HHS Grants Limited Southern California Fire Limited Disaster Relief

January 10, 2025

Health plans and insurers, health care providers and other Southern California organizations impacted by the California fires may qualify for temporary waivers or modification of certain Department of Health and Human Services (“HHS”) regulatory requirements under the Declarations of a Public Health Emergency (“PHE”) published by HHS today.

The relief provided by the PHE includes:

An extensive list of resources and guidance to help health plans, health care providers and others to understand and cope with HHS requirements in disaster or other emergency situations such as:

Health plans and other regulated entities impacted by the fire or other disasters should carefully review this guidance to understand the scope and availability of the current relief. Additionally, health plans, health care providers, business associates and other HHS-regulated entities and providers not currently impacted by today’s or another public health emergency declaration should use this guidance to plan and adopt policies and arrangements in advance of a disaster to provide for their continued ability to fulfill HHS regulatory obligations in the event of an emergency.

Health plans and other HHS-regulated entities should keep in mind the limited duration and scope of the relief provided by this PHE or any other HHS public health emergency declaration. Entities planning to rely on the PHE relief must review the scope, conditions and duration requirements and ensure their ability to defend their continued compliance taking into account these limited waivers and modifications.

Also the PHE guidance documents are not a final agency action, do not legally bind persons or entities outside the Federal government, and may be rescinded or modified in the Department’s discretion. Noncompliance with any voluntary standards (e.g., recommended practices) contained in these documents will not, in itself, result in any enforcement action.

Furthermore, health plans and other HHS regulated entities typically face a myriad of responsibilities beyond those imposed by the HHS. Health plans and other regulated entities should check other agencies disaster declaration webpages to determine whether the agency has issued any specific relief impacting their emergency in response to the broader disaster declaration issued by the Administration. Except to the extent covered by other declared disaster relief, coverage by or compliance with the HHS PHE guidance and policies does not insulate the health plan from potential liability for violating the requirements of the Employee Retirement Income Security Act or other laws creating responsibilities to plan members, providers, the Employee Benefit Security Administration or other agencies or parties other than HHS with respect to the HHS regulatory obligations for which the specific relief is provided in the PHE declaration. Accordingly, health plans, their fiduciaries, plan sponsors and service providers are urged to take necessary steps before, during and after any disaster to position themselves to demonstrate fulfillment of duties of prudence and other applicable responsibilities.

The author of this update, Cynthia Marcotte Stamer is an American College of Employee Benefits Counsel Fellow and attorney board certified in Labor and Employment Law by the Texas Board of Legal Specialization, who has decades of experience advising health care providers, health plans and insurers, third party administrators, managed care and other health care payers and providers, technology, and other businesses about crisis preparedness and response and other compliance, risk management and operational matters. If you have questions or need advice or help evaluating or addressing these or other compliance, risk management, or other concerns, contact her. 

For More Information

We hope this update is helpful. For more information about these or other health or other employee benefits, human resources, or health care developments, please contact the author, Cynthia Marcotte Stamer, via e-mail or telephone at (214) 452-8297.

Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for her more than 35 years of health, insurance, employment and employee benefits and other industry management work, public policy leadership and advocacy, coaching, teachings, and publications including leading-edge work on crisis preparedness, response and recovery.

Author of many highly regarded compliance and risk management tools, training and other resources on health and other employee benefits, health care, insurance, workforce and other risk management and compliance, Ms. Stamer is widely recognized for her thought leadership and advocacy on these matters.  

In addition, Ms. Stamer serves as a Scribe for the American Bar Association (“ABA”) Joint Committee on Employee Benefits annual agency meetings with OCR and shares her thought leadership as International Section Life Sciences Committee Vice Chair, and a former Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. 

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides health care, insurance, human resources and employee benefit, data and technology, regulatory and operational performance, and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education. These include extensive resources on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources. 

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often rapidly evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. The author and Solutions Law Press, Inc. disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2025 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.

Comments Off on HHS Grants Limited Southern California Fire Limited Disaster Relief | Corporate Compliance, Employer, Employers, health benefit, Health Benefits, health Care, Health Care Fraud, health insurance, health insurance marketplace, Health Plans, HIPAA, HR, Human Resources | Tagged: , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

2025 Surprise Billing Fees Unchanged But Clear Cache Weekly To Stay Updated

December 27, 2024

2025 surprise billing independent dispute resolution fees applicable to health plans, health insurers and health care providers will remain are holding steady.

On December 27, 2024, the Department of Health and Human Services (“HHS”), the Department of Labor (“DOL”), and the Department of the Treasury (collectively, the “Departments”) updated the No Surprises Act (NSA) website to reflect updated certified IDR entity fees in accordance with the Federal Independent Dispute Resolution (IDR) Process Administrative Fee and Certified IDR Entity Fee Ranges Final Rule (IDR Fees Final Rule).

The IDR Fees Final Rule, effective as of January 22, 2024, set forth the 2024 IDR entity fee ranges. The Departments announced these fees will remain unchanged for 2025.

The 2025 IDR entity fees now published on the NSA website are effective for disputes initiated on or after January 1, 2025. For these disputes, the administrative fee amount is $115 per party per dispute, and the certified IDR entity fee ranges are $200-$840 for single determinations and $268-$1,173 for batched determinations. The website now includes information on the fee set by each certified IDR entity within these ranges.

Along with confirming the 2025 fees, the Departments caution plans and providers to monitor the website for updates to the IDR web form to accommodate guidance-related and system enhancements. The Departments ask plans and providers who have initiated an IDR dispute previously, to clear their computer’s cache or open the IDR initiation web form in a private or incognito window at least once a week to see all the new features. The Departments warn to clear the cache or open this form in private/incognito mode could result in additional follow-up with certified IDR entities or system errors.

The author of this update, Cynthia Marcotte Stamer is an American College of Employee Benefits Counsel Fellow and attorney board certified in Labor and Employment Law by the Texas Board of Legal Specialization, who has decades of experience advising health plans and insurers, third party administrators, managed care and other health care payers and providers with surprise billing and other claims, payment and other design, administration, regulatory and other enforcement, dispute resolution, compliance, risk management and operational matters. If you have questions or need advice or help evaluating or addressing these or other compliance, risk management, or other concerns, contact her. 

For More Information

We hope this update is helpful. For more information about the  or other health or other employee benefits, human resources, or health care developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452-8297.

Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for her more than 35 years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications including leading edge work on workforce and other risk management and compliance.

Ms. Stamer’s work throughout her career has focused heavily on working with businesses domestically and internationally on employment, benefits, Federal Sentencing Guidelines and other workforce management, regulatory and public policy and other legal and operational concerns.  

Author of many highly regarded compliance, training and other resources on health and other employee benefits, health care, insurance, workforce and other risk management and compliance, Ms. Stamer is widely recognized for her thought leadership and advocacy on these matters.  

In addition, Ms. Stamer serves as a Scribe for the American Bar Association (“ABA”) Joint Committee on Employee Benefits annual agency meetings with OCR and shares her thought leadership as International Section Life Sciences Committee Vice Chair, and a former Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. 

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources. 

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstance at the particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often rapidly evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. The author and Solutions Law Press, Inc. disclaim and have no responsibility to provide any update or otherwise notify anyone of any  fact or law specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2024 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.

Comments Off on 2025 Surprise Billing Fees Unchanged But Clear Cache Weekly To Stay Updated | Claims, Claims Administration, compliance, Consumer Protection, Direct Primary Care, Employee Benefits, Employer, Employers, ERISA, Fiduciary Responsibility, group health plan, health benefit, Health Benefits, health Care, Health Care Fraud, health insurance, health insurance marketplace, health plan, Health Plans, Human Resources, Managed Care, Surprise Billing, Tax, Technology | Tagged: , , , | Permalink
Posted by Cynthia Marcotte Stamer

$2.7 Million FCA Cyber Liability Settlement Shows New Tool In Government’s Strategy To Fight Cyber Insecurity By Holding Businesses & Leaders Accountable

May 4, 2024

The $2.7 million settlement government contractor Insight Global LLC, (“Insight”) is paying to settle a Justice Department (“DOJ”) False Claims Act civil suit for lax cybersecurity shows government contractors now must add possible False Claims Act prosecution to the already substantial and ever-widening potential consequences all organizations and leaders when their organizations experience a cyber incident.

Supplementing the strength and reach of existing cybersecurity laws by using the False Claims Act, federal securities, employee benefit fiduciary responsibility. and other laws as tools to pressure organizations and their leaders to strengthen their cybersecurity compliance and defenses is a key component of the National Cybersecurity Strategy the Administration announced in March, 2023 to battling the ongoing pandemic of cyber incidents. As National Cybersecurity Strategy states, “Continued disruptions of critical infrastructure and thefts of personal data make clear that market forces alone have not been enough to drive broad adoption of best practices in cybersecurity and resilience. … We must hold the stewards of our data accountable for the protection of personal data; drive the development of more secure connected devices; and reshape laws that govern liability for data losses and harm caused by cybersecurity errors, software vulnerabilities, and other risks created by software and digital technologies.

The National Cyber Security Strategy goes on to warn, “We will use Federal purchasing power and grant-making to incentivize security.”

With holding businesses and their leaders accountable a key component of the Federal government’s National Cybersecurity Strategy, government contractors specifically and all businesses and their leaders generally should heed the use of the DOJ’s use of the False Claims Act as another tool in its expanding arsenal for holding businesses experiencing cyber breaches accountable as proof of their own growing imperative to manage their own cyber security and liability in response to exploding strains of cyber threats and liabilities.

Government Contractor False Claims Act Cyber Risk

DOJ’s adoption of the False Claims Act as a tool for imposing liability against government contractors experiencing a cyber breach is part of a broader effort to persuade organizations and their leaders to tighten their cyber security defenses and responses by ratcheting up the liability and other consequences organizations and their leaders face when their organizations experience a cyber incident. The False Claims Act imposes treble damages and penalties on those who knowingly and falsely claim money from the United States or knowingly fail to pay money owed to the United States.

A Civil Cyber-Fraud Initiative announced by DOJ on October 6, 2021 adds potential False Claims Act civil lawsuits by DOJ or private whistleblowers to the already significant and expanding consequences government contractors and grant holders can face for failing to fulfill requirements to properly secure protected health information or other sensitive data as required in their government contracts.

