Verify ERISA Bonding Compliance

November 25, 2025

Health, retirement and other employee benefit plan fiduciaries, sponsors and service providers should confirm and document that all plan fiduciaries, service providers and other plan workforce members are properly bonded to protect the plan against fraud and dishonesty, as well as avoid incurring liability for breaching the fiduciary responsibility requirements of the Employee Retirement Income Security Act of 1974 (“ERISA”).

ERISA Requires Fidelity Bonding

ERISA imposes fidelity bonding requirements under ERISA §412 and 29 C.F.R. Part 2580 to protect plan assets against loss due to fraud or dishonesty. ERISA §412(a) requires that every fiduciary of an employee benefit plan and every person who ‘handles funds or other property’ of the plan must be bonded against loss resulting from fraud or dishonesty. The Department of Labor (“DOL”) regulations at 29 C.F.R. §2580.412‑6 define handling of funds to include physical contact, power to transfer, ability to sign checks, or supervisory authority over those who handle plan assets.

As ERISA’s bonding requirements are part of ERISA’s fiduciary responsibilities, failure to maintain bonding required by ERISA §412 constitutes a fiduciary breach under ERISA §404(a)(1)(A)-(B), which exposes fiduciaries breaching these obligations to DOL civil penalties, personal liability for losses arising from non‑compliance, and other liabilities.

Who Must Be Bonded

ERISA’s fidelity bonding requirement applies to two categories of persons:

  • Plan fiduciaries, and
  • Non‑fiduciaries who ‘handle’ plan funds within the meaning of 29 C.F.R. §2580.412‑6.

For purposes of determining the individuals and entities subject to ERISA’s bonding requirement, keep in mind that ERISA functionally defines a “fiduciary” as including any person that:

  • Exercises any discretionary authority or discretionary control respecting management of the plan or the management or disposition of its assets,
  • Renders investment advice for a fee or other compensation, direct or indirect, with respect to any moneys or other property of such plan, or has any authority or responsibility to do so, or
  • Has any discretionary authority or discretionary responsibility in the administration of such plan. See ERISA Section 3(21).

Consequently, if an individual or entity functionally possesses or exercises authority or responsibility over the plan or its assets, it is a fiduciary subject to the bonding and other fiduciary requirements of ERISA regardless of whether that party is a named fiduciary or disclaims fiduciary status in an agreement.

Likewise, the ERISA bonding requirement for parties that handle funds also is based on the functional realities. Under DOL Regulations, a person is deemed to handle plan assets if their role creates a risk of loss due to fraud or dishonesty. Examples include:

  • Physical possession of cash, checks, or assets.
  • Power to transfer assets or negotiate instruments.
  • Authority to sign checks or initiate electronic fund transfers.
  • Supervisory authority over individuals who handle assets.

Non‑fiduciary service providers and other members of the plan workforce who do not handle plan funds are not subject to ERISA §412. For instance, DOL Field Assistance Bulletin 2008‑04 states that third‑party administrators that do not control or possess plan assets and cannot authorize disbursements are not required to be bonded. Similarly, other nonfiduciary contractors providing legal, actuarial, consulting, claims‑processing, or IT services fall outside the bonding requirement unless they have direct authority over plan assets. See also 29 C.F.R. §2509.75‑8 without discretionary authority over plan assets generally does not ‘handle’ funds and therefore are not subject to ERISA §412 bonding unless they otherwise are named or function as fiduciaries.

When applying these distinctions for purposes of ERISA’s bonding rules, plan fiduciaries and service providers should look beyond contractual characterizations of the character and nature of the service provider and based their decision regarding whether to require and acquire a bond based on the functional realities. While non‑fiduciary service providers are only required to be bonded if they handle plan funds as defined by ERISA §412 and the DOL regulations, functionally evaluated, certain non‑fiduciary service providers sometimes become subject to bonding if their activities constitute functional “handling” of plan funds. For example:

  • A payroll vendor that transmits employee contributions is handling assets.
  • A recordkeeper with authority to initiate distributions must be bonded.

Conversely, a TPA adjudicating claims but without power to pay benefits is not required to be bonded. service providers and others granted functional authority that exposes plan assets to risk of loss are required to be bonded as individuals that handle funds.

When evaluating whether a service provider or other party “handles funds” for purposes of assessing the applicability of the ERISA bonding requirement in investigations or audits, the DOL usually asks if the party or its employees have:

  • Physical possession of Plan assets?
  • The power to obtain physical possession of plan assets?
  • The power to transfer assets?
  • The authority to disburse Plan funds directly or indirectly?
  • The authority to endorse checks?
  • The authority to make investments?

The DOL Enforcement Manual indicates that “handling” of Plan funds is indicated and bonding is required for each individual or party that (a) has any of these authorities or (b) if the assets are held by a corporate trustee, for any service provider or other party that can direct the payment of benefits or direct the investments to be made by the corporate trustee.

Bond Amount and Coverage Requirements

Where ERISA requires a fidelity bond, ERISA §412(a) and 29 C.F.R. §2580.412‑11 require that the fidelity bond must be at least 10% of the amount of plan funds handled by the individual in the preceding plan year, with a minimum of $1,000 and a default maximum of $500,000 per plan (or $1,000,000 for plans holding employer securities under §412(g)).

An ERISA fidelity bond is a specific type of insurance that protects the plan against losses caused by acts of fraud or dishonesty. The fidelity bond required under ERISA specifically insures a plan against losses due to fraud or dishonesty (e.g., theft) by persons who handle plan funds or property. Fraud or dishonesty includes, but is not limited to, larceny, theft, embezzlement, forgery, misappropriation, wrongful abstraction, wrongful conversion, willful misapplication, and other acts. Deductibles or other similar features are prohibited for coverage of losses within the maximum amount for which the person causing the loss is required to be bonded. While obtaining fiduciary liability insurance also generally is recommended, the bonding requirement is not satisfied by the purchase of fiduciary liability.

The fidelity bond purchased must fulfill the specific requirements of ERISA. For instance, the bond should be issued by a bonding company listed in Treasury Circular 570 and must cover the Plan for loss due to fraud or dishonesty as defined in 29 C.F.R. §2580.412‑9. Fiduciaries should confirm the bond provides for payment to the Plan in the event of loss, name the Plan as an “insured” and have the pay over rider attached unless the Plan is the sole insured under the bond. The definition of employee in the bond must cover all persons who “handle” funds including officers, directors, trustees, employees and the other parties required to be covered by the bond. If the bond contains a deductible, an elimination of deductible rider with the respect to the plan also is needed. Since bonds purchased by third party administrators, financial advisors or other plan service providers to meet state law or professional standards generally do not fulfill these and other ERISA requirements, plans generally should require specific contractual assurances to comply with the ERISA bonding requirements and should obtain and confirm the adequacy of the bonds for service providers and others subject to ERISA bonding requirements.

Liability For ERISA Bonding Violations

Failure to secure a fidelity bond under ERISA can lead to significant legal and financial consequences. Plan sponsors and fiduciaries are required by ERISA to obtain a fidelity bond to protect employee benefit plans from losses due to fraud or dishonesty. Noncompliance can lead to a range of consequences, including auditors’ admonitions, court mandates for removal as plan fiduciaries, plan fiduciary personally liability for losses that should have been covered by a fidelity bond, and EBSA administrative penalties for breach of fiduciary duty. See DOL’s Protect Your Employee Benefit Plan With A Fidelity Bond; Getting It Right: Know Your Fiduciary Responsibilities.

Managing Bonding And Bonding Risks

To avoid violating the bonding requirements, fiduciaries and service providers should both review service agreements and the functional realities to confirm whether any party “handles” funds and to ensure compliance with ERISA bonding requirements.

Service providers that engage in the performance of activities that involve or are likely to be recharacterized as involving the exercise of discretion or the handling of funds should give serious consideration to arranging to maintain a fidelity bond that meets ERISA’s requirement, whether or not the service provider acknowledges or disclaims its status as a fiduciary or handler of plan funds.

Since noncompliance with the bonding requirement is a breach of the fiduciary responsibility requirements of ERISA that could render the fiduciary personally liable for unbonded losses, plan fiduciaries generally should conduct and retain a documented analysis capturing their consideration of whether they and other fiduciaries, service providers, and other members of the plan workforce ar required to be bonded and if so, the actions taken to require and monitor compliance with applicable bonding requirements. Examples of best practices include:

  • Include bonding requirements in plan documents and contracts;
  • Conduct and maintain a documented assessment of the applicability of the bonding requirements when appointing or renewing the appointment of a fiduciary, third party service provider or workforce member to participate in the management or operations of the plan or its assets; and
  • Obtain and review bonds obtained to cover fiduciaries and service providers to verify their currency and adequacy;

When the factual realities raise the possibility that an individual or a party might possess or exercise fiduciary discretion or handle funds, fiduciaries generally will want to err in favor of requiring bonding to protect the plan and to protect themselves against the personal liability that can arise under ERISA Section 502(l) for violation of the bonding requirements, unbonded plan losses arising from fraud or loss by the service provider or both.

About the Author

Cynthia Marcotte Stamer is a Martindale-Hubble AV-Preeminent (highest/top 1%) practicing attorney recognized as a “Top Woman Lawyer,” “Top Rated Lawyer,” and “LEGAL LEADER™” in Health Care Law and Labor and Employment Law; among the “Best Lawyers In Dallas” in “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law recognized for her experience, scholarship, thought leadership and advocacy on health and other employee benefits, insurance, healthcare, workforce, HIPAA and other data and technology and other compliance in connection with her work with health care and life sciences, employee benefits, insurance, education, technology and other highly regulated and performance-dependent clients.

Board certified in labor and employment law by the Texas Board of Legal Specialization and a Fellow in the American College of Employee Benefits Counsel, Ms. Stamer is nationally recognized for her decades of leading edge experience on the design, sponsorship, administration and defense of health and other employee benefit, workforce, insurance, healthcare , data and technology and other operations to promote legal and operational compliance, reduce regulatory and other liability and promote other operational goals.

Along with her decades of legal and strategic consulting experience, Ms. Stamer also contributes her leadership and experience to many professional, civic and community organizations. She currently serves as Co-Chair of the ABA Real Property Trusts and Estates (“RPTE”) Section Welfare Plan Committee, Co-Chair of the ABA International Section International Employment Law Committee and its Annual Meeting Program Planning Committee, Chair Emeritus and Vice Chair of the ABA Tort Trial and Insurance (“TIPS”) Section Medicine and Law Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee. She also has served as Scribe for the Joint Committee on Employee Benefits (“JCEB”) annual agency meetings with the Department of Health and Human Services and JCEB Council Representative, International Section Life Sciences Committee Chair, RPTE Section Employee Benefits Group Chair and a Substantive Groups Committee Member, Health Law Section Managed Care & Insurance Interest Group Chair, as TIPS Section Medicine and Law Committee Chair and Employee Benefits Committee and Workers Compensation Committee Vice Chair, Tax Section Fringe Benefit Committee Chair, and in various other ABA leadership capacities. Ms. Stamer also is a former Southwest Benefits Association Board Member and Continuing Education Chair, SHRM National Consultant Board Chair and Region IV Chair, Dallas Bar Association Employee Benefits Committee Chair, former Texas Association of Business State, Regional and Dallas Chapter Chair, a founding board member and Past President of the Alliance for Healthcare Excellence, as well as in the leadership of many other professional, civic and community organizations. She also is recognized for her contributions to strengthening health care policy and charitable and community service resolving health care challenges performed under PROJECT COPE Coalition For Patient Empowerment initiative and many other pro bono service involvements locally, nationally and internationally.

