)(2), the fee disclosure requirement currently does not apply to PBMs or other service providers to group health plans or other welfare benefit plan arrangements.

Across the intervening years, concern that the lack of transparency and disclosure allows PBMs to receive excessive compensation and engage in conflicts of interest has led employee benefit industry watchdogs, employer and other plan sponsors, plan members, health care providers and others increasingly to urge the DOL to impose fee disclosure requirements on PBMs and other health and welfare benefit plan service providers. The Executive Order yields to these demands by calling upon the DOL to deem a group health plan’s compensation arrangements with PBMs reasonable only where PBMs disclose direct and indirect compensation, including compensation paid among related parties such as subcontractors, in a manner consistent with current Section 408(b )(2) Regulations.

Other Prescription Drug Reforms

The Executive Order also includes numerous other reform directives beyond calling for DOL to make PBMs subject to ERISA’s fee disclosure rules. These included several directives to HHS and certain other agencies that President Trump intends to lower the cost of prescription drugs within and outside the Medicare program.

Medicare & Other Drug Pricing and Coverage Related Prescription Drug Reforms

Many of the policy directives in the Executive Order seek to reform Medicare and other prescription drug cost and coverage.

By April 15, 2026, for instance, the Executive Order directs HHS to develop a better payment model to improve the ability of the Medicare program to obtain better value for high-cost prescription drugs and biological products covered by Medicare, including those not subject to the Medicare Drug Price Negotiation Program.

In addition, the Executive Order:

Directs HHS to work with the Congress to modify the Medicare Drug Price Negotiation Program to align the treatment of small molecule prescription drugs with that of biological products so as to end the distortion that undermines relative investment in small molecule prescription drugs, coupled with other reforms to prevent any increase in overall costs to Medicare and its beneficiaries;
By June 14, 2025,
- Requires HHS to propose changes to the Medicare Drug Price Negotiation Program regulations for the initial price applicability year 2028 and manufacturer implementation of maximum fair price under such program in 2026, 2027, and 2028 to improve the transparency of the Medicare Drug Price Negotiation Program, prioritize the selection of prescription drugs with high costs to the Medicare program, and minimize any negative impacts of the maximum fair price on pharmaceutical innovation within the United States; andRequires HHS to require health centers receiving Public Health Service Act Section 330(e) grants to establish practices to make insulin and injectable epinephrine available at or below the discounted price paid by the health center grantee or sub-grantee under the 340B Prescription Drug Program (plus a minimal administration fee) to low income individuals who have a high cost-sharing requirement for either insulin or injectable epinephrine; have a high unmet deductible; or have no healthcare insurance.Requires the Assistant to the President for Domestic Policy (“APDP”) in coordination with the Secretary, the Director of the Office of Management and Budget (“OMB Director”), and the Assistant to the President for Economic Policy (“APECP”), to provide recommendations to the President on how best to stabilize and reduce Medicare Part D premiums;Requires the HHS Secretary to publish a plan to conduct a survey under the Site-of-Service Price Transparency rules of Social Security Act Section 1833(t)(14)(D)(ii) to determine the hospital acquisition cost for covered outpatient drugs at hospital outpatient departments and propose appropriate adjustments to align Medicare payment with the cost of acquisition, consistent with the budget neutrality requirements; and
- Requires HHS to evaluate and propose regulations to ensure that payment within the Medicare program is not encouraging a shift in drug administration volume away from less costly physician office settings to more expensive hospital outpatient departments.

Other Prescription Drug Reforms

In addition to these predominantly Medicare-focused programs, the Executive Order also orders federal agencies to