According to DOJ’s May 1, 2024 announcement, Insight will pay $2.7 million to resolve DOJ False Claims Act charges for failing to have adequate cybersecurity measures to protect health information obtained during COVID-19 contact tracing under the new of the Settlement shows DOJ is following through on its promise.

$2.7 Million Insight FCA Cyber Settlement

The $2.7 million Settlement settles a whistleblower lawsuit, United States ex rel. Seilkop v. Insight Global LLC, No. 1:21-cv-1335 (M.D. Pa.). Filed under the whistleblower provisions of the False Claims Act that permit private parties to sue on behalf of the government when they believe that defendants submitted false claims for government funds and to receive a share of any recovery, DOJ intervened in the suit. Whistleblower, Terralyn Williams Seilkop, a former Insight Global staff member who worked on the contact tracing at issue, will receive a $499,500 share of the $2.7 million settlement amount.

The lawsuit alleged the Pennsylvania Department of Health hired Insight to provide staffing for COVID-19 contact tracing and paid Insight using federal funds from the U.S. Centers for Disease Control and Prevention. Although keeping personal health information of contact tracing subjects confidential and secure was part on its contractual duties, Insight failed to secure the protected health information. Instead, DOJ claimed, for example, Insight transmitted certain personal health information and/or personally identifiable information of contact tracing subjects in the body of unencrypted emails, stored and transmitted the information using Google files not password protected, making them potentially accessible to the public via internet links and allowed staff to use shared passwords to access that information.

DOJ additionally alleged that from November 2020 through January 2021, Insight managers received complaints from Insight staff that protected health information was unsecure and potentially accessible to the public, but failed to start remediating the issue until April 2021 after deficiencies came to light.

When Insight eventually began remediating these cybersecurity breaches and deficiencies in 2021, the announcement states Insight cooperated with the DOJ investigation of the cause and scope of the incident. It also took steps to remedy cybersecurity deficiencies by strengthening internal controls and procedures, adding more data-security resources and issuing a public notice regarding the scope of the potential exposure and offering free credit monitoring and identity protection services to those affected. FOJ also reports Insight also cooperated with the United States’ investigation.

DOJ’s Insight settlement announcement warns other government contractors of DOJ’s “continuing commitment to ensure that government contractors fulfill their cybersecurity obligations.” Its announcement quotes Principal Deputy Assistant Attorney General Brian M. Boynton, head of the Justice Department’s Civil Division as stating, “The Justice Department will hold accountable those contractors who knowingly fail to satisfy cybersecurity requirements.”

Meanwhile, Special Agent in Charge Maureen R. Dixon of the Department of Health and Human Services Office of Inspector General (HHS-OIG) is quoted as stating “Contractors for the government who do not follow procedures to safeguard individuals’ personal health information will be held accountable.”

Cyber Risk Implications For Government Contractor & Other Organizations

Potential False Claims Act liability under the DOJ False Claims Act Civil Cyber-Fraud Initiative add additional liability risks for government contractors to already substantial and growing federal and state regulatory, contractual, and civil and criminal liabilities and other consequences that cyber breaches and other cybersecurity weaknesses create for business and other organizations, their health plans and their leaders. Examples of these other exposures that lax privacy, data security, data breach and other cybersecurity practice may create include:

  • Business operating losses from resulting operational disruptions and damages to customer, business partner, shareholder and public trust;
  • Federal Sentencing Guidelines organizational criminal liability arising from violations of electronic crime and other federal criminal data privacy and security laws;
  • Federal Trade Commission Act and state unfair business practices liability for deceiving customers about privacy practices;
  • Security and Exchange Commission (“SEC”) criminal and civil actions and shareholder lawsuits under the Security and Exchange Act;
  • Health Insurance Portability & Accountability Act civil monetary penalty and criminal exposures for health plans, health care providers, health care clearinghouses and their business associates;
  • Employee Benefit Security Act fiduciary liability for health fiduciaries;
  • Liability for violation of Fair and Accurate Transaction Act, Internal Revenue Code, or other federal privacy or confidentiality laws;
  • damages and other penalties and judgments arising under state identity theft, data security, privacy and other state statutory, contractual and tort laws; and
  • More.

These and other constantly emerging exposures show the imperative for government contractors and all other organizations and their leaders to ensure their organizations take adequate, well-documented efforts to protect their systems and data and fulfill all otherwise applicable cybersecurity rules.

With new cyber attacks and strains of cyber liability, emerging constantly, organizations, and their leaders increasingly must change the way they think about and address their own cyber security and other technology, budgets and management. The escalation of cyber incidents and risks necessitates that organizations and their leaders to treat cybersecurity as critical components of their operational and business plans and priorities.

Amid the pandemic of constantly evolving cyber threats, even the most diligent efforts to secure systems and data cannot guarantee the prevention of a breach or other cyber incident. Given this challenge, organizations and their leaders must focus both on taking meaningful steps to adequately secure their systems and data against a cyber breach or incident as well as position their organizations and leaders to defend their actions and mitigate exposures through appropriate strategic planning, documented oversight and risk assessment, monitoring and response of threats and safeguards; preparation and timely response to cyber events using attorney-client privilege and other evidentiary tools to promote the defensibility of pre-breach, breach investigation and post-breach investigation and decision-making.

As the availability of funding can radically impact the effectiveness of these and other risk mitigation efforts when a cyber incident occurs, these preparations also should incorporate insurance and other arrangements to provide for breach investigation funding and response.

For Additional Information

We hope this update is helpful. Solutions Law Press, Inc. invites you to receive future updates by registering on  here and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy

If you need have questions or need assistance with this or other cybersecurity, health, benefit, payroll, investment or other data, systems or other privacy or security related risk management, compliance, enforcement or management concerns, to inquire about arranging for compliance audit or training, or need legal representation on other matters,  contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297

About the Author 

Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 35 plus years of cybersecurity, workforce, technology and other compliance, risk management and mitigation, incident and other investigations,regulatory and government affairs, and other strategic, operational, regulatory and legal and consulting management work for government contractors and other public and private businesses; managed care and other health and life science, insurance, technology, and other performance and data dependent organizations,

A Fellow in the American College of Employee Benefit Counsel, Co-Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee and Vice-Chair Elect of its International Employment Law Committee, Chair-Elect of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading-edge work, scholarship and thought leadership with healthcare and life sciences, employment and employee benefits, managed care and insurance, data and technology and other related industries and organizations. Known for her skill combined use of her extensive legal and operational knowledge to help these and other clients develop, operationalize and defend employment, employee benefits, compensation and other staffing and workforce; data, systems and other technology; heath benefit and other healthcare and life science, managed care and insurance; employee benefits, safety, contracting, quality assurance, compliance and risk management, and other legal, public policy and operational actions and practices. She speaks and publishes extensively on these and other related compliance issues.

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, life sciences, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. Author of a multitude of highly regarded publications on HIPAA and other medical record and data privacy and scribe for the ABA JCEB Annual Meeting with the HHS Office of Civil Rights, her experience includes extensive involvement throughout her career in advising health care and life sciences and other clients about preventing, investigating and defending EEOC, DOJ, OFCCP and other Civil Rights Act, Section 1557 and other HHS, HUD, banking, and other federal and state discrimination investigations, audits, lawsuits and other enforcement actions as well as advocacy before Congress and regulators regarding federal and state equal opportunity, equity and other laws. 

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here

About Solutions Laws Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here

IMPORTANT NOTICE

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and educational purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstances at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules make it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access to this publication. 

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2024 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™

Comments Off on $2.7 Million FCA Cyber Liability Settlement Shows New Tool In Government’s Strategy To Fight Cyber Insecurity By Holding Businesses & Leaders Accountable | Antitrust, Attorney-Client Privilege, Banking, board of directors, Brokers, Civil Monetary Penalties, Claims, compliance, Corporate Compliance, corporate governance, Cybercrime, Cybersecurity, Data Breach, Data Security, Department of Defense, DFAR, Disaster, Educational Privacy, Emergency, Employee Benefits, Employer, Employers, Employment, Employment Policies, enforcement, ERISA, false claims act, FTC, Government Accountability, Government Contractors, government employer, group health plan, health benefit, Health Benefits, health Care, Health Care Fraud, health plan, Health Plans, HIPAA, HR, Human Resources, Identity Theft, Insurance, insurers, Internal Controls, Internal Investigations, Managed Care, OFCCP, Personal Health Records, Personal Health Recordss, Physician, Plan Admistrator, Protected Health Information, Provider, self insured health plan, Technology, third party administrators, tpa, Whistleblower | Tagged: , , , , , , , , , , , , , , , , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

Medical Clinic Co-Founder Sentencing & New Charges Filed Against Substance Abuse Clinic Operator Highlight Threat Health Plans Face From Health Plan Fraud Scammers

March 3, 2023

The U.S. District Court for the Western District of Kentucky ordered the co-founder of a that Yesdel Acosta Perez to time served of 14 months in prison and to pay $258,507 in restitution for his role in causing health care clinics he cofounded to bill 15 self-funded health plans for $4.7 million in medical services never provided. The conviction reminds health plans, health care providers and others that fraudulently billing self-insured or other private health plans can result in criminal conviction punishable as felony under multiple provisions of the United States Criminal Code. Acosta Perez’ sentencing coincides with the Justice Department’s announcement of its March 2, 2023 filing of similar criminal charges against the operator of a chain of substance abuse clinics and others for their alleged involvement in millions of dollars of false charges billed to private health plans, Medicare and Medicaid for substance abuse addition treatment not provided.

The conviction and sentencing of Acosta Perez and the newly announced charges against operators of a chain of addiction treatment clinics in Massachusetts and Rhode Island and others for alleged ahealth care fraud aggravated identity theft, money laundering and obstruction in relation to alleged billing of millions of dollars of false charges to private health plans, Medicare and Medicaid for substance abuse treatment by clinics highlight the continuing threat fraudulent actors present for self-insured and other private health plans, Medicare and Medicaid, as well as the potential criminal prosecution and consequences those individuals convicted of these crimes risk from their criminal activity.