Ms. Stamer is the author of many highly regarded works published by leading professional and business publishers, the ABA, the American Health Lawyers Association, and others. Ms. Stamer also frequently speaks and serves on the faculty and steering committee for many ABA and other professional and industry conferences and conducts leadership and industry training for a wide range of organizations.

For more information about Ms. Stamer or her health industry and other experience and involvements, see http://www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press™

Solutions Law Press™ provides health care, insurance, human resources and employee benefit, data and technology, regulatory and operational performance, and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education. These include extensive resources on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press™ resources or training.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or admission. Solutions Law Press and its authors reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. Solutions Law Press and its authors disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2025 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press.™ For information about licensing for republication, please contact the author directly. All other rights reserved.

Comments Off on Verify ERISA Bonding Compliance | 401(k), Corporate Compliance, ERISA, Fiduciary Responsibility, group health plan, health plan, Health Plans, retirement plan, Retirement Plans, Retirements, self insured health plan | Tagged: , , , , | Permalink
Posted by Cynthia Marcotte Stamer

DOJ Sues Medicare Advantage Insurers & CVS Under False Claims Act & Antikickback Statute

May 5, 2025

The Department of Justice is suing three of the nation’s largest health insurance companies — Aetna Inc. and affiliates, Elevance Health Inc. (formerly known as “Anthem”), and Humana Inc., CVS Health Corporation, and three large insurance broker organizations — eHealth, Inc. and an affiliate, GoHealth, Inc., and SelectQuote Inc. for violating the False Claims Act (“FCA”) and Antikickback Statute. In the second complaint of its kind in recent months, the Justice Department complaint in ex rel. Shea v. eHealth, et al., No. 21-cv-11777 (D. Mass. May 5, 2025) accuses the defendants of paying or receiving kickbacks to steer Medicare Advantage enrollees to the defendant insurers.

Medicare Advantage Antikickback & False Claims Rules

Under the Medicare Advantage (“MA”) Program, also known as Medicare Part C, Medicare beneficiaries may choose to enroll in health care plans (MA plans) offered by private insurance companies, like defendants Aetna, Anthem, and Humana. Many Medicare beneficiaries rely on insurance brokers to help them choose an MA plan that best meets their individual needs.

Under the FCA, private parties can file an action on behalf of the United States and receive a portion of the recovery. The FCA permits the United States to intervene in and take over the action, as it has done here. If a defendant is found liable for violating the FCA, the United States may recover three times the amount of its losses plus applicable penalties

In a lawsuit originally filed by a former eHealth employee as a qui tam whistleblower complaint, the Justice Department charges that the defendant insurers paid hundreds of millions of dollars in illegal kickbacks to the defendant brokers in exchange for enrollments into the insurers’ Medicare Advantage plans from 2016 through at least 2021. Rather than acting as unbiased stewards, the Justice Department charges that the defendant brokers allegedly directed Medicare beneficiaries to the plans offered by insurers that paid brokers the most in kickbacks, regardless of the suitability of the MA plans for the beneficiaries.

According to the complaint, the broker organizations incentivized their employees and agents to sell plans based on the insurers’ kickbacks, set up teams of insurance agents who could sell only those plans, and at times refused to sell MA plans of insurers who did not pay sufficient kickbacks.

The Justice Department also alleges that Aetna and Humana each conspired with the broker defendants to discriminate against Medicare beneficiaries with disabilities whom they perceived to be less profitable. Aetna and Humana allegedly did so by threatening to withhold kickbacks to pressure brokers to enroll fewer disabled Medicare beneficiaries in their plans.

The Justice Department further alleges that, in response to these financial incentives from Aetna and Humana, the defendant brokers or their agents rejected referrals of disabled beneficiaries and strategically directed disabled beneficiaries away from Aetna and Humana plans.

Commonwealth Care Alliance Prior Kickback Settlement

The eHealth suit against the defendants is not first of its kind. In January, 2025, the Justice Department announced that MA Program insurer Commonwealth Care Alliance, Inc. (“CCA”) agreed to pay $520,355.65 to resolve allegations that Reliance HMO, Inc. (“Reliance”), a company CCA acquired in 2022, violated the FCA by providing cash payments to induce the referral of Medicare beneficiaries to enroll in Reliance’s Medicare Advantage Plan in violation of the Anti-Kickback Statute after CCA voluntarily self-disclosed the conduct to the U.S. Attorney’s Office.

In April 2019, CMS authorized Reliance to operate a MA plan for Medicare beneficiaries in Michigan, with beneficiaries receiving coverage starting in January 2020. On March 31, 2022, CCA announced the completion of its acquisition of a 70% stake in Reliance. After the acquisition, CCA identified concerns regarding certain marketing-related outreach and payments that Reliance agents had made to personnel at physician practices. In particular, CCA disclosed two schemes.

First, from April 12, 2019, through December 22, 2020, Reliance provided cash payments to healthcare professionals and administrative staff in physician practices, in exchange for providing Reliance with the contact information for patients who had agreed, through executing so-called “permission to contact” cards, to be contacted by Reliance regarding its MA plan offerings.

Second, in November 2019, prior to Reliance’s MA plan becoming active, Reliance paid each of four physicians and physician practices $2,500, which Reliance characterized as advances on “coordination of care” services to be provided by the physicians to beneficiaries when the MA plan became active in 2020.

The Justice Department alleged these payments were intended to induce the referral, recommendation, or arrangement of enrollment of Medicare beneficiaries in Reliance’s MA plan. Such payments, the United States alleges, were impermissible kickbacks in violation of the False Claims Act.

The CCA settlement resolved these charges. The settlement gave CCA credit for voluntarily self-disclosing this conduct to the Justice Department; taking remedial measures, including terminating the employees directly involved with the decision to offer the prohibited payments; and providing the United States with a detailed written statement describing its investigation, along with other supplemental information to assist the United States in its investigation.

Alleged Medicare Advantage Insurer Risk Adjustment Padding

Medicare Advantage insurers also are under investigation by the Justice Department for other alleged abuses. The Justice Department recently has investigated certain Medicare Advantage insurers for alleged manipulation of risk data to increase their capitated payments from Medicare. For Instance, the Justice Department recently sued MA Program insurer Independent Health Association and its affiliate, Independent Health Corporation (collectively, “Independent Health”) for allegedly illegally manipulating risk data used to set risk adjustment rates paid by Medicare to their Medicare Advantage plans in United States ex rel. Ross v. Independent Health Association et al., No. 12-CV-0299(S) (WDNY). To settle the litigation, Independent Health agreed to pay up to $98 million to resolve allegations that it violated the False Claims Act by knowingly submitting or causing the submission of invalid diagnosis codes to Medicare for Medicare Advantage Plan enrollees to increase payments that Independent Health received from Medicare. Under the terms of the settlement, Independent Health promised to make guaranteed payments of $34,500,000 and contingent payments of up to $63,500,000 on behalf of itself and DxID, which ceased operations in 2021. Its Chief Executive Officer separately agreed to pay $2,000,000. In addition, Independent Health entered into a five-year corporate integrity agreement (“CIA”) with HHS-OIG that requires among other things, that Independent Health hire an Independent Review Organization to annually review a sample of Independent Health’s Medicare Advantage patients’ medical records and associated internal controls to help ensure appropriate risk adjustment payments.

The Justice Department touts all of these and other investigations and enforcement actions against Medicare Advantage insurers as demonstrating its commitment to hold Medicare Advantage insurers and brokers accountable for kickbacks or other misconduct. In the Justice Department’s press release about the e-Health litigation, Deputy Assistant Attorney General Michael Granston of the Justice Department’s Civil Division. “We are committed to rooting out illegal practices by Medicare Advantage insurers and insurance brokers that undermine the interests of federal health care programs and the patients they serve.”

Risks For Insurers, Brokers, Health Plans & Fiduciaries

These and other actions send a strong warning to insurers and brokers to abstain from prohibited risk adjustment, kickbacks, or other prohibited conduct. Brokers and insurers also should keep in mind that these activities- whether in connection with the sale of Medicare Advantage or other insurance products Past history demonstrates that these activities carry risks beyond the Antikickback Statute and False Claims Act. They also can create exposures under other federal or state laws. The 2004 bid rigging prosecution of Marsh & McClennon by then New York Attorney General Elliott Spitzer is illustrative. On October 14, 2004, then New York State Attorney General Eliot Spitzer sued Marsh & McClennan and Marsh, Inc. (“Marsh”) for bid rigging and violation of various other state laws through its compensation arrangements between Marsh and several insurance companies, and bidding manipulation by Marsh. The largest U.S. insurance broker at the time, Marsh agreed in January 2005 to pay $850 million and end improper bid-rigging in a civil settlement with Spitzer. Attorney General Spitzer also brought criminal charges against individuals involved, some of which produced several guilty pleas. The last of these criminal prosecutions dragged on until 2011, when the New York Attorney General finally dismissed the remaining criminal charges against former Marsh executive marketing director William Gilman and former Marsh global placement director Edward McNenney. Marsh and others also faced charges in other states and private litigation from the scandal.

Kickbacks or other inappropriate compensation arrangements between insurers, brokers or other plan service providers also can create issues for health plan fiduciaries, sponsors, brokers and advisors. Self-insured health plan sponsors, fiduciaries, administrators and their consultants, brokers and insurers also should keep in mind that practices like those challenged in the Justice Department actions also are likely to raise concerns under the fiduciary responsibility and prohibited transaction rules of the Employee Retirement Income Security Act of 1974 (“ERISA”). Consequently, employer and other plan sponsors, their fiduciaries, and their brokers and advisors may wish to visit with experienced legal counsel about the advisability of conducting due diligence into the past, current, or future plan vendor relationships with their own programs.

The Justice Department is touting the lawsuit as an example of its commitment to hold Medicare Advantage insurers and brokers accountable for kickbacks or other misconduct. In the Justice Department’s press release about the action, Deputy Assistant Attorney General Michael Granston of the Justice Department’s Civil Division. “We are committed to rooting out illegal practices by Medicare Advantage insurers and insurance brokers that undermine the interests of federal health care programs and the patients they serve.”

 More Information Or Help

We hope this update is helpful. For more information about these or other health or other employee benefits, human resources, insurance, or health care legal developments, please contact the author, Cynthia Marcotte Stamer, via e-mail or telephone at (214) 452-8297.