Requires the Secretary of Labor to propose regulations pursuant to section 408(b)(2)(B) of the Employee Retirement Income Security Act of 1974 to improve employer health plan fiduciary transparency into the direct and indirect compensation received by pharmacy benefit managers by October 12, 2025;
Requires the APDP, in coordination with the HHS Secretary, the OMB Director, and the APECP, to provide recommendations to the President on how best to promote a more competitive, efficient, transparent, and resilient pharmaceutical value chain that delivers lower drug prices for Americans by June 14, 2025;
Requires the Food and Drug Administration to streamline and improve the Importation Program under the Federal Food, Drug, and Cosmetic Act to make it easier for States to obtain approval without sacrificing safety or quality;
Requires the OMB Director, the APDP, and the Assistant to the President for Economic Policy )”APECP, and HHS Secretary to provide joint recommendations on how best to ensure that manufacturers pay accurate Medicaid drug rebates consistent with section 1927 of the Social Security Act, promote innovation in Medicaid drug payment methodologies, link payments for drugs to the value obtained, and support States in managing drug spending;
Requires the HHS Secretary, through the Commissioner of Food and Drugs, to issue a report providing administrative and legislative recommendations to accelerate approval of generics, biosimilars, combination products, and second-in-class brand name medications; and improve the process through which prescription drugs can be reclassified as over-the-counter medications, including recommendations to optimally identify prescription drugs that can be safely provided to patients over the counter;
Requires HHS, the Department of Justice, the Department of Commerce, and the Federal Trade Commission to conduct listening sessions and issue a report with recommendations to reduce anti-competitive behavior from pharmaceutical manufacturers.

Health plans, their sponsoring employers or unions, fiduciaries, PBM and other service providers, brokers, insurers, auditors, and others involved in the design or oversight of PBM and other group health plan arrangements should monitor closely the DOL and other agency responses to the Executive Order to anticipate and prepare for required changes, as well as to be prepared to identify and timely provide input about proposed rules or other actions to DOL or the otherwise applicable regulatory agency before finalized.

The author of this update, Cynthia Marcotte Stamer is an American College of Employee Benefits Counsel Fellow and attorney board certified in Labor and Employment Law by the Texas Board of Legal Specialization, with decades of experience advising employers and other health plan sponsors, health plans, health plan fiduciaries and administrators, PBMs, health and other insurers, third party administrators, managed care organizations, health plan technology, and other businesses about health plan design, administration, and other compliance, risk management and operational matters. If you have questions or need advice or help evaluating or addressing these or other compliance, risk management, or other concerns, contact her.

For More Information

About the Author

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation; Cynthia Marcotte Stamer is an attorney board certified in labor and employment law by the Texas Board of Legal Specialization, management consultant, author, public policy advocate and lecturer sought out by clients and industry and government leaders for her more than 35 years of health, insurance, employment and employee benefits and other industry management work, thought leadership, public policy and regulatory affairs advocacy, coaching, teaching, and publications on health and other employee benefits, health care, insurance, workforce and other risk management and compliance.

Along with her decades of legal and strategic consulting experience, Ms. Stamer also contributes her leadership and experience to many professional, civic and community organizations. Along with currently serving as Co-Chair of the ABA Real Property Trusts and Estates (“RPTE”) Section Welfare Plan Committee, Co-Chair of the ABA International Section International Employment Law Committee and its Annual Meeting Program Planning Committee, Chair Emeritus and Vice Chair of the ABA Tort Trial and Insurance (“TIPS”) Section Medicine and Law Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee, her previous ABA leadership roles include more than a decade of service as a Scribe for the Joint Committee on Employee Benefits (“JCEB”) annual agency meetings with the Department of Health and Human Services and JCEB Council Representative, International Section Life Sciences Committee Chair, RPTE Section Employee Benefits Group Chair and a Substantive Groups Committee Member, Health Law Section Managed Care & Insurance Interest Group Chair, as TIPS Section Medicine and Law Committee Chair and Employee Benefits Committee and Workers Compensation Committee Vice Chair, Tax Section Fringe Benefit Committee Chair, and in various other ABA leadership capacities. Ms. Stamer also is a former Southwest Benefits Association Board Member and Continuing Education Chair, SHRM National Consultant Board Chair and Region IV Chair, Dallas Bar Association Employee Benefits Committee Chair, former Texas Association of Business State, Regional and Dallas Chapter Chair, a founding board member and Past President of the Alliance for Healthcare Excellence, as well as in the leadership of many other professional, civic and community organizations. She also is recognized for her contributions to strengthening health care policy and charitable and community service resolving health care challenges performed under PROJECT COPE Coalition For Patient Empowerment initiative and many other pro bono service involvements locally, nationally and internationally.