Acosta Perez Conviction & Sentencing

The co-founder of Romero Rehabilitation Physical Therapy Inc. and Empire USA Inc. in Louisville and Imaging Group Center Inc. in Atlanta plead guilty to one count of conspiracy to commit healthcare fraud in February, 2023, after the U.S. Department of Labor found the operators collected $258,000 from 15 self-funded healthcare benefit programs for services they never provided based on fraudulent claims made between 2016 and 2018.

In June, 2018, a federal grand jury indicted Acosta Perez and fellow co-founder Eduardo Chinea-Martinez and others on multiple counts of Health Care Fraud in violation of 18 U.S.C. §1347, Theft from a Health Care Benefit Program in violation of 18 U.S.C. §669, Aggravated Identity Theft in violation of 18 U.S 8 U.S.C. §1028A, Money Laundering in violation of 18 U,S,C. §1956, Mail Fraud in violation of 18 U.S.C Chapter 63 and aiding and abetting in the commission of these violations under 18 U.S.C. §1349. billing various healthcare benefit programs through claims administrators Humana, CIGNA and United Healthcare for $4.7 million for services never provided. The U.S. Criminal Code authorized potential sentences of between 10 to 20 years of imprisonment as well as subjected charged defendants to asset forfeiture upon conviction.

The grand jury inditement and subsequent prosecution of Acosta Perz and a fellow co-founder resulted from an Employee Benefit Security Benefit Administration investigation that found that, between May 2015 and January 2016, Acosta Perez and Eduardo Chinea-Martinez co-founded three companies to intentionally defraud various healthcare benefit programs. Investigators also determined Acosta Perez opened bank accounts for the fictitious businesses at JPMorgan Chase Bank, Wells Fargo Bank and Bank of America. Acosta Perez and Chinea-Martinez. The indictment charges that Acosta Perez and Chinea-Martinez misappropriated and used patients’ names, dates of birth, insurance/policy numbers, addresses, and patient IDs/Social Security Numbers, without the patients’ knowledge and names and National Provider Numbers (“NPIs”) from uninvolved doctors without the doctors’ knowledge to create claims for payment by representing these uninvolved doctors and clinics allegedly ordered or performed the services in the false and fraudulent billings submitted by defendants for payment to submit fraudulent claims. The fraudulent claims directed the plans to send payment for the billed services to a Regus virtual office location in Louisville, Kentucky. Acosta Perez then directed Regus via email to forward all mail to Romero Rehabilitation Physical Therapy. According to the indictment, using this process to submit claims for payment for the fraudulent services, Chinea-Martinez and Acosta Perez billed approximately $4,700,000 in fraudulent medical services to the self-insured plans and received payment for $258,000.

In March 2020, the court sentenced Chinea-Martinez to 42 months in prison and three years of supervised release for his part in the scheme. However, before his in June 2018, Acosta Perez fled the U.S. On July 22, 2022, however, the Italian government granted the request of the U.S. for the extradition of Acosta Perez and surrendered him to U.S. authorities. Acosta-Perez was arrested in June 2022.

New Health Care Fraud Charges Against Rhode Island and Massachusetts Addiction Treatment Chain Operators

Acosta-Perez’s sentencing coincides with the Justice Department’s March 2, 2023 announcement of its filing of a host of similar charges in Rhode Island against the operator of a chain of addiction treatment clinics and others for alleged aggravated identity theft, money laundering and obstruction in relation to theft of the identities and other patient and provider information and using their information to file false charges billed to private health plans, Medicare and Medicaid for substance abuse treatment by clinics.

Michael Brier, Mi Ok Bruining and Recovery Connections Centers of America, Inc. (RCCA) are charged in a federal criminal complaint with health care fraud and Michael Brier also is charged with aggravated identity theft, money laundering and obstruction. In addition, the treatment center and its former supervisory counselor were also charged with health care fraud. The Justice Department announcement of these charges reminds readers that its federal criminal complaint is merely an accusation and that the defendants are presumed innocent unless and until proven guilty.

The Justice Department alleges in court documents that, Brier, Bruining, and RCCA shortchanged Rhode Island and Massachusetts substance abuse disorder patients out of much needed counseling and treatment services, while defrauding Medicare, Medicaid, and other health insurers out of millions of dollars.

According to the charging documents, Brier, Bruining and RCCA operated a chain of addiction treatment centers but failed to provide the patients with the required counseling sessions and treatment, while simultaneous billing Medicare, Medicaid and other health care payors for 45-minute counseling sessions on a routine basis even though the sessions were not more than 15 minutes, and often only 5-10 minutes or less.  At times, so many counseling sessions were billed at this level that the total amount of time would be impossible for the available therapist to have provided in any 24 hours period. 

Brier and RCCA are also alleged to have caused a fraudulent application to be submitted to Medicare which, among other things, misrepresented and concealed the role that Brier was playing in the business and failed to disclose Brier’s 2013 criminal conviction for federal tax crimes, which was relevant to Medicare’s consideration of the application. 

The Complaint also alleges that Brier purported to practice medicine and wrote and caused to be filled fraudulent prescriptions using the names and prescriber information, including Drug Enforcement Administration numbers, of doctors without their permission.

Brier is also alleged to have falsified a document in a matter within the jurisdiction of an agency of the United States by causing the Medical Director to sign a false and back-dated document.

The complaint alleges that defendants caused millions of dollars in fraudulent billings to be submitted to Medicare and millions more in fraudulent billings to other health care payors. The government is also seeking to forfeit thirteen bank accounts, two buildings, and two vehicles allegedly realized by the defendants as a result of the alleged criminal conduct.

The two prosecutions highlight the continuing challenge health plans and other health care payers face from fraudulent claims submitted by criminal actors intent on deliberately defrauding health plans through schemes to knowingly defraud plans by creating and filing false claims. Health plans and their fiduciaries and administrators should be vigilant in their efforts to identify and protect their health benefit programs against these schemes and if victimized or presented with evidence of these schemes, should work with experienced legal counsel to prudently investigate these concerns and report relevant findings to the EBSA, the Department of Justice Health Care Fraud Task Force or both.

More Information

We hope this update is helpful. For more information about the these or other health or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297

Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.  

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 35+ years of workforce and other management work, public policy leadership and advocacy, coaching, teachings, scholarship and thought leadership.

A Fellow in the American College of Employee Benefit Counsel, Vice Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, Ms. Stamer’s work throughout her 35 year career has focused heavily on working with employer and other staffing and workforce organizations, health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. As an ongoing component of this work, she regularly advises, represents and defends businesses on FLSA, CAS, SCA, Davis-Bacon, Equal Pay Act and other wage and hour, compensation and benefit and other Human Resources, Guideline Program and other compliance, risk management and other internal and external controls in a wide range of areas and has published and spoken extensively on these concerns.

Ms. Stamer also is widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on workforce, compensation, and other operations, risk management, compliance and regulatory and public affairs concerns.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here.

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving, and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2023 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™

Comments Off on Medical Clinic Co-Founder Sentencing & New Charges Filed Against Substance Abuse Clinic Operator Highlight Threat Health Plans Face From Health Plan Fraud Scammers | Claims, Claims Administration, Corporate Compliance, ERISA, Health Care Fraud, Health Plans | Permalink
Posted by Cynthia Marcotte Stamer

$1.25 Million Cybersecurity Breach Settlement & Other Heightening Enforcement Warn Health Plans & Others To Fix Cybersecurity

February 4, 2023

Phoenix-based nonprofit health system Banner Health and its affiliates (“Banner Health”) paid $1.25 million and agreed to take corrective actions to resolve its exposure to potentially much greater Health Insurance Portability and Accountability Act (HIPAA) Security Rule civil monetary penalty exposure for a 2016 cyber hacking breach that compromised the person health information of 2.81 million consumers. OCR used its February 2 announcement of the Banner Health settlement to warn health plans, health care providers, health care clearing houses (“covered entities”) and business associates covered by HIPAA to guard their own system containing protected health information against breach by cyber hacking even as the Department of Labor and other agencies are stepping up their cybersecurity rules, oversight and enforcement.

Banner Health Settlement

Banner Health is one of the largest non-profit health systems in the country, with over 50,000 employees and operating in six states. Banner Health is the largest employer in Arizona, and one of the largest in northern Colorado. 

In November 2016, OCR initiated an investigation of Banner Health following the receipt of a breach report stating that a threat actor had gained unauthorized access to electronic protected health information, potentially affecting millions.  The hacker accessed protected health information that included patient names, physician names, dates of birth, addresses, Social Security numbers, clinical details, dates of service, claims information, lab results, medications, diagnoses and conditions, and health insurance information.

OCR’s investigation found evidence of long term, pervasive noncompliance with the HIPAA Security Rule across Banner Health’s organization, a serious concern given the size of this covered entity. Organizations must be proactive in their efforts to regularly monitor system activity for hacking incidents and have measures in place to sufficiently safeguard patient information from risk across their entire network.

The potential violations specifically include: the lack of an analysis to determine risks and vulnerabilities to electronic protected health information across the organization, insufficient monitoring of its health information systems’ activity to protect against a cyber-attack, failure to implement an authentication process to safeguard its electronic protected health information, and failure to have security measures in place to protect electronic protected health information from unauthorized access when it was being transmitted electronically. 

Under the Resolution Agreement and Corrective Action Plan negotiated to resolve these potential violations, Banner Health paid $1,250,000 to OCR. Banner Health also agreed to implement a corrective action plan, which identifies steps Banner Health will take to resolve these potential violations of the HIPAA Security Rule and protect the security of electronic patient health information that will be monitored for two years by OCR to ensure compliance with the HIPAA Security Rule. Under the corrective action plan, Banner has agreed to take the following steps:

  • Conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic patient/system data across the organization
  • Develop and implement a risk management plan to address identified risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI
  • Develop, implement, and distribute policies and procedures for a risk analysis and risk management plan, the regular review of activity within their information systems, an authentication process to provide safeguards to data and records, and security measures to protect electronic protected health information from unauthorized access when it is being transmitted electronically, and
  • Report to HHS within thirty (30) days when workforce members fail to comply with the HIPAA Security Rule.

OCR Warns Other HIPAA-Covered Entities

In the health care sector, hacking is now the greatest threat to the privacy and security of protected health information. OCR’sannouncement of the serrlement reports 74 percent (74%) of the breaches reported to OCR in 2021 involved hacking/IT incidents.