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating in and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Cynthia Marcotte Stamer is a Martindale-Hubble AV-Preeminent (highest/top 1%) practicing attorney recognized as a “Top Woman Lawyer,” “Top Rated Lawyer,” and “LEGAL LEADER™” in Health Care Law and Labor and Employment Law; among the “Best Lawyers In Dallas” in “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law recognized for her experience, scholarship, thought leadership and advocacy on health and other employee benefits, insurance, healthcare, workforce, HIPAA and other data and technology and other compliance in connection with her work with health care and life sciences, employee benefits, insurance, education, technology and other highly regulated and performance-dependent clients.

Board certified in labor and employment law by the Texas Board of Legal Specialization and a Fellow in the American College of Employee Benefits Counsel, Ms. Stamer is nationally recognized for her decades of leading edge experience on the design, sponsorship, administration and defense of health and other employee benefit, workforce, insurance, healthcare , data and technology and other operations to promote legal and operational compliance, reduce regulatory and other liability and promote other operational goals.

Along with her decades of legal and strategic consulting experience, Ms. Stamer also contributes her leadership and experience to many professional, civic and community organizations. She currently serves as Co-Chair of the ABA Real Property Trusts and Estates (“RPTE”) Section Welfare Plan Committee, Co-Chair of the ABA International Section International Employment Law Committee and its Annual Meeting Program Planning Committee, Chair Emeritus and Vice Chair of the ABA Tort Trial and Insurance (“TIPS”) Section Medicine and Law Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee. She also has served as Scribe for the Joint Committee on Employee Benefits (“JCEB”) annual agency meetings with the Department of Health and Human Services and JCEB Council Representative, International Section Life Sciences Committee Chair, RPTE Section Employee Benefits Group Chair and a Substantive Groups Committee Member, Health Law Section Managed Care & Insurance Interest Group Chair, as TIPS Section Medicine and Law Committee Chair and Employee Benefits Committee and Workers Compensation Committee Vice Chair, Tax Section Fringe Benefit Committee Chair, and in various other ABA leadership capacities. Ms. Stamer also is a former Southwest Benefits Association Board Member and Continuing Education Chair, SHRM National Consultant Board Chair and Region IV Chair, Dallas Bar Association Employee Benefits Committee Chair, former Texas Association of Business State, Regional and Dallas Chapter Chair, a founding board member and Past President of the Alliance for Healthcare Excellence, as well as in the leadership of many other professional, civic and community organizations. She also is recognized for her contributions to strengthening health care policy and charitable and community service resolving health care challenges performed under PROJECT COPE Coalition For Patient Empowerment initiative and many other pro bono service involvements locally, nationally and internationally.

Ms. Stamer is the author of many highly regarded works published by leading professional and business publishers, the ABA, the American Health Lawyers Association, and others. Ms. Stamer also frequently speaks and serves on the faculty and steering committee for many ABA and other professional and industry conferences and conducts leadership and industry training for a wide range of organizations.

For more information about Ms. Stamer or her health industry and other experience and involvements, see http://www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press™

Solutions Law Press™ provides health care, insurance, human resources and employee benefit, data and technology, regulatory and operational performance, and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education. These include extensive resources on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press™ resources or training.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or admission. Solutions Law Press and its authors reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. Solutions Law Press and its authors disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2025 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press.™ For information about licensing for republication, please contact the author directly. All other rights reserved.

Comments Off on DOJ Sues Medicare Advantage Insurers & CVS Under False Claims Act & Antikickback Statute | compliance, Corporate Compliance, Discrimination, false claims act, health benefit, Health Benefits, health insurance, health insurance marketplace, health plan, Health Plans, Insurance, insurance fraud, Managed Care, Medicare Advantage, pharmacy | Permalink
Posted by Cynthia Marcotte Stamer

2026 HRA Inflation Adjustments Announced

May 4, 2025

The Internal Revenue Service (“IRS”) published advanced notice of the 2026 inflation adjusted amounts for Health Savings Accounts (“HSAs”) § 223 of the Internal Revenue Code (“Code”) and the maximum amount that may be made newly available for excepted benefit health reimbursement arrangements (HRAs) provided under § 54.9831-1(c)(3)(viii) of the Pension Excise Tax Regulations.

In calendar year 2026, these amounts are as follows:

  • The annual limitation on deductions under § 223(b)(2) for an individual with coverage under a high deductible health plan for self-only is $4,400 and for family coverage under a high $8,750.
  • A “high deductible health plan” under § 223(c)(2)(A) will be defined as a health plan with an annual deductible that is not less than $1,700 for self-only coverage or $3,400 for family coverage, and for which the annual out-of-pocket expenses (deductibles, co-payments, and other amounts, but not premiums) do not exceed $8,500 for self-only coverage or $17,000 for family coverage.
  • For plan years beginning in 2026, the maximum amount that may be made newly available for the plan year for an excepted benefit HRA under Code § 54.9831-1(c)(3)(viii) is $2,200.

Revenue Procedure 2025-19  will be officially published in the May 19, 2025 Federal Register.

For More Information Or Help

We hope this update is helpful. For more information about these or other health or other employee benefits, human resources, or health care developments, please contact the author, Cynthia Marcotte Stamer, via e-mail or telephone at (214) 452-8297.

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating in and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Cynthia Marcotte Stamer is a Martindale-Hubble AV-Preeminent (highest/top 1%) practicing attorney recognized as a “Top Woman Lawyer,” “Top Rated Lawyer,” and “LEGAL LEADER™” in Health Care Law and Labor and Employment Law; among the “Best Lawyers In Dallas” in “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law recognized for her experience, scholarship, thought leadership and advocacy on HIPAA and other data and technology use, security and compliance in connection with her work with health care and life sciences, employee benefits, insurance, education, technology and other highly regulated and performance-dependent clients.

Board certified in labor and employment law by the Texas Board of Legal Specialization and a Fellow in the American College of Employee Benefits Counsel, Ms. Stamer is nationally recognized for her decades of leading edge experience on the design, sponsorship, administration and defense of health and other employee benefit, workforce, data and technology and other operations to promote legal and operational compliance, reduce regulatory and other liability and promote other operational goals.

Along with her decades of legal and strategic consulting experience, Ms. Stamer also contributes her leadership and experience to many professional, civic and community organizations. She currently serves as Co-Chair of the ABA Real Property Trusts and Estates (“RPTE”) Section Welfare Plan Committee, Co-Chair of the ABA International Section International Employment Law Committee and its Annual Meeting Program Planning Committee, Chair Emeritus and Vice Chair of the ABA Tort Trial and Insurance (“TIPS”) Section Medicine and Law Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee. She also has served as Scribe for the Joint Committee on Employee Benefits (“JCEB”) annual agency meetings with the Department of Health and Human Services and JCEB Council Representative, International Section Life Sciences Committee Chair, RPTE Section Employee Benefits Group Chair and a Substantive Groups Committee Member, Health Law Section Managed Care & Insurance Interest Group Chair, as TIPS Section Medicine and Law Committee Chair and Employee Benefits Committee and Workers Compensation Committee Vice Chair, Tax Section Fringe Benefit Committee Chair, and in various other ABA leadership capacities. Ms. Stamer also is a former Southwest Benefits Association Board Member and Continuing Education Chair, SHRM National Consultant Board Chair and Region IV Chair, Dallas Bar Association Employee Benefits Committee Chair, former Texas Association of Business State, Regional and Dallas Chapter Chair, a founding board member and Past President of the Alliance for Healthcare Excellence, as well as in the leadership of many other professional, civic and community organizations. She also is recognized for her contributions to strengthening health care policy and charitable and community service resolving health care challenges performed under PROJECT COPE Coalition For Patient Empowerment initiative and many other pro bono service involvements locally, nationally and internationally.

Ms. Stamer is the author of many highly regarded works published by leading professional and business publishers, the ABA, the American Health Lawyers Association, and others. Ms. Stamer also frequently speaks and serves on the faculty and steering committee for many ABA and other professional and industry conferences and conducts leadership and industry training for a wide range of organizations.

For more information about Ms. Stamer or her health industry and other experience and involvements, see http://www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press™

Solutions Law Press™ provides health care, insurance, human resources and employee benefit, data and technology, regulatory and operational performance, and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education. These include extensive resources on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press™ resources or training.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or admission. Solutions Law Press and its authors reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. Solutions Law Press and its authors disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2025 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press.™ For information about licensing for republication, please contact the author directly. All other rights reserved.

Comments Off on 2026 HRA Inflation Adjustments Announced | Cafeteria Plans, Corporate Compliance, Employee Benefits, Employer, Employers, health benefit, Health Benefits, health Care, health plan, Health Plans, HR, HSA, Human Resources | Tagged: , , , , , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

Another Large HIPAA Settlement Warns Health Plans & Other HIPAA Entities To Analyze & Manage Their Hacking & Other Data Susceptibilities

April 24, 2025

Conduct an appropriate risk analysis and take the required steps to protect your electronic health records from phishing and other hacking threats by conducting a thorough risk analysis and otherwise cleaning up your Health Insurance Portability and Accountability Act of 1996 compliance!  That’s the clear message to the Department of Health and Human Services Office of Civil Rights (“OCR”) warns health plans and insurers, health care providers, health care clearinghouses (“Covered Entities”) and their business associates (collectively “Regulated Entities”) to learn from the $600,000 HIPAA Privacy, Security, and Breach Notification Rules (“HIPAA Rules”) settlement with Southern California health care network PIH Health, Inc. (“PIH”) the Department of Health & Human Services Office of Civil Rights (“OCR”) announced on April 23, 2025 and the deluge of other ongoing hacking-related HIPAA investigations OCR still is working to resolve.

Phishing & Other Hacking Events Common Cause of Health Plan Breaches

Hacking incidents present a significant cybersecurity threat to health plans and other Regulated Entities’ electronic health and other data.  Phishing and other hacking attacks are among the most common types of large breaches reported to OCR every year. Over the past five years, there has been a 256% increase in large breaches reported to OCR involving hacking and a 264% increase in ransomware. In 2023, hacking accounted for 79% of the large breaches reported to OCR. 

Phishing and other hacking-related breaches regularly result in OCR’s collection of high-dollar settlements and other costly enforcement actions against health plans and other Regulated Entities. See e.g., HHS Office for Civil Rights Settles with L.A. Care Health Plan Over Potential HIPAA Security Rule Violations (September 11, 2023); Voluntary Resolution Agreement Between The United States Department of Health and Human Services, Office for Civil Rights (“HHS”) and UnitedHealthcare Insurance Company (August 24, 2023); Aetna Pays $1,000,000 to Settle Three HIPAA Breaches (October 28, 2020); Health Insurer Pays $6.85 Million to Settle Data Breach Affecting Over 10.4 Million People (September 25, 2020); nthem pays OCR $16 Million in record HIPAA settlement following largest health data breach in history (October 15, 2018).