Ms. Stamer is the author of many highly regarded works published by leading professional and business publishers, the ABA, the American Health Lawyers Association, and others. Ms. Stamer also frequently speaks and serves on the faculty and steering committee for many ABA and other professional and industry conferences and conducts leadership and industry training for a wide range of organizations.

About Solutions Law Press™

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or an admission. Solutions Law Press and its authors reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often rapidly evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. Solutions Law Press and its authors disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Comments Off on Trump Executive Order Calls For PBM ERISA Fee Disclosure Rules and Other Prescription Drug Reforms | Corporate Compliance | Tagged: drug-costs, Drugs, ERISA, Executive Order, Fiduciary Responsibility, Health, Health Insurance, healthcare, healthcare-transparency, Insurance, news, pbm, prescription-drug | Permalink
Posted by Cynthia Marcotte Stamer

6th Risk Analysis Settlement & Other OCR Actions Warn Health Plans & Other HIPAA-Regulated Entities To Tighten Risk Analysis

April 14, 2025

The $350,000 paid by Northeast Radiology, P.C. (“NERAD”) provides the latest warning to health plans, health care providers, healthcare clearinghouses (“Covered Entities”) and their business associates (collectively “Regulated Entities”) they risk costly fines and other costs for failing to maintain the up-to-date risk assessments required by the Health Insurance Portability & Accountability Act (“HIPAA”).

Following up on the five other previous Risk Analysis Initiative enforcement actions and settlements recently announced by the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) and OCR’s publication of proposed rules to significantly tighten HIPAA’s Risk Analysis and other requirements, the settlement with medical imaging center NERAD sends a strong warning to health plans and other Regulated Entities to clean up and strengthen their Risk Analysis and other HIPAA Security Rule compliance.

$350,000 NERAD Risk Analysis Settlement Latest Product Of New Enforcement Initiative

The sixth Risk Analysis Initiative enforcement action announced by OCR in recent months, the NERAD settlement resolves an OCR Risk Analysis Initiative enforcement action arising from OCR’s investigation of a breach of ePHI stored on NERAD’s Picture Archiving and Communication System (“PACS”) server for storing, retrieving, managing, and accessing radiology images.

OCR initiated its investigation of NERAD after receiving a NERAD breach report about a breach of unsecured ePHI in March 2020. NERAD reported that between April 2019 and January 2020, unauthorized individuals accessed radiology images stored on NERAD’s PACS server. NERAD notified the 298,532 patients whose information was potentially accessible on the PACS server of this breach. OCR’s investigation found that NERAD had failed to conduct an accurate and thorough Risk Analysis to determine the potential risks and vulnerabilities to the ePHI in NERAD’s information systems.

Conducting an accurate and thorough Risk Analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI;
Developing and implementing a risk management plan to address and mitigate security risks and vulnerabilities identified in its Risk Analysis;
Developing and implementing a written process to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports;
Developing, maintaining, and revising, as necessary, its written policies and procedures to comply with the HIPAA Rules; and
Augmenting its existing HIPAA and security training program to all of its workforce members who have access to PHI.

OCR Turns Up Heat On HIPAA Risk Analysis Requirements & Enforcement

The HIPAA Privacy, Security, and Breach Notification Rules set forth the requirements that Regulated Entities must follow to protect the privacy and security of protected health information. Since the HIPAA Security Rule first took effect, risk analysis is one of the four required implementation specifications the Security Rule requires to fulfill its Security Management Process Standard’s requirement that regulated entities “[i]mplement policies and procedures to prevent, detect, contain, and correct security violations.”

Written Risk Analysis Longstanding Requirement

Although OCR only recently formally adopted a Risk Analysis Initiative, OCR’s regulatory guidance and enforcement actions have communicated clearly the necessity for each Regulated Entity to possess and maintain an adequate documented Risk Analysis. OCR guidance since has required Regulated Entities to conduct and document the required Risk Analysis to safeguard ePHI and avoid liability under the HIPAA Rule. The importance of fulfillment of the Risk Analysis requirement is driven home by OCR’s recent identification of Risk Analysis inadequacies as a basis for its assessment of civil monetary penalties or required resolution payments to settle HIPAA Security Rule violations following a breach of ePHI.