The announcement also notes OCR offers an array of resources to help health care organizations bolster their cybersecurity posture and comply with the HIPAA Rules, 

The settlement and OCR’s announcement warn other covered entities and business associates to use these and other necessary resources to protect their systems with protected health information from cyber hacking and other breaches.

In conjunction with reminding other covered entities of these resources, the settlement announcement quotes OCR Director Melanie Fontes Rainer as warning, ‘Hackers continue to threaten the privacy and security of patient information held by health care organizations, including our nation’s hospitals, … It is imperative that hospitals and other covered entities and business associates be vigilant in taking robust steps to protect their systems, data, and records, and this begins with understanding their risks, and taking action to prevent, respond to and combat such cyber-attacks. … Cyber security is on all of us, and we must take steps to protect our health care systems from these attacks.”

OCR’s enforcement record confirms these are not idyl threats. Breaches of the Security or Breach Notification Rules often result in significant civil monetary penalty assessments or negotiated settlements to mitigate civil liability exposures arising out of such breaches. See e.g.,  Clinical Laboratory Pays $25,000 To Settle Potential HIPAA Security Rule Violations (May 25, 2021); Health Insurer Pays $5.1 Million to Settle Data Breach Affecting Over 9.3 Million People (January 15, 2021); Aetna Pays $1,000,000 to Settle Three HIPAA Breaches(October 28, 2020); Health Insurer Pays $6.85 Million to Settle Data Breach Affecting Over 10.4 Million People (September 25, 2020); HIPAA Business Associate Pays $2.3 Million to Settle Breach Affecting Protected Health Information of Over 6 million Individual – (September 23, 2020); Lifespan Pays $1,040,000 to OCR to Settle Unencrypted Stolen Laptop Breach (July 27, 2020); Small Health Care Provider Fails to Implement Multiple HIPAA Security Rule Requirements (July 23, 2020). 

Alerts issued by OCR regarding heightened security risks in recent months and a growing tide of highly publicized breaches send a strong warning to other covered entities and their business associates to reconfirm the adequacy of their own HIPAA privacy, security, breach notification and other procedures and protections by among other things:

  • Reviewing and monitoring on a documented, ongoing basis the adequacy and susceptibilities of existing practices, policies, safeguards of their own organizations, as well as their business associates and their vendors within the scope of attorney-client privilege taking into consideration data available from OCR, data regarding known or potential susceptibilities within their own operations as well as in the media, and other developments to determine if additional steps are necessary or advisable.
  • Updating policies, privacy and other notices, practices, procedures, training and other practices as needed to promote compliance and defensibility.
  • Renegotiating and enhancing service provider agreements to detail the specific compliance, audit, oversight and reporting rights, workforce and vendor credentialing and access control, indemnification, insurance, cooperation and other rights and responsibilities of all entities and individuals that use, access or disclose, or provide systems, software or other services or tools that could impact on security; to clarify the respective rights, procedures and responsibilities of each party in regards to compliance audits, investigation, breach reporting, and mitigation; and other relevant matters.
  • Verifying and tightening technological and other tracking, documentation and safeguards and controls to the use, access and disclosure of protected health information and systems.
  • Conducting well-documented training as necessary to ensure that members of the workforce of each covered entity and business associate understand and are prepared to comply with the expanded requirements of HIPAA, understand their responsibilities and appropriate procedures for reporting and investigating potential breaches or other compliance concerns, and understand as well as are prepared to follow appropriate procedures for reporting and responding to suspected 
    violations or other indicia of potential security concerns.
  • Tracking and reviewing on a systemized, well-documented basis actual and near miss security threats to evaluate, document decision-making and make timely adjustments to policies, practices, training, safeguards and other compliance components as necessary to identify and resolve risks.
  • Establishing and providing well-documented monitoring of compliance that includes board level oversight and reporting at least quarterly and sooner in response to potential threat indicators.
  • Establishing and providing well-documented timely investigation and redress of reported 
    violations or other compliance concerns.
  • Establishing contingency plans for responding in the event of a breach. 
  • Establishing a well-documented process for monitoring and updating policies, practices and other efforts in response to changes in risks, practices and requirements.
  • Preparing and maintaining a well-documented record of compliance, risk, investigation and other security activities.
  • Pursuing other appropriate strategies to enhance the covered entity’s ability to demonstrate its compliance commitment both on paper and in operation.

Because susceptibilities in systems, software and other vendors of business associates, covered entities and their business associates should use care to assess and manage business associate and other vendor associated risks and compliance as well as tighten business associate and other service agreements to promote the improved cooperation, coordination, management and oversight required to comply with the new breach notification and other HIPAA requirements by specifically mapping out these details.

Beyond these HIPAA exposures, breaches and other HIPAA noncompliance carries other liability risks. Leaders of covered entities or their business associates also are cautioned that while HIPAA itself does not generally create any private right of action for victims of breach under HIPAA, breaches may create substantial liability for their organizations or increasingly, organizational leaders.  For instance, the Department of Health & Human Services has warned health care providers participating in Medicare or other federal programs and Medicare Advantage health plans that HIPAA compliance is a program term of participation. 

Health care providers and health insurers can face liability under state data privacy and breach, negligence or other statutory or common laws. In addition, physicians and other licensed parties may face professional discipline or other professional liability for breaches violating statutory or ethical standards. 

Health plans also face a myriad of other exposures from failing to use appropriate cyber safeguards. Plan fiduciaries of employment based health plans covered by the Employee Retirement Income Security Act (“ERISA”} risk liability under ERISA’s fiduciary responsibility rules. The Department of Labor Employee Benefit Security Administration (“EBSA”) now audits the adequacy of the cybersecurity and other HIPAA compliance of health plans and their third party administrators and other business associates as part of EBSA’s oversight and enforcement of ERISA. Department of Labor Assistant Secretary for EBSA Lisa Gomez confirmed audit and enforcement of cybersecurity obligations is a key priority in EBSA’s current work plan in her February 4, 2023 comments to the American bar Association.

Meanwhile, the Securities and Exchange Commission has indicated that it plans to pursue enforcement against leaders of public health care or other public companies that fail to use appropriate care to ensure their organizations comply with privacy and data security obligations.

Furthermore, appropriate cyber security practices also may be advisable elements for organizations to include in their Federal Sentencing Guideline Compliance Programs to mitigate potential organization liability risks under federal electronic crime and related laws. 

In the face of these risks and warnings, all covered entities and their business associates should reassess and confirm the adequacy of their and their business associates’ cyber security defenses and breach response preparations.

More Information

We hope this update is helpful. For more information about the these or other health or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297

Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.  

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

A Fellow in the American College of Employee Benefit Counsel, Vice Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on health, health plan and managed care industry legal, public policy and operational concerns. 

Ms. Stamer’s work throughout her 35 year career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. As an ongoing component of this work, she regularly advises, represents and defends HIPAA covered entities, business associates and other organizations on HIPAA and other cyber, privacy and data security concerns and has published and spoken extensively on these concerns.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here.  

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access of this publication. 

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2023 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™

Comments Off on $1.25 Million Cybersecurity Breach Settlement & Other Heightening Enforcement Warn Health Plans & Others To Fix Cybersecurity | Association Health Plan, Civil Monetary Penalties, Corporate Compliance, Cybercrime, Cybersecurity, Data Breach, Data Security, Electronic Medical Record, Emploeyrs, employee, Employee Benefits, Employer, Employers, Federal Sentencing Guidelines, FTC, Government Contractors, government employer, group health plan, health benefit, Health Benefits, health Care, Health Care Fraud, Health IT, health plan, Health Plans, HIPAA, HR, Human Resources, insurers, Internal Controls, Internal Investigations, Managed Care, Mental Health, pbm, Personal Health Records, Personal Health Recordss, pharmacy, Physician, Plan Admistrator, PPO, Professional Liability, Protected Health Information, Provider, provider contracting, Retaliation | Permalink
Posted by Cynthia Marcotte Stamer

Federal Agencies Take Aim At Businesses, Benefit Plan Fiduciaries & Service Providers & Others With Lax CyberSecurity & CyberBreach Compliance; Build Defenses By Strengthening Internal & External Controls & Risk Managment

October 19, 2021

Businesses, their employee benefit plan fiduciaries, their employer and other sponsors, their record keepers, financial advisors and other service providers and other business partners face growing pressure to shore up cyber security and cyber breach compliance and other safeguards to defend against a slew of  new and ongoing federal cyber security and breach regulatory and enforcement the Biden-Harris Administration is rolling out in its effort to stem the rising tide of  cybersecurity incidents.

Agencies Targeting Businesses, US Entities & Their Leaders For CyberSecurity & CyberBreach Regulation & Enforcement

On October 6, 2021, Deputy Attorney General Lisa O. Monaco announced plans to civilly prosecute federal government contractors that fail to follow required cyber security standards under the False Claims Act under a new Civil Cyber-Fraud Initiative to be led by DOJ’s Civil Division’s Commercial Litigation Branch, Fraud Section.  While adding new exposures to the already substantial exposures  federal government contractors and grant recipients already face for failing to comply with applicable cybersecurity and cyberbreach notifications under federal and state laws, the Civil Cyber-Fraud Initiative also provides more evidence that the Biden-Harris Administration is serious about moving forward on its broader strategy to stem the recurrent waves of disruptive cyber breaches and other security incidents buffeting U.S. public and private institutions and citizens by ramping up cybersecurity regulations, oversight and enforcement against all U.S. organizations.   See e.g., New DOJ Civil Cyber-Fraud Initiative Pressures Federal Contractors & Grant Recipients To Tighten Cybersecurity Controls, Training & Other Safeguards. May 12, 2021 Executive Order on Improving the Nation’s Cybersecurity; July 28, 2021 National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems.

The DOJ Civil Cyber-Fraud Initiative is the latest in a growing list of new regulatory and enforcement programs placing pressure on U.S. businesses and their leaders to get serious about cybersecurity.  Examples of some of the more far reaching of these new or continuing programs include:

  • Government Contractors. 