The breach and enforcement actions are continuing in 2025. OCR already has announced numerous hacking-related settlements in the first quarter of 2025. See HHS Office for Civil Rights Settles HIPAA Ransomware Cybersecurity Investigation with Public Hospital (April 17, 2025); HHS Office for Civil Rights Settles HIPAA Security Rule Investigation with Northeast Radiology (April 4, 2025); HHS’ Office for Civil Rights Settles HIPAA Security Rule Investigation with Health Fitness Corporation (March 21, 2025); HHS Office for Civil Rights Imposes a $200,000 Penalty Against Oregon Health & Science University; HHS Office for Civil Rights Imposes a $1,500,000 Civil Money Penalty Against Warby Parker in HIPAA Cybersecurity Hacking Investigation (February 20, 2025); HHS Office for Civil Rights Settles HIPAA Phishing Cybersecurity Investigation with Solara Medical Supplies, LLC for $3,000,000 (January 14, 2025); HHS Office for Civil Rights Settles 9th Ransomware Investigation with Virtual Private Network Solutions (January 7, 2025).

Look for more of these enforcement actions to emerge soon. Between January 1 and April 23, 2025 alone, OCR received 161 hacking-related breach reports from Regulated Entities. OCR’s Breach Portal indicates that on April 23, 2025, OCR had a total of 554 open hacking-related breach investigations, 506 involving health care providers, 47 involving health plans, and one involving a health care clearinghouse.

Health plans and other Regulated Entities will want to take appropriate actions to avoid becoming subject to breaches subjecting them to these investigations and enforcement actions, particularly with OCR Acting Director Anthony Archeval warninghealth plans and other Regulated Entities:

Ransomware and hacking are the primary cyber-threats to electronic protected health information within the health care industry. Failure to conduct a HIPAA risk analysis puts this information at risk and vulnerable to future ransomware attacks and other cyber-threats[.]

Duty To Analyze & Manage Hacking & Other Susceptibilities

The HIPAA Privacy, Security, and Breach Notification Rules require Regulated Entities to take specific actions as warranted by their threat susceptibility to protect the privacy and security of electronic protected health information (“ePHI”) from hacking and other improper access, destruction, or disclosure. At the heart of these requirements is the requirement that health plans and other Regulated Entities conduct documented risk analyses of their assessment of the susceptibility information of their ePHI to hacking and other threats. As reflected in the following table of current HIPAA sanctions, violation of these HIPAA requirements exposes a Regulated Entity to significant civil monetary penalties or criminal sanctions.

The HIPAA Security Rule requires a Regulated Entity to conduct an “accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI” and “[i]mplement policies and procedures to prevent, detect, contain, and correct security violations.” Meanwhile, the HIPAA Breach Notification Rule requires in 45 CFR § 164.402 that a Regulated Entity that experiences an impermissible acquisition, access, use, or disclosure (“breach”) of unsecured ePHI to conduct a documented risk assessment to determine whether the Regulated Entity must notify affected individuals, OCR and in the case of breaches involving the ePHI of 500 or more individuals, the media. OCR interprets these Rules together also to require Regulated Entities experiencing a breach of ePHI or having evidence putting the Regulated Entity on notice of a potential susceptibility creating a risk of a breach as triggering a duty by the Regulated Entity to conduct a Risk Assessment to assess the susceptibility of its ePHI to the risk and the actions reasonably necessary to mitigate it under the Security Rule.

OCR views Risk Analysis as foundational to the protection of ePHI. Consequently, OCR constantly has urged Regulated Entities to fulfill their Risk Analysis obligations since the earliest days of HIPAA in its guidance and educational outreach, as well as by regularly discussing the requirement and role of Risk Analysis deficiencies in creating the circumstances leading to enforcement actions against Regulated Entitles in its civil monetary penalty assessments and HIPAA settlement announcements.

Despite OCR’s constant and ever-rising efforts to promote compliance with the Risk Analysis requirements, however, OCR consistently has found deficiencies in Regulated Entities’ Risk Analysis in its breach investigations and audit findings since these rules became effective. As the number and magnitude of reported breaches of ePHI skyrocketing and massive breaches like those experienced in 2024 by UnitedHealthcare subsidiary Change Health, Ascension and others demonstrating the serious consequences ransomware and other cyberattacks can inflict on health care delivery, payment, and patient privacy, OCR is placing new emphasis on tightening both the requirements for Risk Analysis and its enforcement of compliance with the Risk Analysis requirements.

Look for OCR both to continue zealously to enforce the Risk Analysis and other HIPAA Security Rule compliance and to tighten thesed requirements. On December 27, 2024, for instance, OCR published a notice of proposed rulemaking that proposes to clarify and tighten significantly the Risk Analysis requirements and other elements of the HIPAA Security Rule. Along with proposing these heightened Risk Analysis requirements, OCR announced and now is zealously enforcing the current Risk Analysis requirements through its Risk Analysis Initiative to hold Regulated Entities accountable for failing to fulfill their Risk Analysis responsibilities as part of its heightened efforts to improve Regulated Entities’ fulfillment of their Risk Analysis obligations. Prior to its announcement of the PIH settlement, OCR in recent months announced seven Risk Analysis Initiative settlements, including three in April. 

Breaches & Other Security Rule Violations Carry Substantial Liability Risks

TierCivil Penalties[1]Criminal Penalties
1Lack of Knowledge: $141 – $71,162 per violationReasonable Cause or No Knowledge of Violation: Up to 1 year imprisonment
2Reasonable Cause: $1,424 – $71,162 per violationPHI Obtained Under False Pretenses: Up to 5 years imprisonment
3Willful Neglect (corrected within 30 days): $14,232 – $71,162 per violationPHI Obtained for Personal Gain or with Malicious Intent: Up to 10 years imprisonment
4Willful Neglect (not corrected within 30 days): $71,162 – $2,134,831 per violation 

Most Regulated Entities that OCR accused of violating the HIPAA requirements avoid paying the full amount of authorized civil monetary penalties by accepting OCR settlement offers. As the $600,000 PIH and other settlements demonstrate, however, settlement with OCR allows Regulated Entities to avoid much greater potential civil monetary penalties by paying a much smaller, but still generally significant, settlement amount. As significant as these penalties and settlement costs are, they typically reflect only a small portion of the true cost organizations suffer from a breach. With the average financial consequences suffered by organizations that experience a data breach now approaching $5 million, costs of investigation and recovery from a breach and the associated operational and business disruptions experienced inflict a heavy toll even where OCR allows the health plan or other Regulated Entity to resolve its exposures with no financial settlement or penalty.

Breaches & Other Security Rule Violations Create Substantial Liability For Plans & Their Fiduciaries

While health plan breach notifications generally have lagged far behind provider notifications in number, reported health plan breaches generally have resulted the largest civil monetary penalty or resolution payments largely due to the massive number of individuals affected by these breaches. See e.g., HHS Office for Civil Rights Settles with L.A. Care Health Plan Over Potential HIPAA Security Rule Violations (September 11, 2023); Voluntary Resolution Agreement Between The United States Department of Health and Human Services, Office for Civil Rights (“HHS”) and UnitedHealthcare Insurance Company (August 24, 2023);  Health Insurer Pays $5.1 Million to Settle Data Breach Affecting Over 9.3 Million People (January 15, 2021); Aetna Pays $1,000,000 to Settle Three HIPAA Breaches (October 28, 2020); Health Insurer Pays $6.85 Million to Settle Data Breach Affecting Over 10.4 Million People (September 25, 2020); Health Insurer Pays $6.85 Million to Settle Data Breach Affecting Over 10.4 Million People (September 25, 2020); HIPAA Business Associate Pays $2.3 Million to Settle Breach Affecting Protected Health Information of Over 6 million Individual (September 23, 2020); Anthem pays OCR $16 Million in record HIPAA settlement following largest health data breach in history (October 15, 2018);  Record $16M Anthem HIPAA Settlement Signals Need To Tighten HIPAA Compliance & Risk Management

PIH Third Hacking Settlement In April

Although OCR’s PIH settlement announcement does not label the settlement as a Risk Analysis Initiative, OCR’s discussion makes clear OCR considered PIH’s failure to fulfill the Risk Analysis requirements a core failure contributing to the breach. The PIH settlement resolves an investigation that OCR conducted after receiving a breach report from PIH in January 2020 about a June 2019 phishing attack.  The report stated the attack compromised forty-five of its employees’ email accounts, resulting in the breach of 189,763 individuals’ unsecured ePHI. PIH reported that the ePHI disclosed in the phishing attack included affected individuals’ names, addresses, dates of birth, driver’s license numbers, Social Security numbers, diagnoses, lab results, medications, treatment and claims information, and financial information.

OCR’s investigation found multiple potential violations of the HIPAA Rules, including:

  • Failure to use or disclose protected health information only as permitted or required by the HIPAA Privacy Rule.
  • Failure to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by PIH.
  • Failure to notify affected individuals, the HHS Secretary, and the media of a breach of unsecured protected health information within 60 days of its discovery.

Under the terms of the resolution agreement, PIH has agreed to implement a corrective action plan that OCR will monitor for two years and pay a $600,000 settlement to OCR. Under the corrective action plan, PIH is obligated to take definitive steps toward resolving potential violations of the HIPAA Rules, including:

  • Conducting an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI.
  • Developing and implementing a risk management plan to address and mitigate security risks and vulnerabilities identified in its risk analysis.
  • Developing, maintaining, and revising, as necessary, its written policies and procedures to comply with the HIPAA Rules.
  • Training its workforce members who have access to PHI on its HIPAA policies and procedures.

The findings of deficiencies in PIH’s risk analysis and requirements that PIH conduct an accurate and thorough risk analysis and implement a risk management plan to address and mitigate identified security risks and vulnerabilities are a recurrent theme in OCR breach investigations.   OCR’s recent addition of a Risk Analysis Initiative to its compliance and enforcement priorities heightens the significance of OCR’s inclusion of these findings and requirements in the PIH settlement.

Previous Health Plan Enforcement Actions Confirms Health Plan Face Similar HIPAA Exposures

In January 2021, for instance, OCR announced New York health insurer, Excellus Health Plan, Inc., would pay $5.1 million to settle potential HIPAA violations related to a breach affecting over 9.3 million people.  The settlement resulted from OCR’s investigation of a September 9, 2015, breach report that cyber-attackers gained unauthorized access to its information technology systems.  Excellus Health Plan reported that the breach began on or before December 23, 2013, and ended on May 11, 2015.  The hackers installed malware and conducted reconnaissance activities that ultimately resulted in the impermissible disclosure of the protected health information of more than 9.3 million individuals, including their names, addresses, dates of birth, email addresses, Social Security numbers, bank account information, health plan claims, and clinical treatment information. The resolution payment is the second largest collected by OCR to date.

In October, 2020, OCR announced a resolution agreement with Aetna Life Insurance Company and affiliated covered entity (Aetna) where Aetna paid a $1 million resolution payment to settle potential HIPAA violations that arose from Aetna’s filing of hacking related breach reports in 2017 and OCR’s September 2021 announcement of a resolution agreement where Premera Blue Cross (PBC) agreed to pay $6.85 million to OCR (the second largest in OCR history) to settle potential HIPAA violations related to a breach affecting over 10.4 million people. This resolution represents the third largest payment to resolve a HIPAA investigation in OCR history.

In each of these and all subsequent breach enforcement announcements and other guidance, OCR also persistently urges health plans and other regulated entities to perform the required documented risk assessments and take the required actions necessary to guard their ePHI from hackers and other susceptibilities.