While the Security Rule does not currently dictate how frequently a regulated entity must perform Risk Analysis, a proposed rule published by OCR on December 27, 2024 seeks to amend the existing Security Rule to expand the requirement to require regulated entities to develop and revise a technology asset inventory and a network map that illustrates the movement of ePHI throughout the regulated entity’s electronic information system(s) on an ongoing basis, at least once every 12 months and in response to a change in the regulated entity’s environment or operations that may affect ePHI. Although OCR has not adopted this and other changes contained in the proposed rule, substantial evidence exists that it already regularly administers the Risk Analysis requirement with the expectation that regulated entities will perform Risk Analysis at least this frequently. For instance, current OCR resolution agreements require impacted organizations to conduct Risk Analysis to identify and address vulnerabilities at least annually, and more frequently as needed in response to signs of potential breach or susceptibility.

To fulfill the “Risk Analysis” implantation specification, the Security Management Process Standard requires Regulated Entities maintain appropriate administrative, physical, and technical safeguards for the confidentiality, integrity, and security of electronic protected health information (“ePHI”) based on an up-to-date conduct of an up-to-date accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by that organization (“Risk Analysis”).

The Security Rule requires Regulated Entities to document each Risk Analysis in writing, to maintain their Risk Analysis documentation for six years, and to make available Risk Analysis documentation to OCR upon request.

Among other things, the Risk Analysis implementation standard requires regulated entities adequately to:

Identify where ePHI is located in the organization, including how ePHI enters, flows through, and leaves the organization’s information systems.
Integrate Risk Analysis and risk management into the organization’s business processes.
Ensure that audit controls are in place to record and examine information system activity.
Implement regular reviews of information system activity.
Utilize mechanisms to authenticate information to ensure only authorized users are accessing ePHI.
Encrypt ePHI in transit and at rest to guard against unauthorized access to ePHI when appropriate.
Incorporate lessons learned from incidents into the organization’s overall security management process.
Provide workforce members with regular HIPAA training that is specific to the organization and to the workforce members’ respective job duties.

OCR Heightens Risk Analysis Enforcement While Proposing Heightened Risk Analysis And Other Security Requirements

The proposed rule published by OCR on December 27, 2024 seeks to significantly broaden these original requirements of the Risk Assessment implementation standard. Under the proposed rule, a Regulated Entity’s Risk Analysis also would be required to include:

Require the development and revision of a technology asset inventory and a network map that illustrates the movement of ePHI throughout the regulated entity’s electronic information system(s) on an ongoing basis, at least once every 12 months and in response to a change in the regulated entity’s environment or operations that may affect ePHI.
Require greater specificity for conducting a risk analysis, including a written assessment that contains, among other things:
- A review of the technology asset inventory and network map;
- Identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI;
- Identification of potential vulnerabilities and predisposing conditions to the regulated entity’s relevant electronic information systems;
- An assessment of the risk level for each identified threat and vulnerability, based on the likelihood that each identified threat will exploit the identified vulnerabilities; and
- A review of the technology asset inventory and network map.

To establish written procedures to restore the loss of certain relevant electronic information systems and data within 72 hours;
To perform an analysis of the relative criticality of their relevant electronic information systems and technology assets to determine the priority for restoration;
To establish written security incident response plans and procedures documenting how workforce members are to report suspected or known security incidents and how the regulated entity will respond to suspected or known security incidents;
To implement written procedures for testing and revising written security incident response plans;
To conduct a compliance audit at least once every 12 months to ensure their compliance with the Security Rule requirements;
To require business associates to verify at least once every 12 months for covered entities (and that business associate contractors verify at least once every 12 months for business associates) that they have deployed technical safeguards required by the Security Rule to protect ePHI through a written analysis of the business associate’s relevant electronic information systems by a subject matter expert and a written certification that the analysis has been performed and is accurate;
To encrypt ePHI at rest and in transit, with limited exceptions;
To establish and deploy technical controls for configuring relevant electronic information systems, including workstations, in a consistent manner including deployment of anti-malware protection, removal of extraneous software, and disabling network ports in accordance with the regulated entity’s risk analysis;
Use of multi-factor authentication, with limited exceptions;
Vulnerability scanning at least every six months and penetration testing at least once every 12 months;
Network segmentation;
Separate technical controls for backup and recovery of ePHI and relevant electronic information systems;
To review and test the effectiveness of certain security measures at least once every 12 months, in place of the current general requirement to maintain security measures;
Business associates to notify covered entities (and subcontractors to notify business associates) upon activation of their contingency plans without unreasonable delay, but no later than 24 hours after activation;
Group health plans to include in their plan documents requirements for their group health plan sponsors to: comply with the administrative, physical, and technical safeguards of the Security Rule; ensure that any agent to whom they provide ePHI agrees to implement the administrative, physical, and technical safeguards of the Security Rule; and notify their group health plans upon activation of their contingency plans without unreasonable delay, but no later than 24 hours after activation.