Under the Civil Cyber-Fraud Initiative, DOJ plans to use the False Claims Act to prosecute pursue cyber security related fraud by government contractors and grant recipients.  According to DOJ, the initiative will hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cyber security products or services, knowingly misrepresenting their cyber security practices or protocols, or knowingly violating obligations to monitor and report cyber security incidents and breaches. Federal contractors and grant recipients submitting claims for federal funds will be considered to have filed a false claim in violation of the False Claims Act if their cyber security and cyber breach practices are not compliant with applicable federal requirements when the payment is requested.

  • Federal Health Program Participating Health Care Providers And Plans. 

The DOJ Cyber-Fraud Initiative follows a similar interpretation of the Department of Health & Human Services (“HHS”) Office Inspector General (“OIG”) about the cybersecurity and cyberbreach compliance requirements health care providers and health plan issuers participating in Medicare and certain other federally funded health care programs (“Medicare Participating Providers”) are accountable to meet under the Conditions of Participation for those programs.  HHS OIG’s construction of these Conditions of Participation as including cybersecurity and cyberbreach compliance signs that Medical Participating Providers with deficient cybersecurity practices now may risk program disqualification and False Claims Act liability along with their already well-known exposure to civil monetary penalties under the Health Insurance Portability & Accountability Act (“HIPAA”) protected health information privacy, security and data breach rules.

  • Health & Other Employee Benefit Plans. 

Health plans and other employee benefit plans, their fiduciaries, record keepers and service providers also face growing cybersecurity responsibilities and risks.  While HHS Office of Civil Rights (“OCR”) continues to clarify and expand its interpretation, investigation and enforcement of HIPAA privacy, security and data breach rules against health plans, health care providers, health care clearinghouses and their business associates, the Department of Labor Employee Benefit Security Administration is turning up the heat on employee benefit plan fiduciaries to prudently protect their employee benefit plan assets and participants against cyberthreats.

On April 14, 2021, the Department of Labor Employee Benefit Security Administration (“EBSA”) made official its interpretation of the duty of prudence applicable to employee benefit plan fiduciaries under Section 404 of the Employee Retirement Income Security Act (“ERISA”) includes a duty for ERISA-covered employee benefit plan fiduciaries to take “appropriate precautions” to mitigate risks to plan participants and assets from both internal and external cybersecurity threats. The April 14 announcement makes official EBSA’s interpretation of the duty of prudence applicable to fiduciaries of ERISA-covered employee benefit plans as extending to a duty to act prudently to safeguard plan assets and plan participants against cybersecurity threats.

Concern about cyberthreats to private employee benefit plans covered by ERISA, their participants and beneficiaries has soared as massive data breaches  Federal Thrift Savings Plan, Anthem, Capital Onethe Public Employees Retirement Association of New Mexico and other employee benefit plans, their vendors and service providers increasingly have impacted millions of employee benefit plans, their accounts and participants.

While Congress chose to subject health plans to the detailed health privacy, security and breach rules of HIPAA and financial and certain other employee benefit plan service providers to consumer financial disclosure and data information security requirements of laws like Gramm-Leach-Bliley Act and the Fair and Accurate Credit Transactions Act, and even employers and others conducting background and other credit checks to the  Fair Credit Reporting Act, growing awareness of the cyberthreat to employee benefits has not prompted Congress to date to extend those laws or otherwise to enact express statutory requirements for employee benefit plans and their fiduciaries.  However, private litigants and others increasingly have speculated that a fiduciary duty to safeguard plan asset against cyberthreats might be subsumed in the obligation of fiduciaries under Section 404 of ERISA at all times to act with “the care, skill, prudence, and diligence under the circumstances then prevailing that a prudent man acting in a like capacity and familiar with such matters would use in the conduct of an enterprise of a like character and with like aims.” See, e.g., See Record $16M Anthem HIPAA Settlement Signals Need to Tighten Your Health Plan HIPAA Compliance & Risk Management.

While EBSA has worked to formulate its recently announced positions, private litigants increasingly have begun debating the applicability and effect of ERISA on cyberbreaches involving ERISA regulated plans.  See e.g., In re Anthem, Inc. Data Breach Litig., No. 15-CV-04739-LHK, 2015 WL 7443779, at *1 (N.D. Cal. Nov. 24, 2015)(holding Anthem entitled under ERISA to remove claims to federal court and refusing employee benefit plan participants’ motion to remand to state court state claims arising from data breach); In re Anthem, Inc. Data Breach Litig., No. 15-MD-02617-LHK, 2016 WL 3029783 (N.D. Cal. May 27, 2016)(refusing to dismiss participant claims against non-Anthem defendants for lack of standing), motion reconsideration denied In re Anthem, Inc. Data Breach Litig., No. 15-CV-04739-LHK, 2016 WL 324386 (N.D. Cal. Jan. 27, 2016); Bartnett v. Abbott Lab’ys, No. 20-CV-02127, 2021 WL 428820, at *5 (N.D. Ill. Feb. 8, 2021) (dismissing breach of fiduciary duty claim based on inadequate evidence); In re: Premera Blue Cross Customer Data Sec. Breach Litig., No. 3:15-MD-2633-SI, 2017 WL 539578, at *21 (D. Or. Feb. 9, 2017). While mostly unsuccessful to date for procedural or factual sufficiency reasons, the preemption issues argued in many of these cases support concerns that under the proper circumstances ERISA could apply to breaches involving plans or their participants.  As these and other actions continue to wind their way through the courts, EBSA also has begun to acknowledge that ERISA plan fiduciaries duties of prudence include cybersecurity responsibilities.

EBSA’s first official recognition of a cybersecurity responsibility by plan fiduciaries appears in the Default Electronic Disclosure by Employee Pension Benefit Plans Under ERISA Final Rule (the “Electronic Disclosure Rule”), which took effect July 27, 2020 . In the discussion of its requirements regarding website-based electronic disclosures in Subpart (e)(3), the Electronic Disclosure Rule requires that “[T]he administrator must take measures reasonably calculated to ensure that the website protects the confidentiality of personal information relating to any covered individual.”  Similarly, the requirements for using e-mail to provide electronic disclosures in Subsection (k)(4) of the Electronic Disclosure Rule require the plan administrator to take “measures reasonably calculated to protect the confidentiality of personal information relating to the covered individual.”  While recognizing these cyber security responsibilities in the Electronic Disclosure Rule, however,  EBSA explained in the Preamble to the Electronic Disclosure Rule that it decided not to include more cumbersome cybersecurity requirements in the Electronic Disclosure Rule out of concern over the cost and other burdens of such requirements.  Nevertheless, the Electronic Disclosure Rule imposed a responsibility by plan fiduciaries of employee benefit plans making electronic disclosures to ensure that electronic recordkeeping systems have in place reasonable controls, adequate records management practice, and other measures calculated to protect Personally Identifiable Information.

EBSA’s April 14, 2021 reflects EBSA now views the fiduciary responsibilities of ERISA-covered employee benefit plan fiduciaries generally as including the responsibility to take “appropriate precautions” to mitigate risks to plan participants and assets from both internal and external cybersecurity threats. Beyond acknowledging a duty to take prudent steps to protect plans assets and participants against internal and external cybersecurity threats, EBSA also shared the following three resources to help plan sponsors, fiduciaries and participants to safeguard benefit plans and personal information against emerging cyber threats:

  • Tips for Hiring a Service Provider: Helps plan sponsors and fiduciaries prudently select a service provider with strong cybersecurity practices and monitor their activities, as ERISA requires.
  • Cybersecurity Program Best Practices: Assists plan fiduciaries and record-keepers in their responsibilities to manage cybersecurity risks.
  • Online Security Tips: Offers plan participants and beneficiaries who check their retirement accounts online basic rules to reduce the risk of fraud and loss.
  • Participants in Securities Markets, Market Infrastructure Providers & Vendors. 

Meanwhile the Securities and Exchange Commission (“SEC”) also has made clear its expectation that all firms participating in the securities markets, market infrastructure providers and vendors will appropriately monitor, assess and manage their cybersecurity risk profiles, including their operational resiliency. Consistent with the shared understanding of best cybersecurity practices shared with the agencies, the SEC guidance makes clear its market involved and impacting regulated entities are accountable for maintaining and enforcing appropriate internal and external controls to prevent, detect and redress cybersecurity threats, including appropriate board governance and risk management, access rights and controls, data loss prevention,mobile security, incident response and resiliency, vendor management, training and awareness and other practices.  See  SEC Office of Compliance Inspections and Examinations Cybersecurity and Resiliency Observations.  Recently announced enforcement actions demonstrate that the SEC is acting on its promise to go after SEC regulated entities that breach these expectations.  See, e.g., SEC Announces Three Actions Charging Deficient Cybersecurity Procedures.

These and other recently announced federal regulatory and enforcement developments send a clear message to businesses and their leadership, employee benefit plan sponsors, fiduciaries, record keepers and other vendors, SEC securities market involved organizations and others to clean up their cybersecurity compliance and risk management.  Beyond the governmental enforcement risks these developments signal, these and other emerging regulatory developments provide added fuel for the already substantial private litigant and government complaints, investigations and prosecutions against businesses, their leaders, their employee benefit plan fiduciaries, record keepers and other service providers,and others.   and their leaders unable to defend the adequacy of their cybersecurity related practices.

Raise Cybersecurity Compliance & Defenses To Mitigate Risks & Liabilities

In the face of these developments, all businesses, employee benefit plan fiduciaries, their employer and other sponsors, record keepers and other vendors and their leaders should prioritize cybersecurity compliance, risk management, oversight and controls.  As part of these efforts, organizations and their leaders should move quickly to position themselves to defend against potential investigation and enforcement risks created by these emerging policies. These efforts should seek to ensure compliance with all applicable statutory, regulatory and contractual requirements as well as institutionalize the necessary operational controls to protect systems, data and operations from cyber breaches and other threats, to detect and redress cyber events promptly, and to ensure that the organization otherwise can demonstrate both their compliance efforts, as well as their timely prudent detection, investigation, reporting, mitigation and remediation in response to actual or suspected cyber threats or other compliance breaches.

Efforts should begin by taking carefully crafted, well-documented documented steps to prudently evaluate and strengthen  cybersecurity and breach safeguards and compliance, as well as prudently to assess and verify those of their vendors and others involved with their employee benefit plans or their administration within the scope of attorney-client privilege.