Required & Recommended Actions To Promote Defensibility Of Risk Analysis Compliance  

With cyberattacks targeting health care and other Regulated Entities soaring and OCR stepping up its scrutiny of Regulated Entities’ Risk Analysis compliance in audits and enforcement actions, each health care provider and other Regulated Entity should review and tighten its Risk Analysis practices and documentation to reduce its susceptibility to potential breaches and to promote its ability to defend its compliance with the Risk Analysis requirements in the event of a breach investigation or audit.

Fulfill Current Risk Analysis Standards

To fulfill the “Risk Analysis” implantation specification, the Security Management Process Standard requires Regulated Entities enforce appropriate administrative, physical, and technical safeguards for the confidentiality, integrity, and security of electronic protected health information (“ePHI”) based on an up-to-date conduct of an up-to-date accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by that organization (“Risk Analysis”).

The Security Rule requires Regulated Entities to document each Risk Analysis in writing, to keep Risk Analysis documentation for six years, and to provide Risk Analysis documentation to OCR upon request.

Among other things, the Risk Analysis implementation standard requires regulated entities adequately to:

  • Identify where ePHI is located in the organization, including how ePHI enters, flows through, and leaves the organization’s information systems.
  • Integrate Risk Analysis and risk management into the organization’s business processes.
  • Ensure that audit controls are in place to record and examine information system activity.
  • Implement regular reviews of information system activity.
  • Utilize mechanisms to authenticate information to ensure only authorized users are accessing ePHI.
  • Encrypt ePHI in transit and at rest to guard against unauthorized access to ePHI when appropriate.
  • Incorporate lessons learned from incidents into the organization’s overall security management process.
  • Provide workforce members with regular HIPAA training that is specific to the organization and to the workforce members’ respective job duties.
Follow Proposed Rules & Enforcement Actions To Mitigate Risks

The proposed rule published by OCR on December 27, 2024, seeks to clarify and expand the original requirements of the Risk Assessment implementation standard based on OCR’s past HIPAA Security and Breach Rule investigation and enforcement experience.  Under the proposed rule, a Regulated Entity’s Risk Analysis also would be required to include:

  • Require the development and revision of a technology asset inventory and a network map that illustrates the movement of ePHI throughout the regulated entity’s electronic information system(s) on an ongoing basis, at least once every 12 months and in response to a change in the regulated entity’s environment or operations that may affect ePHI.
  • Require greater specificity for conducting a risk analysis, including a written assessment that contains, among other things:
    • A review of the technology asset inventory and network map;
    • Identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI;
    • Identification of potential vulnerabilities and predisposing conditions to the regulated entity’s relevant electronic information systems;
    • An assessment of the risk level for each identified threat and vulnerability, based on the likelihood that each identified threat will exploit the identified vulnerabilities; and
    • A review of the technology asset inventory and network map.

Other changes included in the proposed rule would further heighten the Risk Analysis and other Security Standard requirements for Regulated Entities. For instance, the proposed rule would require Regulated Entities:

  • To establish written procedures to restore the loss of certain relevant electronic information systems and data within 72 hours;
  • To perform an analysis of the relative criticality of their relevant electronic information systems and technology assets to determine the priority for restoration;
  • To establish written security incident response plans and procedures documenting how workforce members are to report suspected or known security incidents and how the regulated entity will respond to suspected or known security incidents;
  • To implement written procedures for testing and revising written security incident response plans;
  • To conduct a compliance audit at least once every 12 months to ensure their compliance with the Security Rule requirements;
  • To require business associates to verify at least once every 12 months for covered entities (and that business associate contractors verify at least once every 12 months for business associates) that they have deployed technical safeguards required by the Security Rule to protect ePHI through a written analysis of the business associate’s relevant electronic information systems by a subject matter expert and a written certification that the analysis has been performed and is accurate;
  • To encrypt ePHI at rest and in transit, with limited exceptions;
  • To establish and deploy technical controls for configuring relevant electronic information systems, including workstations, in a consistent manner including deployment of anti-malware protection, removal of extraneous software, and disabling network ports in accordance with the regulated entity’s risk analysis;
  • Use of multi-factor authentication, with limited exceptions;
  • Vulnerability scanning at least every six months and penetration testing at least once every 12 months;
  • Network segmentation;
  • Separate technical controls for backup and recovery of ePHI and relevant electronic information systems;
  • To review and test the effectiveness of certain security measures at least once every 12 months, in place of the current general requirement to maintain security measures;
  • Business associates to notify covered entities (and subcontractors to notify business associates) upon activation of their contingency plans without unreasonable delay, but no later than 24 hours after activation;
  • Group health plans to include in their plan documents requirements for their group health plan sponsors to: comply with the administrative, physical, and technical safeguards of the Security Rule; ensure that any agent to whom they provide ePHI agrees to implement the administrative, physical, and technical safeguards of the Security Rule; and notify their group health plans upon activation of their contingency plans without unreasonable delay, but no later than 24 hours after activation.

To help Regulated Entities understand and fulfill these responsibilities, OCR alone and in conjunction with the Office of the National Coordinator for Health Information Technology (“ONC”) also has published guidance like the HIPAA Security Risk Assessment (SRA) Tool.  OCR guidance reflects that fulfillment of the Tool can help Regulated Entities may help defend but does not guarantee fulfillment of the Risk Assessment requirements, as the adequacy of the Risk Assessment always depends upon the unique facts and circumstances of the Regulated Entity at a particular time.  This guidance confirms the importance of conducting timely and appropriate Risk Analysis in a manner that shows the Regulated Entity appropriately evaluated the risks to its e-PHI and acted reasonably in designing, administering, and updating that Risk Analysis to reasonably defend its e-PHI against breaches or other susceptibilities.

Since OCR’s guidance makes clear that the adequacy of a Regulated Entity’s Risk Analysis and other HIPAA Security compliance based on its evaluation and response to known and suspected susceptibility threats as conducted and documented pursuant to the Risk Analysis rule, health care providers and other Regulated Entities should view Risk Analysis as an ongoing process. While the Security Rule does not currently dictate how frequently a regulated entity must perform Risk Analysis, a proposed rule published by OCR on December 27, 2024 seeks to amend the existing Security Rule to expand the requirement to require regulated entities to develop and revise a technology asset inventory and a network map that illustrates the movement of ePHI throughout the regulated entity’s electronic information system(s) on an ongoing basis, at least once every 12 months and in response to a change in the regulated entity’s environment or operations that may affect ePHI.  Although OCR has not officially adopted this and other changes contained in the proposed rule, substantial evidence exists that it already regularly administers the Risk Analysis requirement with the expectation that regulated entities will perform Risk Analysis at least this frequently. For instance, current OCR resolution agreements require impacted organizations to conduct Risk Analysis to identify and address vulnerabilities at least annually, and more frequently as needed in response to signs of potential breach or susceptibility. Likewise, since OCR developed the proposed rule from its past enforcement experience, wise Regulated Entities also will recognize the value of drawing upon the changes set forth in the proposed rule for helpful insights to strengthen the security of their ePHI generally and promoting the defensibility of the adequacy of their Risk Assessments.

Additional Responsibilities & Risks For Health Plan Fiduciaries & Sponsors

Along side the OCR warnings, employment and union sponsored health plans, their sponsors, insurers, business associates and fiduciaries also now face additional pressure to take appropriate steps to security health plan data and timely investigate and report breaches.

prudent steps to secure their health plans’ protected health information and electronic data systems against improper use, access, destruction or disclosure under April, 2021 Employee Benefit Security Administration (“EBSA”) guidance package that for the first time officially recognizes cybersecurity as included in the fiduciary responsibilities of employee benefit plan fiduciaries under the Employee Retirement Income Security Act (“ERISA”) and addition of cybersecurity to its plan audits. As a result, in addition to complying with HIPAA, ERISA-covered health plan fiduciaries and sponsors also should be prepared to demonstrate that plan fiduciaries have taken the steps prudently necessary to guard health and other employee benefit plan data and systems against cybersecurity threats. In light of this guidance health plan fiduciaries and sponsors generally will want to ensure that at minimum, they can demonstrate that the health plan and health plan vendor cybersecurity safeguard meet or exceed the recommendations included in the following guidance materials published by EBSA as part of this cybersecurity announcement and any other steps that are prudent to guard against cybersecurity threats:

  • Tips for Hiring a Service Provider: Helps plan sponsors and fiduciaries prudently select a service provider with strong cybersecurity practices and monitor their activities, as ERISA requires.
  • Cybersecurity Program Best Practices: Assists plan fiduciaries and record-keepers in their responsibilities to manage cybersecurity risks.
  • Online Security Tips: Offers plan participants and beneficiaries who check their retirement accounts online basic rules to reduce the risk of fraud and loss.

In light of this OCR and EBSA guidance, health plan sponsors, fiduciaries and vendors and other HIPAA covered entities and business associates are urged to take documented steps to audit and strengthen as needed their safeguards against hacking and other cybersecurity threats including:

  • In the case of any health plan or health plan vendor, taking well documented steps to assess and tighten as necessary their health plan systems and data security to meet or exceed the recommendation outlined in the EBSA cybersecurity guidance or otherwise necessary to prudently guard their plans and plan data and systems against cybersecurity threats.
  • Reviewing and monitoring on a documented, ongoing basis the adequacy and susceptibilities of existing practices, policies, safeguards of their own organizations, as well as their business associates and their vendors within the scope of attorney-client privilege taking into consideration data available from OCR, data regarding known or potential susceptibilities within their own operations as well as in the media, and other developments to determine if additional steps are necessary or advisable.
  • Updating policies, privacy and other notices, practices, procedures, training and other practices as needed to promote compliance and defensibility.
  • Renegotiating and enhancing service provider agreements to detail the specific compliance, audit, oversight and reporting rights, workforce and vendor credentialing and access control, indemnification, insurance, cooperation and other rights and responsibilities of all entities and individuals that use, access or disclose, or provide systems, software or other services or tools that could impact on security; to clarify the respective rights, procedures and responsibilities of each party in regards to compliance audits, investigation, breach reporting, and mitigation; and other relevant matters.
  • Verifying and tightening technological and other tracking, documentation and safeguards and controls to the use, access and disclosure of protected health information and systems.
  • Conducting well-documented training as necessary to ensure that members of the workforce of each covered entity and business associate understand and are prepared to comply with the expanded requirements of HIPAA, understand their responsibilities and appropriate procedures for reporting and investigating potential breaches or other compliance concerns, and understand as well as are prepared to follow appropriate procedures for reporting and responding to suspected
    violations or other indicia of potential security concerns.
  • Tracking and reviewing on a systemized, well-documented basis actual and near miss security threats to evaluate, document decision-making and make timely adjustments to policies, practices, training, safeguards and other compliance components as necessary to identify and resolve risks.
  • Establishing and providing well-documented monitoring of compliance that includes board level oversight and reporting at least quarterly and sooner in response to potential threat indicators.
  • Establishing and providing well-documented timely investigation and redress of reported
    violations or other compliance concerns.
  • Establishing contingency plans for responding in the event of a breach. 
  • Establishing a well-documented process for monitoring and updating policies, practices and other efforts in response to changes in risks, practices and requirements.
  • Preparing and maintaining a well-documented record of compliance, risk, investigation and other security activities.
  • Pursuing other appropriate strategies to enhance the covered entity’s ability to demonstrate its compliance commitment both on paper and in operation.