Recommended Actions For Health Plans & Other HIPAA-Regulated Entities

Engage legal counsel experienced with HIPAA and other cybersecurity-related risks and liabilities to advise and assist your organization in designing and administering your Risk Analysis processes and response within the scope of attorney-client privilege;
Appoint and designate leadership and technical leadership for team responsible for design and administration of your organization’s initial and ongoing cybersecurity Risk Analysis and response (“Cyber-Risk Team”) and process for board and senior management reporting of the Cyber-Risk Team;
Select and engage outside consulting service providers, cyber-liability insurers and other risk service providers expected to participate in the process; work with qualified legal counsel to contract with these business associates to include the business associate agreement and other reassurances required by the HIPAA Privacy, Security and Breach Notification Rule and other performances, cooperation to provide and back services in accordance with agreed-upon protocols in the contract;
Train Cyber-Risk Team in the appropriate processes for working with internal teams, outside service providers, leadership, and designated legal counsel to conduct Risk Analysis, investigation and response using attorney-client privilege and other evidentiary tools and processes to maximize defensibility;
Require the Cyber-Risk Team conduct an updated, document assessment of cyber-risk within scope of attorney-client privilege and work with legal counsel to develop a documented cyber-risk policy that captures analysis and determinations for your justification for the size, scope and timing of your periodic Risk Analysis and rules and processes for interim risk identification, reassessments and response in reaction to potential cyber-risk signs between periodic Risk Analysis for presentation and approval by the Board taking into account the insights from published final and proposed guidance, enforcement actions and industry standards;
Require, oversee and enforce Cyber-Risk Team’s documented administration of the initial and subsequently required Risk Analysis and response pursuant to the adopted cyber-risk policy to identify vulnerabilities and work with legal counsel within the scope of privilege to document your analysis and justifications for addressing identified vulnerabilities and other required actions in response to identified susceptibilities or event;
Review adequacy of incident detection and response arrangements, including reporting and response mechanisms, insurance and indemnification protection, and other critical elements for mitigation and recovery; and
Other actions as warranted based on advice of counsel taking into account emerging threats, guidance, and risk susceptibility.

The author of this update, Cynthia Marcotte Stamer is an American College of Employee Benefits Counsel Fellow and attorney board certified in Labor and Employment Law by the Texas Board of Legal Specialization, nationally known and celebrated for her experience providing advice and representation on HIPAA and other risk management and compliance to employers and other health plan sponsors, health plans, health plan fiduciaries and administrators, health and other insurers, third party administrators, health care and other managed care providers and organizations, human resources and health plan technology, and other businesses about health plan design, administration, and other compliance, risk management and operational matters. If you have questions or need advice or help evaluating or addressing these or other compliance, risk management, or other concerns, contact her.