Assessments should take into account all existing required statutory, regulatory, and contractual controls and practices, documentation and other procedures.  In addition, organizations should consider the advisability of adopting other “best practice” safeguards or actions taking into account relevant agency guidance and resources,  government or other contracts, other industry or related standards, known and suspected breaches, “red flags” and threats, their own, their vendor and business partner and other risk profiles and experience, and other factors likely to be viewed as prudent under the circumstances.

In assessing, designing and administering the cybersecurity processes, organizations and their leaders should give due attention to assessing and addressing the adequacy of their internal and external controls to ensure the adequacy of their systems, processes, oversight and response practices and capabilities as of the time of the assessment and on an ongoing basis.  Beyond establishing required policies and formal controls, organization should ensure that their organizations have in place the necessary policies and practices to monitor and control cyberthreats arising from conduct and risks created by employees and other internal workforce, vendors and other parties interacting with the business and its operations.  As part of these efforts, most organizations will need to evaluate their contractual obligations and requirements for vendors, suppliers and others interacting with their businesses. Beyond general contractual compliance obligations, organizations should weigh requiring contractors, suppliers and other business partners to make specific commitments to maintain and monitor compliance and other risks, to provide timely notice and reports, to cooperate with audits and investigations necessary or advisable to respond to private or government complaints, government or other investigation, reporting or other requirements, their own compliance and risk assessments, audits and investigations and other compliance and risk management efforts.  Organizations also should give careful attention and review the adequacy of protections and responsibilities arising from contractual cybersecurity and breach notice, investigation, cooperation, indemnification,  insurance and other associated protections and cooperation.

Organizations also should consider establishing and administering processes for independent monitoring of regulatory, news, and other reports that could provide early warning of potential cybersecurity weaknesses, threats and breaches.

All processes should include appropriate governance, oversight and reporting to provide for ongoing monitoring and oversight necessary to identify and respond to evolving risks arising in the course of their operations as well as consistent practices for carefully documenting their compliance and risk management compliance efforts.

Because of the frequently high cost of breach investigation, response and mitigation, most organizations will want to consider securing cyber liability or other coverage, require vendors and other business partners to provide cyber liability indemnifications backed up with insurance or other adequate assurance of their ability to fulfill these financial responsibilities.

 More Information

We hope this update is helpful. For more information about or assistance with these or other workforce, internal controls and compliance or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.

Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, and author of the “Medical Privacy” Chapter in the BNA/ERISA Litigation Treatise, the “Other Torts Chapter” in the BNA/ABA E-Heath & Other Torts Treatise, “Privacy and the Pandemic Workshop” for the Association of State and Territorial Health Plans, as well as a multitude of other highly regarded data privacy and security, workforce and health care change and crisis management and other highly regarded publications and presentations, Ms. Stamer is widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on health and other privacy and data security and other health industry legal, public policy and operational concerns.

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer’s work throughout her 30 plus year career has focused heavily on working with private and public employer, health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns.  In the course of this work, she has had extensive involvement in the design, administration and defense of payroll, employee benefit, insurance, securities, trade secret and other confidential information and other internal and external record and data systems and processes as well as investigation, reporting, redress and mitigation of cyber and other incidents.

As a part of this work, she has continuously and extensively worked with domestic and international health and other employee benefit plans, their sponsors, fiduciaries, administrators, and insurers; managed care and insurance organizations; hospitals, health care systems, clinics, skilled nursing, long term care, rehabilitation and other health care providers and facilities; medical staff, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; EHR, claims, payroll and other technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, self-insured health and other employee benefit plans, their sponsors, fiduciaries, administrators and service providers, insurers and other payers, health industry advocacy and other service providers and groups and other health and managed care industry clients as well as federal and state legislative, regulatory, investigatory and enforcement bodies and agencies.  She also has extensive experience dealing with OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; JCHO and other accreditation and quality organizations; private litigation and other federal and state health care industry actions: regulatory and public policy advocacy; training and discipline; enforcement;  and other strategic and operational concerns.

American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting, current RPTE Welfare Benefit Committee Co-Chair and former Chair of its Fiduciary Responsibility, Plan Terminations and Distributions and Defined Contribution Plan Committees, a former JCEB Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former SHRM Consultants Board and Region IV Chair, former Texas Association of Business Board, BACPAC Board and Dallas Chapter Chair, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas.

Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here.

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE:   These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstance at any time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any situation and does not necessarily address all relevant issues. Because developments could impact the currency and completeness of this discussion, the author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.  Readers acknowledge and agree to the conditions of this Notice as a condition of their access of this publication.  Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein. ©2021 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™.

Comments Off on Federal Agencies Take Aim At Businesses, Benefit Plan Fiduciaries & Service Providers & Others With Lax CyberSecurity & CyberBreach Compliance; Build Defenses By Strengthening Internal & External Controls & Risk Managment | Association Health Plan, Corporate Compliance, corporate governance, Cybercrime, Cybersecurity, Data Breach, Data Security, EBSA, Employee Benefits, Employer, Employers, ERISA, fiduciary duty, Fiduciary Responsibility, Government Accountability, Government Contractors, government employer, government plan, group health plan, health benefit, Health Benefits, health Care, Health Care Fraud, Health Care Sharing Ministries, health insurance, health insurance marketplace, Health IT, health plan, Health Plans, health reform, HIPAA, HIPAA, Medicare Part D, multiple employer plan (Meps), Personal Health Records, Personal Health Recordss, Privacy, Protected Health Information, Public Policy, Retirement Plans, SEC | Permalink
Posted by Cynthia Marcotte Stamer

DOJ Omnicare/CVS Suit Highlights Potential Pharmacy Benefit Claims Abuse Exposure For Health Plans, Member Safety Risk

December 18, 2019

A civil health care fraud lawsuit filed by the Department of Justice (“DOJ”) in the U.S. District Court for the Southern District of New York today (December 17, 2019) against the nation’s largest long term care pharmacy provider, Omnicare, and its parent, CVS Healthcare Corporation may signal the advisability for insurers, fiduciaries, administrators and sponsors of insured and self-insured health and other benefit plans providing pharmacy benefits to tighten claims and audit past claims payments for prescription drug claims submitted by Omnicare and other CVS pharmacy providers as well as other pharmacy claims to the pharmacy possessed a valid, current prescription to dispense the drug.

Omnicare Complaint Highlights Potential Prescription Drug Fraud By Billing For Filling Expired Prescriptions

In its U.S. ex rel Bassan complaint in intervention (Omnicare and CVS) complaint DOJ joined by 29 states and the District of Colombia filed suit against Omnicare, and its parent company, CVS Healthcare Corporation for damages and civil penalties under the False Claims Act for fraudulently billing federal healthcare programs for hundreds of thousands of non-controlled prescription drugs that DOJ claims Omnicare illegally dispensed to elderly and disabled individuals in assisted living facilities, group homes, independent living communities, and other non-skilled residential long-term care facilities (“LTC facilities”) without a valid, current prescription..  The States of California, Colorado, Connecticut, Delaware, Florida, Georgia, Hawaii, Illinois, Indiana, Iowa, Louisiana, Maryland, Massachusetts, Michigan, Minnesota, Montana, Nevada, New Jersey, New Mexico, New York, North Carolina, Oklahoma, Rhode Island, Tennessee, Texas, Vermont, Virginia, Washington, Wisconsin, and the District Of Columbia are joining the DOJ in the complaint as co-plaintiffs.

Omnicare is the country’s largest provider of pharmacy services to LTC facilities.  It currently operates approximately 160 pharmacies in 47 states across the United States, which dispense tens of millions of prescription drugs to LTC facilities that serve elderly and disabled individuals.  CVS acquired Omnicare in May 2015, and shortly thereafter assumed an active role in overseeing Omnicare’s operations, including pharmacy dispensing practices and systems.

The DOJ complaint in the Federal District Court in Manhattan, New York charges that Omnicare illegally dispensed and billed the federal government and patients for antipsychotics, anticonvulsants, and antidepressants Omnicare dispensed to elderly and disabled residents in LTC facilities without proper prescriptions.   According to the DOJ complaint from 2010 until 2018, Omnicare and CVS allowed Omnicare pharmacies to dispense non-controlled prescription drugs to tens of thousands of elderly and disabled individuals living in LTC facilities based on prescriptions that had expired, were out of refills, or were otherwise invalid.  Omnicare repeatedly disregarded prescription refill limitations and expiration dates that required doctor visits to reevaluate whether the drug should be renewed.  Instead of requesting new prescriptions when old ones expired, Omnicare allowed prescriptions to “roll over.”  At Omnicare, “rolling over” a prescription meant that when a prescription expired, Omnicare’s computer systems would assign the old prescription a new number and the pharmacy would continue to dispense the drug indefinitely without the need for a prescription renewal.  Depending on the computer system used, DOJ claims Omnicare also sometimes assigned a fake number of authorized refills to a prescription – usually 99 allowable refills for Medicare patients – to allow for continuous refilling.  DOJ claims that Omnicare pharmacies “rolled over” prescriptions for elderly and disabled individuals living in more than 3,000 residential long-term care facilities, including assisted living facilities operated by the largest long-term care providers in the country, such as Brookdale Senior Living, Atria Senior Living, Sunrise Senior Living Services, and Five Star Senior Living. DOJ charges that Omnicare used these practices to refill prescriptions for patients after the required prescription for refill expired for months, and sometimes years, after the prescriptions expired.   The complaint alleged that Omnicare internally referred to these renumbered expired prescriptions as “rollover” prescriptions.

Many of the prescription drugs dispensed by Omnicare without valid prescriptions treat serious, chronic conditions, such as dementia, depression, and heart disease.  They include antipsychotics, anticonvulsants, cardiovascular medications, anti-depressants, and other drugs that can have dangerous side effects and need to be closely monitored by doctors, particularly when taken in combination with other drugs by elderly patients.

DOJ says these Omnicare practices of illegally dispensing drugs to elderly and disabled individuals living in LTC facilities exposed these vulnerable individuals to a significant risk of harm.  In contrast to traditional skilled nursing homes, where residents have access to 24-hour medical care supervised by doctors, assisted living and other non-skilled residential facilities offer more limited medical care, or none at all.  In particular, these LTC facilities generally do not have doctors on staff to oversee and monitor residents’ drug therapy.  By repeatedly dispensing potent drugs without current and valid prescriptions, Omnicare jeopardized the health and safety of tens of thousands of individuals who continued to take the same drugs for months, and sometimes years, without consulting their doctors to determine whether the medications were still clinically appropriate.