Because susceptibilities in systems, software and other vendors of business associates, covered entities and their business associates should use care to assess and manage business associate and other vendor associated risks and compliance as well as tighten business associate and other service agreements to promote the improved cooperation, coordination, management and oversight required to comply with the new breach notification and other HIPAA requirements by specifically mapping out these details.

Leaders of covered entities or their business associates also are cautioned that while HIPAA itself does not generally create any private right of action for victims of breach under HIPAA, breaches may create substantial liability for their organizations or increasingly, organizational leaders under state data privacy and breach, negligence or other statutory or common laws.  In addition, physicians and other licensed parties may face professional discipline or other professional liability for breaches violating statutory or ethical standards.  Meanwhile, the Securities and Exchange Commission has indicated that it plans to pursue enforcement against leaders of public health care or other companies that fail to use appropriate care to ensure their organizations comply with privacy and data security obligations and the Employee Benefit Security Administration recently has issued guidance recognizing prudent data security practicces as part of the fiduciary obligations of health plans and their fiduciaries.  

Appropriate Processes Can Prevent Breaches & Enhance Defensibility

With the continued explosion in ransomware and other cyberthreats heightening the risk of experiencing a breach or other incident likely to draw the attention of OCR, each health plan or other Regulated Entity should take assess and confirm the adequacy of their current Risk Analysis, both to protect its ePHI and to promote its ability to defend its compliance with the HIPAA Security Rule’s Risk Analysis and other requirements in light of OCR’s heightened emphasis on Risk Analysis compliance and enforcement. For purposes of conducting this analysis, Regulated Entities generally will want to use a process like the following to structure their evaluation of their existing Risk Analysis to take advantage of the opportunity to use attorney-client privilege and other evidentiary rules to help protect discoverability of sensitive discussions about possible deficiencies in their existing Risk Analysis and discussions about potential tradeoffs considered in current or future Risk Analysis response:

  • Engage legal counsel experienced with HIPAA and other cybersecurity-related risks and liabilities to advise and assist your organization in designing and administering your Risk Analysis processes and response within the scope of attorney-client privilege;
  • Appoint and designate leadership and technical leadership for team responsible for design and administration of your organization’s initial and ongoing cybersecurity Risk Analysis and response (“Cyber-Risk Team”) and process for board and senior management reporting of the Cyber-Risk Team;
  • Select and engage outside consulting service providers, cyber-liability insurers and other risk service providers expected to participate in the process; work with qualified legal counsel to contract with these business associates to include the business associate agreement and other reassurances required by the HIPAA Privacy, Security and Breach Notification Rule and other performances, cooperation to provide and back services in accordance with agreed-upon protocols in the contract;
  • Train Cyber-Risk Team in the appropriate processes for working with internal teams, outside service providers, leadership, and designated legal counsel to conduct Risk Analysis, investigation and response using attorney-client privilege and other evidentiary tools and processes to maximize defensibility;
  • Require the Cyber-Risk Team conduct an updated, document assessment of cyber-risk within scope of attorney-client privilege and work with legal counsel to develop a documented cyber-risk policy that captures analysis and determinations for your justification for the size, scope and timing of your periodic Risk Analysis and rules and processes for interim risk identification, reassessments and response in reaction to potential cyber-risk signs between periodic Risk Analysis for presentation and approval by the Board taking into account the insights from published final and proposed guidance, enforcement actions and industry standards;
  • Require, oversee and enforce Cyber-Risk Team’s documented administration of the initial and subsequently required Risk Analysis and response pursuant to the adopted cyber-risk policy to identify vulnerabilities and work with legal counsel within the scope of privilege to document your analysis and justifications for addressing identified vulnerabilities and other required actions in response to identified susceptibilities or event;
  • Review adequacy of incident detection and response arrangements, including reporting and response mechanisms, insurance and indemnification protection, and other critical elements for mitigation and recovery; and
  • Other actions as warranted based on advice of counsel taking into account emerging threats, guidance, and risk susceptibility.

Although civil monetary penalties or settlements are the most common sanction imposed for HIPAA Security and Breach Notification rule violations, willful and certain other violations of HIPAA can trigger criminal liability subject to the Federal Sentencing Guidelines. Consequently, beyond fulfilling the specific requirements of HIPAA, an adequate Risk Assessment also can be an invaluable tool for helping mitigate Federal Sentencing Guideline exposures of a Regulated Entity and its leaders under the Federal Sentencing Guidelines Organizational Liability rules.

Beyond these specific HIPAA-associated exposures, Regulated Entities and their leaders should keep in mind that HIPAA is likely only one of many laws that define their responsibilities to secure, report, and respond to breaches of ePHI or other sensitive data. Depending on the location, nature and other circumstances, Regulated Entities and their leaders also may have additional responsibilities and liability exposures under a variety of other federal and state laws, ethical or other professional standards, and contractual obligations in addition to those imposed under HIPAA and ERISA. For instance, inadequate data safeguards for ePHI also can trigger liability under the Fair and Accurate Credit Transactions Act, the Federal Trade Commission Act, and various electronic crimes statutes. The Securities and Exchange Commission rules can trigger disclosure and other obligations for publicly traded hospital or other health care providers, insurers, or their business associates. Health care providers, payers and others are likely to face specific additional health care or insurance-specific licensing and ethics rules, as well as other confidential information privacy, cybersecurity and breach reporting obligations and liability under various state statutes and regulations. Regulated Entities and their leaders generally will want to fully evaluate and manage these risks in conjunction with their compliance with the Risk Analysis and other requirements of the HIPAA Security and Breach Notification Rules.

Finally, health plans and other Regulated Entities are reminded that appropriate strategic planning, ongoing diligence in monitoring and responding to security events and susceptibility, and timely and appropriate use of appropriate evidentiary and procedural tools can critically impact the defensibility of pre-breach, breach investigation and post-breach investigation and decision-making. Because HIPAA, EBSA and other rules typically require prompt investigation and response to known or suspected hacking or other cybersecurity threats, health plans and other covered entities or business associates should seek the assistance of experienced legal counsel to advise and assist in these activities to understand the potential availability and proper use of these and other evidentiary rules as part of the compliance planning process as well as to prepare for appropriate use in the event of a known or suspected incident to avoid unintentional compromise of these protections.

The author of this update, Cynthia Marcotte Stamer is nationally known and celebrated for her experience providing advice and representation to health care providers, health insurers, employers and other health plan sponsors, health plans, health plan fiduciaries and administrators, third party administrators, human resources and health plan technology, and other businesses about HIPAA and other compliance, risk management and operational matters. If you have questions or need advice or help evaluating or addressing these or other compliance, risk management, or other concerns, contact her.

For More Information Or Help

We hope this update is helpful. For more information about these or other health or other employee benefits, human resources, or health care developments, please contact the author, Cynthia Marcotte Stamer, via e-mail or telephone at (214) 452-8297.

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating in and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Cynthia Marcotte Stamer is a Martindale-Hubble AV-Preeminent (highest/top 1%) practicing attorney recognized as a “Top Woman Lawyer,” “Top Rated Lawyer,” and “LEGAL LEADER™” in Health Care Law and Labor and Employment Law; among the “Best Lawyers In Dallas” in “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law recognized for her experience, scholarship, thought leadership and advocacy on HIPAA and other data and technology use, security and compliance in connection with her work with health care and life sciences, employee benefits, insurance, education, technology and other highly regulated and performance-dependent clients.

Board certified in labor and employment law by the Texas Board of Legal Specialization and a Fellow in the American College of Employee Benefits Counsel, Ms. Stamer works with these and other highly regulated or data and performance reliant businesses to design, risk manage, and defend their employment and other workforce, data and technology and other operations to promote legal and operational compliance, reduce regulatory and other liability and promote other operational goals.

Along with her decades of legal and strategic consulting experience, Ms. Stamer also contributes her leadership and experience to many professional, civic and community organizations. She currently serves as Co-Chair of the ABA Real Property Trusts and Estates (“RPTE”) Section Welfare Plan Committee, Co-Chair of the ABA International Section International Employment Law Committee and its Annual Meeting Program Planning Committee, Chair Emeritus and Vice Chair of the ABA Tort Trial and Insurance (“TIPS”) Section Medicine and Law Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee.

Additionally, more her ABA involvements include than a decade of service as a Scribe for the Joint Committee on Employee Benefits (“JCEB”) annual agency meetings with the Department of Health and Human Services and JCEB Council Representative, International Section Life Sciences Committee Chair, RPTE Section Employee Benefits Group Chair and a Substantive Groups Committee Member, Health Law Section Managed Care & Insurance Interest Group Chair, as TIPS Section Medicine and Law Committee Chair and Employee Benefits Committee and Workers Compensation Committee Vice Chair, Tax Section Fringe Benefit Committee Chair, and in various other ABA leadership capacities. Ms. Stamer also is a former Southwest Benefits Association Board Member and Continuing Education Chair, SHRM National Consultant Board Chair and Region IV Chair, Dallas Bar Association Employee Benefits Committee Chair, former Texas Association of Business State, Regional and Dallas Chapter Chair, a founding board member and Past President of the Alliance for Healthcare Excellence, as well as in the leadership of many other professional, civic and community organizations. She also is recognized for her contributions to strengthening health care policy and charitable and community service resolving health care challenges performed under PROJECT COPE Coalition For Patient Empowerment initiative and many other pro bono service involvements locally, nationally and internationally.

Ms. Stamer is the author of many highly regarded works published by leading professional and business publishers, the ABA, the American Health Lawyers Association, and others. Ms. Stamer also frequently speaks and serves on the faculty and steering committee for many ABA and other professional and industry conferences and conducts leadership and industry training for a wide range of organizations.

For more information about Ms. Stamer or her health industry and other experience and involvements, see http://www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press™

Solutions Law Press™ provides health care, insurance, human resources and employee benefit, data and technology, regulatory and operational performance, and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education. These include extensive resources on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press™ resources or training.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or admission. Solutions Law Press and its authors reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. Solutions Law Press and its authors disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2025 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press.™ For information about licensing for republication, please contact the author directly. All other rights reserved.

[1] The civil monetary penalty amounts are adjusted annually for inflation.  OCR has not yet published the 2025 inflation adjusted amounts. 

Comments Off on Another Large HIPAA Settlement Warns Health Plans & Other HIPAA Entities To Analyze & Manage Their Hacking & Other Data Susceptibilities | Corporate Compliance, Cybercrime, Cybersecurity, Data breach, Employer, Employers, ERISA, FACTA, Fiduciary Responsibility, Health Plans, HIPAA, HIPAA, Reporting & Disclosure | Tagged: , , , , | Permalink
Posted by Cynthia Marcotte Stamer

6th Risk Analysis Settlement & Other OCR Actions Warn Health Plans & Other HIPAA-Regulated Entities To Tighten Risk Analysis

April 14, 2025

The $350,000 paid by Northeast Radiology, P.C. (“NERAD”) provides the latest warning to health plans, health care providers, healthcare clearinghouses (“Covered Entities”) and their business associates (collectively “Regulated Entities”) they risk costly fines and other costs for failing to maintain the up-to-date risk assessments required by the Health Insurance Portability & Accountability Act (“HIPAA”).