For More Information

About the Author

Along with her decades of legal and strategic consulting experience, Ms. Stamer also contributes her leadership and experience to many professional, civic and community organizations. Along with currently serving as Co-Chair of the ABA Real Property Trusts and Estates (“RPTE”) Section Welfare Plan Committee, Co-Chair of the ABA International Section International Employment Law Committee and its Annual Meeting Program Planning Committee, Chair Emeritus and Vice Chair of the ABA Tort Trial and Insurance (“TIPS”) Section Medicine and Law Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee, her previous ABA leadership roles include more than a decade of service as a Scribe for the Joint Committee on Employee Benefits (“JCEB”) annual agency meetings with the Department of Health and Human Services and JCEB Council Representative, International Section Life Sciences Committee Chair, RPTE Section Employee Benefits Group Chair and a Substantive Groups Committee Member, Health Law Section Managed Care & Insurance Interest Group Chair, as TIPS Section Medicine and Law Committee Chair and Employee Benefits Committee and Workers Compensation Committee Vice Chair, Tax Section Fringe Benefit Committee Chair, and in various other ABA leadership capacities. Ms. Stamer also is a former Southwest Benefits Association Board Member and Continuing Education Chair, SHRM National Consultant Board Chair and Region IV Chair, Dallas Bar Association Employee Benefits Committee Chair, former Texas Association of Business State, Regional and Dallas Chapter Chair, a founding board member and Past President of the Alliance for Healthcare Excellence, as well as in the leadership of many other professional, civic and community organizations. She also is recognized for her contributions to strengthening health care policy and charitable and community service resolving health care challenges performed under PROJECT COPE Coalition For Patient Empowerment initiative and many other pro bono service involvements locally, nationally and internationally.

Ms. Stamer is the author of many highly regarded works published by leading professional and business publishers, the ABA, the American Health Lawyers Association, and others. Ms. Stamer also frequently speaks and serves on the faculty and steering committee for many ABA and other professional and industry conferences and conducts leadership and industry training for a wide range of organizations.

About Solutions Law Press™

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or an admission. Solutions Law Press and its authors reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often rapidly evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. Solutions Law Press and its authors disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Comments Off on 6th Risk Analysis Settlement & Other OCR Actions Warn Health Plans & Other HIPAA-Regulated Entities To Tighten Risk Analysis | Association Health Plan, Attorney-Client Privilege, church plan, Civil Monetary Penalties, compliance, Corporate Compliance, Cybercrime, Cybersecurity, Data Breach, Data Security, Employee Benefits, Employers, ERISA, GINA, health benefit, Health Benefits, health Care, health insurance, health insurance marketplace, Health IT, health plan, Health Plans, HIPAA, HIPAA, Identity Theft, Managed Care | Tagged: business, Cyber Security, Cybersecurity, Security, Technology | Permalink
Posted by Cynthia Marcotte Stamer

I-9 & E-Verify Updates Announced

April 9, 2025

Employers should take note of recent changes made by the Citizenship and Immigration Services to the Form I-9, Employment Eligibility Verification and the Department of Homeland Security (“DHS”) Privacy Notice. While the updates don’t require employers to adopt the new I-9 Form until other current forms expire or are revoked, employers should know the changes to ease the administration of their I-9 requirements.

Form I-9

The revised Form I-9 with edition date 01/20/25 and expiration date 05/31/2027 includes minor changes to Form I-9 to align with statutory language.

Key updates include:

Renaming the fourth checkbox in Section 1 to “An alien authorized to work”

Revising the descriptions of two List B documents in the Lists of Acceptable Documents

Adding appropriate statutory language and a revised DHS Privacy Notice to the instructions.

While the revised Form I-9 with an edition date 01/20/25 is now available for download, multiple previous editions remain valid until their respective expiration dates:

Form I-9 (08/01/23 edition) that is valid until 05/31/2027

Form I-9 (08/01/23 edition) that is valid until 07/31/2026 (Employers using this form must update their electronic systems with the 05/31/2027 expiration date by July 31, 2026.)

E-Verify

Also, starting April 3, 2025, E-Verify and E-Verify+ will have updated the Citizenship Status selection during case creation to reflect this statutory language. The selection “A noncitizen authorized to work” will be updated to “An alien authorized to work.”

Employers should note:

If an employee attests on Form I-9 as “A noncitizen authorized to work,” the employer must select “An alien authorized to work” in E-Verify.

E-Verify cases will display “An alien authorized to work,” while employees and employers may continue to see “A noncitizen authorized to work” on Form I-9, depending on the form edition being used.

E-Verify+ participants will see the updated 01/20/25 edition date and 05/31/2027 expiration date reflected in Form I-9NG.

Additionally, E-Verify users creating cases through Web Services applications will see the employee status attestation automatically updated to “An alien authorized to work”—even if the WS application submits “A noncitizen authorized to work” if the employee selected citizenship status number four on Form I-9.