A large percentage of the long-term care residents served by Omnicare are beneficiaries of federal healthcare programs. The complaint charges that along with illegally filling the expired prescriptions, Omnicare knowingly transmitted false information to these federal healthcare programs that made it appear that drug dispensations were supported by current, valid prescriptions from physicians when in fact they were not.   By dispensing drugs without valid prescriptions, Omnicare presented, or caused to be presented, hundreds of thousands of false claims to Medicare, Medicaid, and TRICARE that were ineligible for payment in violation of the False Claims Act.  In fact, the complaint charges that Omnicare managers exerted pressure on overwhelmed pharmacy staff to fill prescriptions quickly so that Omnicare could submit claims and collect payments on these rollover claims.

Moreover, DOJ says that it possesses evidence that senior management at Omnicare and CVS knew of the practices.  The DOJ complaint charges among other things that the Omnicare’s Compliance Department succinctly acknowledged the problem in an internal April 2015 email in which one Regional Compliance Officer stated:  “An issue that I am running into more and more in multiple states concerns the ability of our systems to allow prescriptions to continue to roll after a year to a new prescription number without any documentation or pharmacist intervention.”  A compliance officer then forwarded the email to the head of Omnicare’s Third Party Audit group, who responded that she had a “potential solution (programmed last year) but no one is rolling it out now.”

In today’s announcement of the lawsuit, Manhattan U.S. Attorney Geoffrey S. Berman said:  “As alleged, Omnicare put at risk the health of tens of thousands of elderly and disabled individuals living in assisted living and other residential long-term care facilities by dispensing drugs for months, and sometimes years, without obtaining current, valid prescriptions from doctors.  A pharmacy’s fundamental obligation is to ensure that drugs are dispensed only under the supervision of treating doctors who monitor patients’ drug therapies.  Omnicare blatantly ignored this obligation in favor of pushing drugs out the door as quickly as possible to make more money.  This Office will continue to hold accountable those who put at risk people’s health and safety just to turn a profit.”

Meanwhile, HHS-OIG Special Agent in Charge Scott J. Lampert said:  “Failing to consult doctors as to whether prescriptions should be refilled places patients’ health and medical care at serious risk.  These automatic rollover refills could have significant consequences for vulnerable people in long term-care facilities.  We will continue working with law enforcement partners to protect people depending on these taxpayer-funded government health programs.”

Charges Suggest Potential Advisability For Plan Audit of Prescription Drug Charges To Confirm Supported By Valid Prescription For Dispensed Drugs

The charges made in the complaint filed against Omnicare highlight an area of claims payment eligibility not regularly verified by many pharmacy benefit and other health claims administrators when administering pharmacy benefit claims- the existence of a current valid prescription to support the dispensation of the billed prescription medication.  Except for pain management and certain other medications flagged by regulators or benefit systems as subject to heightened abuse risks, many plan administrators regularly take for granted existence of a current, valid script for many common, frequently issued and renewed, low cost prescriptions issued within frequency and other guidelines based upon the assumption that legal and ethical obligations of pharmacists and pharmacies under licensing, Drug Enforcement Agency and other rules generally provides adequate deterrence against abuses like those the DOJ accuses Omnicare of engaging in its complaint.  However, growing corporate or other nonprofessional ownership or management of pharmacies and their management coupled with very limited, virtually all complaint driven oversight of federal and state regulatory and ethical agencies is diminishing the frequency and effectiveness of such oversight.  As evidenced by the Omnicare complaint, scrupulous pharmacies may leverage opportunities allowed by this limited oversight to dispense and bill for commonly renewed prescription medication without proper orders in a manner that potentially places patients at risk at the expense of plans and their participants, beneficiaries, sponsors and insurers.  Plans, insurers, fiduciaries, plan sponsors and administrators concerned about these risks may want to use the Omnicare lawsuit announcement as an opportunity to educate plan members and their caregivers about the importance of monitoring prescriptions, their refills and claims for abuse; audit and encourage plan members and their caregivers of members with claims paid with respect to Omnicare and other pharmacy claims’ and take other steps to assess the adequacy and tighten as appropriate their existing pharmacy benefit review procedures for verification of the existence of a current, valid prescription to mitigate these exposures.  These exposures are further heightened by the widespread practice of outsourcing of pharmacy claims to prescription benefit management or other speciality pharmacy claims providers in many health plan designs including vendoirsand service providers owned or managed by parents or related companies of the pharmacy filling and billing for the scripts.

Health plan fiduciaries, administrators and sponsors that discover potential deficiencies in the validity of a prescription or other elements of a received or previously paid prescription benefit or other claim are cautioned to review and follow the applicable ERISA and for insured plans, state insurance, Patient Protection and Affordable Care Act (“ACA”) and contractual claims and appeals timelines and processes.  Failure to follow these requirements can undermine the enforceability of plan remedies as well as expose the plan, its insurer or fiduciary to administrative penalties and other liabilities.  Additionally, violations of the ACA mandated procedures also  in the case of employment based plans also could expose  the sponsoring employer or ubnion to liability for self reporting, self-assessment and payment of penalties under Internal Revenue Code Section 6039D.  Where relevant regulatory or contractual time periods for  denial have already expired either because the claim already was paid or the analysis otherwise was not timely completed in time to meet the deadline, plans may need to rely upon filing health care fraud or other avenues of relief in lieu of attempting to retroactively deny and recoup the questioned amounts in order to avoid violating the ACA and other rules.  Plan fiduciaries and administrators also may need to consider the applicability of offering  review by an independent medical review organization to fulfill ACA or other similar mandatesfor medical judgement based determinations.

More Information

We hope this update is helpful. For more information about this or other labor and employment developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.

Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

Scribe for the ABA JCEB Annual Agency Meeting with OCR, Vice Chair of the ABA International Section Life Sciences Committee, past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and the ABA RPTE Employee Benefits & Other Compensation Group, Ms. Stamer’s work throughout her 30 plus year career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns.  As a part of this work, she has continuously and extensively worked with domestic and international hospitals, health care systems, clinics, skilled nursing, long term care, rehabilitation and other health care providers and facilities; medical staff, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; EMR, claims, payroll and other technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, self-insured health and other employee benefit plans, their sponsors, fiduciaries, administrators and service providers, insurers and other payers, health industry advocacy and other service providers and groups and other health and managed care industry clients as well as federal and state legislative, regulatory, investigatory and enforcement bodies and agencies.

Ms. Stamer is most widely recognized for her decades-long leading edge work, scholarship and thought leadership on health and other privacy and data security and other health industry legal, public policy and operational concerns.  This  involvement encompasses helping health care systems and organizations, group and individual health care providers, health plans and insurers, health IT, life sciences and other health industry clients prevent, investigate, manage and resolve  sexual assault, abuse, harassment and other organizational, provider and employee misconduct and other performance and behavior; manage Section 1557, Civil Rights Act and other discrimination and accommodation, and other regulatory, contractual and other compliance; vendors and suppliers; contracting and other terms of participation, medical billing, reimbursement, claims administration and coordination, Medicare, Medicaid, CHIP, Medicare/Medicaid Advantage, ERISA and other payers and other provider-payer relations, contracting, compliance and enforcement; Form 990 and other nonprofit and tax-exemption; fundraising, investors, joint venture, and other business partners; quality and other performance measurement, management, discipline and reporting; physician and other workforce recruiting, performance management, peer review and other investigations and discipline, wage and hour, payroll, gain-sharing and other pay-for performance and other compensation, training, outsourcing and other human resources and workforce matters; board, medical staff and other governance; strategic planning, process and quality improvement; meaningful use, EMR, HIPAA and other technology,  data security and breach and other health IT and data; STARK, ant kickback, insurance, and other fraud prevention, investigation, defense and enforcement; audits, investigations, and enforcement actions; trade secrets and other intellectual property; crisis preparedness and response; internal, government and third-party licensure, credentialing, accreditation, HCQIA and other peer review and quality reporting, audits, investigations, enforcement and defense; patient relations and care;  internal controls and regulatory compliance; payer-provider, provider-provider, vendor, patient, governmental and community relations; facilities, practice, products and other sales, mergers, acquisitions and other business and commercial transactions; government procurement and contracting; grants; tax-exemption and not-for-profit; privacy and data security; training; risk and change management; regulatory affairs and public policy; process, product and service improvement, development and innovation, and other legal and operational compliance and risk management, government and regulatory affairs and operations concerns. to establish, administer and defend workforce and staffing, quality, and other compliance, risk management and operational practices, policies and actions; comply with requirements; investigate and respond to Board of Medicine, Health, Nursing, Pharmacy, Chiropractic, and other licensing agencies, Department of Aging & Disability, FDA, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; JCHO and other accreditation and quality organizations; private litigation and other federal and state health care industry actions: regulatory and public policy advocacy; training and discipline; enforcement;  and other strategic and operational concerns.

Author of leading works on HIPAA and a multitude of other health care, health plan and other health industry matters, the American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting and a former Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here such as:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc. disclaim, and have no responsibility to provide any update or otherwise notify anyone any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2019 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.

 

Comments Off on DOJ Omnicare/CVS Suit Highlights Potential Pharmacy Benefit Claims Abuse Exposure For Health Plans, Member Safety Risk | Association Health Plan, Claims, Claims Administration, Corporate Compliance, Employers, ERISA, fiduciary duty, Fiduciary Responsibility, Health Care Fraud, health plan, Health Plans, insurance fraud, pbms, pharmacy, Prescription Drugs, tpa | Tagged: , , , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

10 Former NFL Payers Charged With Defrauding NFL Retiree Health Fund

December 13, 2019

Ten former National Football League (NFL) players face prosecution for their alleged roles in a nationwide health care fraud scam that Justice Department prosecutors allegedly defrauded the Gene Upshaw NFL Player Health Reimbursement Account Plan (the “Plan)” by submitting more than $3.9 million in false and fraudulent claims between June 2017 and December 2018.