Following up on the five other previous Risk Analysis Initiative enforcement actions and settlements recently announced by the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) and OCR’s publication of proposed rules to significantly tighten HIPAA’s Risk Analysis and other requirements, the settlement with medical imaging center NERAD sends a strong warning to health plans and other Regulated Entities to clean up and strengthen their Risk Analysis and other HIPAA Security Rule compliance.

$350,000 NERAD Risk Analysis Settlement Latest Product Of New Enforcement Initiative

The sixth Risk Analysis Initiative enforcement action announced by OCR in recent months, the NERAD settlement resolves an OCR Risk Analysis Initiative enforcement action arising from OCR’s investigation of a breach of ePHI stored on NERAD’s Picture Archiving and Communication System (“PACS”) server for storing, retrieving, managing, and accessing radiology images.

OCR initiated its investigation of NERAD after receiving a NERAD breach report about a breach of unsecured ePHI in March 2020. NERAD reported that between April 2019 and January 2020, unauthorized individuals accessed radiology images stored on NERAD’s PACS server. NERAD notified the 298,532 patients whose information was potentially accessible on the PACS server of this breach. OCR’s investigation found that NERAD had failed to conduct an accurate and thorough Risk Analysis to determine the potential risks and vulnerabilities to the ePHI in NERAD’s information systems.

To avoid potentially much greater HIPAA civil monetary penalties under the terms of the resolution agreement, NERAD paid OCR $350,000 and agreed to implement a corrective action plan that OCR will monitor for two years. Under the corrective action plan, NERAD will take steps to improve its compliance with the HIPAA Security Rule and protect the security of ePHI, including:

  • Conducting an accurate and thorough Risk Analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI;
  • Developing and implementing a risk management plan to address and mitigate security risks and vulnerabilities identified in its Risk Analysis;
  • Developing and implementing a written process to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports;
  • Developing, maintaining, and revising, as necessary, its written policies and procedures to comply with the HIPAA Rules; and
  • Augmenting its existing HIPAA and security training program to all of its workforce members who have access to PHI.

OCR Turns Up Heat On HIPAA Risk Analysis Requirements & Enforcement

The HIPAA Privacy, Security, and Breach Notification Rules set forth the requirements that Regulated Entities must follow to protect the privacy and security of protected health information. Since the HIPAA Security Rule first took effect, risk analysis is one of the four required implementation specifications the Security Rule requires to fulfill its Security Management Process Standard’s requirement that regulated entities “[i]mplement policies and procedures to prevent, detect, contain, and correct security violations.” 

Written Risk Analysis Longstanding Requirement

Although OCR only recently formally adopted a Risk Analysis Initiative, OCR’s regulatory guidance and enforcement actions have communicated clearly the necessity for each Regulated Entity to possess and maintain an adequate documented Risk Analysis.  OCR guidance since has required Regulated Entities to conduct and document the required Risk Analysis to safeguard ePHI and avoid liability under the HIPAA Rule.  The importance of fulfillment of the Risk Analysis requirement is driven home by OCR’s recent identification of Risk Analysis inadequacies as a basis for its assessment of civil monetary penalties or required resolution payments to settle HIPAA Security Rule violations following a breach of ePHI. 

While the Security Rule does not currently dictate how frequently a regulated entity must perform Risk Analysis, a proposed rule published by OCR on December 27, 2024 seeks to amend the existing Security Rule to expand the requirement to require regulated entities to develop and revise a technology asset inventory and a network map that illustrates the movement of ePHI throughout the regulated entity’s electronic information system(s) on an ongoing basis, at least once every 12 months and in response to a change in the regulated entity’s environment or operations that may affect ePHI.  Although OCR has not adopted this and other changes contained in the proposed rule, substantial evidence exists that it already regularly administers the Risk Analysis requirement with the expectation that regulated entities will perform Risk Analysis at least this frequently. For instance, current OCR resolution agreements require impacted organizations to conduct Risk Analysis to identify and address vulnerabilities at least annually, and more frequently as needed in response to signs of potential breach or susceptibility.

To fulfill the “Risk Analysis” implantation specification, the Security Management Process Standard requires Regulated Entities maintain appropriate administrative, physical, and technical safeguards for the confidentiality, integrity, and security of electronic protected health information (“ePHI”) based on an up-to-date conduct of an up-to-date accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by that organization (“Risk Analysis”).

The Security Rule requires Regulated Entities to document each Risk Analysis in writing, to maintain their Risk Analysis documentation for six years, and to make available Risk Analysis documentation to OCR upon request.

Among other things, the Risk Analysis implementation standard requires regulated entities adequately to:

  • Identify where ePHI is located in the organization, including how ePHI enters, flows through, and leaves the organization’s information systems.
  • Integrate Risk Analysis and risk management into the organization’s business processes.
  • Ensure that audit controls are in place to record and examine information system activity.
  • Implement regular reviews of information system activity.
  • Utilize mechanisms to authenticate information to ensure only authorized users are accessing ePHI.
  • Encrypt ePHI in transit and at rest to guard against unauthorized access to ePHI when appropriate.
  • Incorporate lessons learned from incidents into the organization’s overall security management process.
  • Provide workforce members with regular HIPAA training that is specific to the organization and to the workforce members’ respective job duties.
OCR Heightens Risk Analysis Enforcement While Proposing Heightened Risk Analysis And Other Security Requirements

The proposed rule published by OCR on December 27, 2024 seeks to significantly broaden these original requirements of the Risk Assessment implementation standard.  Under the proposed rule, a Regulated Entity’s Risk Analysis also would be required to include:

  • Require the development and revision of a technology asset inventory and a network map that illustrates the movement of ePHI throughout the regulated entity’s electronic information system(s) on an ongoing basis, at least once every 12 months and in response to a change in the regulated entity’s environment or operations that may affect ePHI.
  • Require greater specificity for conducting a risk analysis, including a written assessment that contains, among other things:
    • A review of the technology asset inventory and network map;
    • Identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI;
    • Identification of potential vulnerabilities and predisposing conditions to the regulated entity’s relevant electronic information systems;
    • An assessment of the risk level for each identified threat and vulnerability, based on the likelihood that each identified threat will exploit the identified vulnerabilities; and
    • A review of the technology asset inventory and network map.

Other changes included in the proposed rule would further heighten the Risk Analysis and other Security Standard requirements for Regulated Entities. For instance, the proposed rule would require Regulated Entities:

  • To establish written procedures to restore the loss of certain relevant electronic information systems and data within 72 hours;
  • To perform an analysis of the relative criticality of their relevant electronic information systems and technology assets to determine the priority for restoration;
  • To establish written security incident response plans and procedures documenting how workforce members are to report suspected or known security incidents and how the regulated entity will respond to suspected or known security incidents;
  • To implement written procedures for testing and revising written security incident response plans;
  • To conduct a compliance audit at least once every 12 months to ensure their compliance with the Security Rule requirements;
  • To require business associates to verify at least once every 12 months for covered entities (and that business associate contractors verify at least once every 12 months for business associates) that they have deployed technical safeguards required by the Security Rule to protect ePHI through a written analysis of the business associate’s relevant electronic information systems by a subject matter expert and a written certification that the analysis has been performed and is accurate;
  • To encrypt ePHI at rest and in transit, with limited exceptions;
  • To establish and deploy technical controls for configuring relevant electronic information systems, including workstations, in a consistent manner including deployment of anti-malware protection, removal of extraneous software, and disabling network ports in accordance with the regulated entity’s risk analysis;
  • Use of multi-factor authentication, with limited exceptions;
  • Vulnerability scanning at least every six months and penetration testing at least once every 12 months;
  • Network segmentation;
  • Separate technical controls for backup and recovery of ePHI and relevant electronic information systems;
  • To review and test the effectiveness of certain security measures at least once every 12 months, in place of the current general requirement to maintain security measures;
  • Business associates to notify covered entities (and subcontractors to notify business associates) upon activation of their contingency plans without unreasonable delay, but no later than 24 hours after activation;
  • Group health plans to include in their plan documents requirements for their group health plan sponsors to: comply with the administrative, physical, and technical safeguards of the Security Rule; ensure that any agent to whom they provide ePHI agrees to implement the administrative, physical, and technical safeguards of the Security Rule; and notify their group health plans upon activation of their contingency plans without unreasonable delay, but no later than 24 hours after activation.

To help Regulated Entities understand and fulfill these responsibilities, OCR alone and in conjunction with the Office of the National Coordinator for Health Information Technology (“ONC”) also has published guidance like the HIPAA Security Risk Assessment (SRA) Tool.  OCR guidance reflects that fulfillment of the Tool can help Regulated Entities may help defend but does not guarantee fulfillment of the Risk Assessment requirements, as the adequacy of the Risk Assessment always depends upon the unique facts and circumstances of the Regulated Entity at a particular time.  This guidance confirms the importance of conducting timely and appropriate Risk Analysis in a manner that shows the Regulated Entity appropriately evaluated the risks to its e-PHI and acted reasonably in designing, administering, and updating that Risk Analysis to reasonably defend its e-PHI against breaches or other susceptibilities.

Recommended Actions For Health Plans & Other HIPAA-Regulated Entities

With the continued explosion in ransomware and other cyberthreats heightening the risk of experiencing a breach or other incident likely to draw the attention of OCR, each health plan or other Regulated Entity should take assess and confirm the adequacy of their current Risk Analysis, both to protect its ePHI and to promote its ability to defend its compliance with the HIPAA Security Rule’s Risk Analysis and other requirements in light of OCR’s heightened emphasis on Risk Analysis compliance and enforcement. For purposes of conducting this analysis, Regulated Entities generally will want to use a process like the following to structure their evaluation of their existing Risk Analysis to take advantage of the opportunity to use attorney-client privilege and other evidentiary rules to help protect discoverability of sensitive discussions about possible deficiencies in their existing Risk Analysis and discussions about potential tradeoffs considered in current or future Risk Analysis response:

  • Engage legal counsel experienced with HIPAA and other cybersecurity-related risks and liabilities to advise and assist your organization in designing and administering your Risk Analysis processes and response within the scope of attorney-client privilege;
  • Appoint and designate leadership and technical leadership for team responsible for design and administration of your organization’s initial and ongoing cybersecurity Risk Analysis and response (“Cyber-Risk Team”) and process for board and senior management reporting of the Cyber-Risk Team;
  • Select and engage outside consulting service providers, cyber-liability insurers and other risk service providers expected to participate in the process; work with qualified legal counsel to contract with these business associates to include the business associate agreement and other reassurances required by the HIPAA Privacy, Security and Breach Notification Rule and other performances, cooperation to provide and back services in accordance with agreed-upon protocols in the contract;
  • Train Cyber-Risk Team in the appropriate processes for working with internal teams, outside service providers, leadership, and designated legal counsel to conduct Risk Analysis, investigation and response using attorney-client privilege and other evidentiary tools and processes to maximize defensibility;
  • Require the Cyber-Risk Team conduct an updated, document assessment of cyber-risk within scope of attorney-client privilege and work with legal counsel to develop a documented cyber-risk policy that captures analysis and determinations for your justification for the size, scope and timing of your periodic Risk Analysis and rules and processes for interim risk identification, reassessments and response in reaction to potential cyber-risk signs between periodic Risk Analysis for presentation and approval by the Board taking into account the insights from published final and proposed guidance, enforcement actions and industry standards;
  • Require, oversee and enforce Cyber-Risk Team’s documented administration of the initial and subsequently required Risk Analysis and response pursuant to the adopted cyber-risk policy to identify vulnerabilities and work with legal counsel within the scope of privilege to document your analysis and justifications for addressing identified vulnerabilities and other required actions in response to identified susceptibilities or event;
  • Review adequacy of incident detection and response arrangements, including reporting and response mechanisms, insurance and indemnification protection, and other critical elements for mitigation and recovery; and
  • Other actions as warranted based on advice of counsel taking into account emerging threats, guidance, and risk susceptibility.