This change does not affect the current Interface Control Agreement (ICA) version 31.1, which already provides the necessary guidance for Web Services developers. WS developers should update their platforms to transmit “An alien authorized to work” instead of “A noncitizen authorized to work” as soon as possible.

The author of this update, Cynthia Marcotte Stamer is an attorney board certified in Labor and Employment Law by the Texas Board of Legal Specialization, with decades of experience advising employers and others about I-9 and other workforce, employee benefits, compensation, performance management, reengineering and other compliance, risk management and operational matters. If you have questions or need advice or help evaluating or addressing these or other compliance, risk management, or other concerns, contact her.

For More Information

About the Author

Along with her decades of legal and strategic consulting experience, Ms. Stamer also contributes her leadership and experience to many professional, civic and community organizations. Along with currently serving as Co-Chair of the ABA Real Property Trusts and Estates (“RPTE”) Section Welfare Plan Committee, Co-Chair of the ABA International Section International Employment Law Committee and its Annual Meeting Program Planning Committee, Chair Emeritus and Vice Chair of the ABA Tort Trial and Insurance (“TIPS”) Section Medicine and Law Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee, her previous ABA leadership roles include more than a decade of service as a Scribe for the Joint Committee on Employee Benefits (“JCEB”) annual agency meetings with the Department of Health and Human Services and JCEB Council Representative, International Section Life Sciences Committee Chair, RPTE Section Employee Benefits Group Chair and a Substantive Groups Committee Member, Health Law Section Managed Care & Insurance Interest Group Chair, as TIPS Section Medicine and Law Committee Chair and Employee Benefits Committee and Workers Compensation Committee Vice Chair, Tax Section Fringe Benefit Committee Chair, and in various other ABA leadership capacities. Ms. Stamer also is a former Southwest Benefits Association Board Member and Continuing Education Chair, SHRM National Consultant Board Chair and Region IV Chair, Dallas Bar Association Employee Benefits Committee Chair, former Texas Association of Business State, Regional and Dallas Chapter Chair, a founding board member and Past President of the Alliance for Healthcare Excellence, as well as in the leadership of many other professional, civic and community organizations. She also is recognized for her contributions to strengthening health care policy and charitable and community service resolving health care challenges performed under PROJECT COPE Coalition For Patient Empowerment initiative and many other pro bono service involvements locally, nationally and internationally.

Ms. Stamer is the author of many highly regarded works published by leading professional and business publishers, the ABA, the American Health Lawyers Association, and others. Ms. Stamer also frequently speaks and serves on the faculty and steering committee for many ABA and other professional and industry conferences and conducts leadership and industry training for a wide range of organizations.

About Solutions Law Press™

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or an admission. Solutions Law Press and its authors reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often rapidly evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. Solutions Law Press and its authors disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Comments Off on I-9 & E-Verify Updates Announced | Corporate Compliance | Permalink
Posted by Cynthia Marcotte Stamer

Brokerage President & Marketing Company CEO Indicted In $161M ACA Enrollment Fraud Scheme

March 17, 2025

Mansfield, Texas resident Steven Strong and Florida resident Cory Lloyd face up to 20 year prison sentences if convicted on federal criminal health care fraud charges for their alleged participation in a scheme to submit fraudulent enrollments to fully subsidized Patient Protection & Affordable Care Act insurance plans (“ACA plans”).

ACA plans offer eligible enrollees tax credit subsidies paid by the federal government directly to insurance plans in the form of a payment toward the applicable monthly premium.

According to court documents, Lloyd and Strong conspired to enroll consumers in ACA plans that were fully subsidized by the federal government by submitting false and fraudulent applications for individuals whose income did not meet the minimum requirements to be eligible for the subsidies.

President of a health insurance brokerage, Lloyd allegedly received commission and other payments from an insurance company in exchange for enrolling consumers in the ACA plans.

In turn, Lloyd allegedly paid commissions to marketing company chief executive officer Strong in exchange for consumer referrals.

As alleged in the indictment, Lloyd and Strong targeted vulnerable, low-income individuals experiencing homelessness, unemployment, and mental health and substance abuse disorders, and, through “street marketers” working on their behalf, sometimes offered bribes to induce those individuals to enroll in subsidized ACA plans. Marketers working for Strong’s company allegedly coached consumers on how to respond to application questions to maximize the subsidy amount and provided addresses and social security numbers that did not match the consumers purportedly applying.