According to the charges brought in two separated indictments filed December 12, 2019 in the Eastern District of Kentucky, the charged players participated in a nationwide conspiracy that resulted in the submission of more than $3.9 million in false claims to the Plan, for which the Plan paid out over $3.4 million between June 2017 and December 2018.  See Buckhalter and Rogers Indictment; McCune et al Indictment.  The Plan established pursuant to the 2006 collective bargaining agreement between the NFL and payers provides a health care reimbursement account to reimburse up to a maximum of $350,000 per player of out-of-pocket medical care expenses a former player, his wife or dependents incurs not covered by insurance.

The indictments charge that the scheme to defraud involved the submission of false and fraudulent claims to the Plan for expensive medical equipment – typically between $40,000 and $50,000 for each claim never purchased or received.  The expensive medical equipment described on the false and fraudulent claims included hyperbaric oxygen chambers, cryotherapy machines, ultrasound machines designed for use by a doctor’s office to conduct women’s health examinations and electromagnetic therapy devices designed for use on horses.   The indictments reflect that no health care providers participated in the scheme.  Rather the players submitted these allegedly false charges without any health care provider participation.

Charged in the two separated indictments include the following former NFL players including five former Washington Redskins.  Those charged and the charges brought include the following:

  • Charges of one count of conspiracy to commit wire fraud and health care fraud, nine counts of wire fraud and nine counts of health care fraud brought against former NFL linebacker Robert McCune, McCune’s career included stints with the Washington Redskins, Miami Dolphins, Baltimore Ravens and Cleveland Browns between 2005 and 2009;
  • Charges of one count of conspiracy to commit wire fraud and health care fraud, two counts of wire fraud and two counts of health care fraud made against:
    • Former Washington Redskins cornerback  John Eubanks who was draft but only played as a practice squad player with the Washington Redskins in 2006-2017 season before going on to play in the Canadian Football League between 2009 and 20011;
    • Tamarick Vanover, a former NFL wide receiver the Kanas City Chiefs, San Diego Chargers and Las Vegas Posse  who was the Atlantic Coast Conference Rookie of the Year while playing for Florida State in 1992; and
    • Carlos Rogers, a former NFL cornerback drafted by the Washington Redskins, who also played for the San Francisco 49ers and Oakland Raiders;
  • Charges of one count of conspiracy to commit wire fraud and health care fraud, one count of wire fraud and one count of health care fraud against:
    • Clinton Portis, a former NFL running back best known for his years as a starting running back for the Washington Redskins, for seven seasons, who also played with the Denver Broncos during his 10 year NFL career;
    • Ceandris “C.C.” Brown, a former safety drafted by the Houston Texans in 2005 who after three seasons with Houston was signed by the New York Giants, Detroit Lions and Jacksonville Jaguars;;
    • James Butler, a former NFL safety for the New York Giants from 2005-2008 Seasons and with the St. Louis Rams from 2009-2012; and
    • Fredrick Bennett, a grid iron defensive back drafted by the Houston Texans in 2007 before being traded to the San Diego Chargers in 2010, the Cincinnati Bengals in 2010, and the Arizona Cardinals in 2011 before going on to play in the Canadian Football League from 2012 to 2016.  Bennett is currently a NFL free agent; and
  • Charges of one count of conspiracy to commit wire fraud and health care fraud against:
    • Correll Buckhalter, a former NFL running back who played with the Philadelphia Eagles from 2001 to 2008 and the Denver Broncos from 2009 to 2010;
    • Etric Pruitt, a former NFL special teams and safety who after having little playing time for most of his NFL career played a major role in Super Bowl XII while signed to the Seattle Seahawks.  In addition to his Seahawks stink in 2005, Pruitt also was signed with the Atlanta Falcons and Detroit Lions during his NFL career.

In addition to the charges brought Thursday, the Justice Department also has filed notice that it intends to file criminal charges alleging conspiracy to commit health care fraud in the Eastern District of Kentucky against the following individuals:

  • Joseph “Joe” Horn, a former NFL wide receiver who played with the Kansas City Chiefs, New Orleans Saints, and Atlanta Falcons between 1996 and 2007.  Horn made the Pro Bowl team four times and is a member of the New Orleans Saints Hall of Fame.  In 2001, Horn made headlines when he and 11 other former NFL plays sued the NFL alleging it failed to properly diagnose and treat head injuries that led to changes in the NFL policies regarding diagnosis and treatment of players for potential brain injuries and the establishment of a traumatic brain injury fund; ;and
  • Donald “Reche” Caldwell a former NFL wide receiver who during his six seasons in the NFL played with the Sand Diego Chargers, New England Patriots, Washington Redskins and St. Louis Rams.

According to allegations in the indictments, McCune, Eubanks, Vanover, Buckhalter, Rogers and others recruited other players into the scheme by offering to submit or cause the submission of these false and fraudulent claims in exchange for kickbacks and bribes that ranged from a few thousand dollars to $10,000 or more per claim submitted.  As part of the scheme, the defendants allegedly fabricated supporting documentation for the claims, including invoices, prescriptions and letters of medical necessity.  After the claims were submitted, McCune and Buckhalter allegedly called the telephone number provided by the Plan and impersonated certain other players in order to check on the status of the false and fraudulent claims.

The indictments reflect the Justice Department’s continuing commitment to investigate and prosecute health care fraud, including fraudulent dealings by plan members and others.of private employeer or union sponsored health plans. If convicted, the defendants could face significant prison sentences and probation and fines.

The Justice Department press release concerning the indictments quotes U.S. Attorney  for the Eastern District of Kentucky Robert M. Duncan Jr.,the Justice Department has “prioritized the investigation and prosecution of health care fraud in our office.” Meanwhile, FBI Special Agent in Charge  of the Miami Field Office George L. Piro is quoted as stating that “This investigation serves as an illustration of the rampant and deliberate scams against health care plans occurring daily throughout the country…”  in this case, these fraudsters pocketed money from the Gene Upshaw National Football League Health Reimbursement Account Plan that was intended for former NFL players who are ill or infirm.  Over 20 FBI field offices participated in this investigation which demonstrates the level of commitment we have to rooting out this type of fraud.”

In addition to the additional costs that employers can incur to fund health plan liabilities, taking prudent steps to detect, prevent and redress fraudulent health plan claims is considered part of the fiduciary duies of heatlh plan fiduciaries under the Employee Retirement Income Security Act.  Fiduciaries found to have failed to take such prudent actions risk personal liability fo rplan losses resulting from fraud committed against their health plans.

The NFL player indictments show taht prosecutions Alone or coupled with the hundreds of other fraud investigations and prosecuations that the Department of Justice and other federal and state agencies pursue each year, send a strong message that the Justice Department and other fedederal agencies stand ready to investigate nad prosecute health care fraud against private employer or union sponsored health plans, as well as fraud against Medicare, Mdicaid and other government programs.

More Information

We hope this update is helpful. For more information about this or other labor and employment developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.

Solutions Law Press, Inc. invites you receive future updates and join discussions about these and other human resources, health and other employee benefit and patient empowerment concerns by participating and contributing to the discussions in our Solutions Law Press Health Care Risk Management & Operations Group and registering for updates on our Solutions Law Press Website.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

A Fellow in the American College of Employee Benefit Counsel, as a primary focus of this work, Ms. Stamer has worked extensively with employer and union sponsored health and other employee benefit plans, insurers, third party administrators, plan fiduciaries and other health and other insured and self insured welfare plan, severance plans, defined contribution and other savings plans, defined benefit and other pension plans, incentive pay and deferred compensation programs and other employee benefit industry clients, employers and other plan sponsors, domestic and international health care providers, and as well as federal and state legislative, regulatory, investigatory and enforcement bodies and agencies.

Scribe for the ABA JCEB Annual Agency Meeting with OCR, Vice Chair of the ABA International Section Life Sciences Committee, past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, the ABA RPTE Employee Benefits & Other Compensation Group and its Welfare Benefits, Fiduciary Responsibiity and other Commitees, Ms. Stamer is noted for her decades-long leading edge work, scholarship and thought leadership on health,care, managed care and insurance, employee benefits, human resources and other workforce and related compliance and internal controls, policy and regulatory affairs, design and operations, and defense including 30 plus years experience working with clients on ERISA, insurance,  STARK, antikickback, and other fraud prevention, investigation, defense and enforcement; audits, investigations, and enforcement actions; trade secrets and other intellectual property; crisis preparedness and response; internal, government and third-party licensure, credentialing, accreditation, HCQIA and other peer review and quality reporting, audits, investigations, enforcement and defense; patient relations and care;  internal controls and regulatory compliance; payer-provider, provider-provider, vendor, patient, governmental and community relations; facilities, practice, products and other sales, mergers, acquisitions and other business and commercial transactions; government procurement and contracting; grants; tax-exemption and not-for-profit; privacy and data security; training; risk and change management; regulatory affairs and public policy; process, product and service improvement, development and innovation, and other legal and operational compliance and risk management, government and regulatory affairs and operations concerns. to establish, administer and defend workforce and staffing, quality, and other compliance, risk management and operational practices, policies and actions; comply with requirements; investigate and respond to Department of Justice, Department of Labor, Department of Health and Human Services, Department of Insurane, Board of Medicine, Health, Nursing, Pharmacy, Chiropractic, and other licensing agencies, Department of Aging & Disability, FDA, Drug Enforcement Agency, OCR state attorneys’ general and other federal and state agencies; JCHO and other accreditation and quality organizations; private litigation and other federal and state health care industry actions: regulatory and public policy advocacy; training and discipline; enforcement;  and other strategic and operational concerns.

Author of a multitude of highly regarded publications and programs on health and managed care fraud,and  other health care, health plan and other health benefit, health care, employee benefits and other related matters, the American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting and a former Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. For more information about Ms. Stamer or her health industry and other experience and involvements, see here or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

 

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc. disclaim, and have no responsibility to provide any update or otherwise notify anyone any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2019 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly

Comments Off on 10 Former NFL Payers Charged With Defrauding NFL Retiree Health Fund | Corporate Compliance, ERISA, fiduciary duty, Fiduciary Responsibility, health benefit, Health Benefits, health Care, Health Care Fraud, health insurance, health insurance marketplace, Health IT, health plan, Health Plans, health reform, insurance fraud | Permalink
Posted by Cynthia Marcotte Stamer