As a result of being enrolled in subsidized ACA plans for which they did not qualify, some of these consumers experienced disruptions in their medical care.

The indictment alleges that Lloyd and Strong used misleading sales scripts and other deceptive sales techniques to convince consumers to state that they would attempt to earn the minimum income necessary to qualify for a subsidized ACA plan, even when the consumer initially projected having no income.

Lloyd and Strong also allegedly conspired to bypass the federal government’s attempts to verify income and other information.

Lloyd and Strong allegedly engaged in the scheme to maximize the commission payments they received from insurers, resulting in their companies’ receiving millions of dollars in commissions.

As alleged in the indictment, Lloyd and Strong’s scheme caused the federal government to pay at least $161,900,000 in subsidies.

Cory Lloyd and Steven Strong are each charged with conspiracy to commit wire fraud, three counts of wire fraud, conspiracy to defraud the United States, and two counts of money laundering. If convicted, each faces a maximum penalty of 20 years in prison on each count of conspiracy to commit wire fraud and wire fraud, five years in prison for conspiracy to defraud the United States, and 10 years in prison for each count of money laundering.

The author of this update, Cynthia Marcotte Stamer is an American College of Employee Benefits Counsel Fellow and attorney board certified in Labor and Employment Law by the Texas Board of Legal Specialization, with decades of experience advising employers and other health plan sponsors, health plans, health plan fiduciaries and administrators, health and other insurers, third party administrators, managed care organizations, health plan technology, and other businesses about health plan design, administration, and other compliance, risk management and operational matters. If you have questions or need advice or help evaluating or addressing these or other compliance, risk management, or other concerns, contact her.

For More Information

About the Author

Along with her decades of legal and strategic consulting experience, Ms. Stamer also contributes her leadership and experience to many professional, civic and community organizations. Along with currently serving as Co-Chair of the ABA Real Property Trusts and Estates (“RPTE”) Section Welfare Plan Committee, Co-Chair of the ABA International Section International Employment Law Committee and its Annual Meeting Program Planning Committee, Chair Emeritus and Vice Chair of the ABA Tort Trial and Insurance (“TIPS”) Section Medicine and Law Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee, her previous ABA leadership roles include more than a decade of service as a Scribe for the Joint Committee on Employee Benefits (“JCEB”) annual agency meetings with the Department of Health and Human Services and JCEB Council Representative, International Section Life Sciences Committee Chair, RPTE Section Employee Benefits Group Chair and a Substantive Groups Committee Member, Health Law Section Managed Care & Insurance Interest Group Chair, as TIPS Section Medicine and Law Committee Chair and Employee Benefits Committee and Workers Compensation Committee Vice Chair, Tax Section Fringe Benefit Committee Chair, and in various other ABA leadership capacities. Ms. Stamer also is a former Southwest Benefits Association Board Member and Continuing Education Chair, SHRM National Consultant Board Chair and Region IV Chair, Dallas Bar Association Employee Benefits Committee Chair, former Texas Association of Business State, Regional and Dallas Chapter Chair, a founding board member and Past President of the Alliance for Healthcare Excellence, as well as in the leadership of many other professional, civic and community organizations. She also is recognized for her contributions to strengthening health care policy and charitable and community service resolving health care challenges performed under PROJECT COPE Coalition For Patient Empowerment initiative and many other pro bono service involvements locally, nationally and internationally.

Ms. Stamer is the author of many highly regarded works published by leading professional and business publishers, the ABA, the American Health Lawyers Association, and others. Ms. Stamer also frequently speaks and serves on the faculty and steering committee for many ABA and other professional and industry conferences and conducts leadership and industry training for a wide range of organizations.

About Solutions Law Press™

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or an admission. Solutions Law Press and its authors reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often rapidly evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. Solutions Law Press and its authors disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Comments Off on Brokerage President & Marketing Company CEO Indicted In $161M ACA Enrollment Fraud Scheme | Corporate Compliance | Permalink
Posted by Cynthia Marcotte Stamer