The author of this update, Cynthia Marcotte Stamer is an American College of Employee Benefits Counsel Fellow and attorney board certified in Labor and Employment Law by the Texas Board of Legal Specialization, nationally known and celebrated for her experience providing advice and representation on HIPAA and other risk management and compliance to employers and other health plan sponsors, health plans, health plan fiduciaries and administrators, health and other insurers, third party administrators, health care and other managed care providers and organizations, human resources and health plan technology, and other businesses about health plan design, administration, and other compliance, risk management and operational matters. If you have questions or need advice or help evaluating or addressing these or other compliance, risk management, or other concerns, contact her.

For More Information

We hope this update is helpful. For more information about these or other health or other employee benefits, human resources, or health care developments, please contact the author, Cynthia Marcotte Stamer, via e-mail or telephone at (214) 452-8297.

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation; Cynthia Marcotte Stamer is an attorney board certified in labor and employment law by the Texas Board of Legal Specialization, management consultant, author, public policy advocate and lecturer sought out by clients and industry and government leaders for her more than 35 years of health, insurance, employment and employee benefits and other industry management work, thought leadership, public policy and regulatory affairs advocacy, coaching, teaching, and publications on health and other employee benefits, health care, insurance, workforce and other risk management and compliance.

Along with her decades of legal and strategic consulting experience, Ms. Stamer also contributes her leadership and experience to many professional, civic and community organizations. Along with currently serving as Co-Chair of the ABA Real Property Trusts and Estates (“RPTE”) Section Welfare Plan Committee, Co-Chair of the ABA International Section International Employment Law Committee and its Annual Meeting Program Planning Committee, Chair Emeritus and Vice Chair of the ABA Tort Trial and Insurance (“TIPS”) Section Medicine and Law Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee, her previous ABA leadership roles include more than a decade of service as a Scribe for the Joint Committee on Employee Benefits (“JCEB”) annual agency meetings with the Department of Health and Human Services and JCEB Council Representative, International Section Life Sciences Committee Chair, RPTE Section Employee Benefits Group Chair and a Substantive Groups Committee Member, Health Law Section Managed Care & Insurance Interest Group Chair, as TIPS Section Medicine and Law Committee Chair and Employee Benefits Committee and Workers Compensation Committee Vice Chair, Tax Section Fringe Benefit Committee Chair, and in various other ABA leadership capacities. Ms. Stamer also is a former Southwest Benefits Association Board Member and Continuing Education Chair, SHRM National Consultant Board Chair and Region IV Chair, Dallas Bar Association Employee Benefits Committee Chair, former Texas Association of Business State, Regional and Dallas Chapter Chair, a founding board member and Past President of the Alliance for Healthcare Excellence, as well as in the leadership of many other professional, civic and community organizations. She also is recognized for her contributions to strengthening health care policy and charitable and community service resolving health care challenges performed under PROJECT COPE Coalition For Patient Empowerment initiative and many other pro bono service involvements locally, nationally and internationally.

Ms. Stamer is the author of many highly regarded works published by leading professional and business publishers, the ABA, the American Health Lawyers Association, and others. Ms. Stamer also frequently speaks and serves on the faculty and steering committee for many ABA and other professional and industry conferences and conducts leadership and industry training for a wide range of organizations.

For more information about Ms. Stamer or her health industry and other experience and involvements, see http://www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press™

Solutions Law Press™ provides health care, insurance, human resources and employee benefit, data and technology, regulatory and operational performance, and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education. These include extensive resources on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press™ resources or training.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or an admission. Solutions Law Press and its authors reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often rapidly evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. Solutions Law Press and its authors disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2025 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press.™ For information about licensing for republication, please contact the author directly. All other rights reserved.

Comments Off on 6th Risk Analysis Settlement & Other OCR Actions Warn Health Plans & Other HIPAA-Regulated Entities To Tighten Risk Analysis | Association Health Plan, Attorney-Client Privilege, church plan, Civil Monetary Penalties, compliance, Corporate Compliance, Cybercrime, Cybersecurity, Data Breach, Data Security, Employee Benefits, Employers, ERISA, GINA, health benefit, Health Benefits, health Care, health insurance, health insurance marketplace, Health IT, health plan, Health Plans, HIPAA, HIPAA, Identity Theft, Managed Care | Tagged: , , , , | Permalink
Posted by Cynthia Marcotte Stamer

$200,000 OCR Penalty Warns Health Plans and Other HIPAA Entities To Timely Provide Records

March 7, 2025

The $200,000 civil monetary penalty [paid by Oregon Health & Science University (“OHSU”) for failing to provide requested medical records shows health plans, health care providers, and health care clearinghouses (“covered entities”) the perils of violating an individual’s Health Insurance Portability & Accountability Act of 1996 (“HIPAA”) right to timely access. As the 53rd Department of Health and Human Services Office of Civil Rights (“OCR”) announced HIPAA right of action enforcement action, the penalty reaffirms OCR’s continued strong commitment to the enforcement of HIPAA rights of access against covered entities and demonstrates the potential high cost covered entities can face for noncompliance with these requirements.  Like the 52 prior enforcement actions, the OHSU penalty warns health plans and other covered entities to confirm their compliance to avoid incurring similar liabilities.

Thie HIPAA Privacy Rule’s ”Right of Access” provisions require covered entities give requesting individuals or their personal representatives with timely access to requested protected health information.  Generally, this means the covered entity must provide protected health information access within 30 days, with the possibility of one 30-day extension if certain requirements are met.  HIPAA also prohibits covered entities from charging more than a reasonable, cost-based fee for this record access. This requirement is in addition to any otherwise applicable duty to provide timely access to records imposed by otherwise applicable laws such as rules applicable to health plans and health insurers covered by the adverse benefit determination rules of the Patient Protection and Affordable Care Act (“ACA”) or the Employee Retirement Income Security Act of 1974 (“ERISA”) or health insurers or health care providers under applicable state medical privacy and records laws state insurance laws, and health care providers under applicable state medical practice laws The Privacy Rule also contains specific rules for determining the allowable fees, which typically are more restrictive than often concurrently applicable state laws applicable to health care providers or insurers. 

Covered entities also should recognize that covered entities violating the right of access rule face a high likelihood of enforcement by OCR. Patients and other individuals and their personal representatives typically are well informed about their access rights due to HIPAA’s notice of privacy practices and posting requirements. Since right of access violations are one of the most common complaints and OCR frequently finds violations when investigating these complaints,

The $200,000 civil monetary penalty against OHSU along with the undisclosed legal fees and other expenses it incurred in responding to the investigation and enforcement action show the HIPAA liability covered entities can incur for violating the right of assess rule. In September 2024, OCR issued a Notice of Proposed Determination seeking to impose a $200,000 civil monetary penalty. OHSU waived its right to a hearing and did not contest OCR’s imposition of a civil monetary penalty. Accordingly, in December 2024, OCR imposed the $200,000 civil monetary penalty against OHSU in a December 2024 Notice of Final Determination. The OHSU civil monetary penalty arose from OCR’s investigation of a second complaint filed by an individual’s personal representative in January 2021 from the individual’s personal representative.  The complaint was one of two OCR received on this matter. In September 2020, OCR resolved the first complaint received in May 2020 after OCR notified OHSU of its potential noncompliance with the Privacy Rule Right of Access provisions.  Although OHSU provided part of the requested records in April 2019, OHSU did not provide all of the requested records in August 2021.  This was 16 months after the first request for records in April 2019 and nearly a year after OCR previously warned OHSU about its HIPAA obligations in response to the initial complaint. Based on these findings, OCR determined OHSU violated the right of access rule by failing to take timely action in response to the right of access requests.

Along with showing the importance of overall timely compliance with the right of access rule, the OHSU civil monetary penalty also shows covered entities the importance of promptly and completely correcting any violation and their causes that results in a failure by the covered entity (including an employee or business associate responsible for responding to requests) has violated the right of access rule. OCR’s right of access rule investigation and enforcement history against covered entities, including the original complaint against OHSU, demonstrates that OCR seeks settlement with substantially smaller or even no financial payment required if the covered entity promptly and completely fixes the violation in response to OCR’s notice and technical assistance.  

The author of this update, Cynthia Marcotte Stamer is an American College of Employee Benefits Counsel Fellow and attorney board certified in Labor and Employment Law by the Texas Board of Legal Specialization, nationally known and celebrated for her experience providing advice and representation on HIPAA and other risk management and compliance to employers and other health plan sponsors, health plans, health plan fiduciaries and administrators, health and other insurers, third party administrators, health care and other managed care providers and organizations, human resources and health plan technology, and other businesses about health plan design, administration, and other compliance, risk management and operational matters. If you have questions or need advice or help evaluating or addressing these or other compliance, risk management, or other concerns, contact her.

For More Information

We hope this update is helpful. For more information about these or other health or other employee benefits, human resources, or health care developments, please contact the author, Cynthia Marcotte Stamer, via e-mail or telephone at (214) 452-8297.

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation; Cynthia Marcotte Stamer is an attorney board certified in labor and employment law by the Texas Board of Legal Specialization, management consultant, author, public policy advocate and lecturer sought out by clients and industry and government leaders for her more than 35 years of health, insurance, employment and employee benefits and other industry management work, thought leadership, public policy and regulatory affairs advocacy, coaching, teaching, and publications on health and other employee benefits, health care, insurance, workforce and other risk management and compliance.

Along with her decades of legal and strategic consulting experience, Ms. Stamer also contributes her leadership and experience to many professional, civic and community organizations. Along with currently serving as Co-Chair of the ABA Real Property Trusts and Estates (“RPTE”) Section Welfare Plan Committee, Co-Chair of the ABA International Section International Employment Law Committee and its Annual Meeting Program Planning Committee, Chair Emeritus and Vice Chair of the ABA Tort Trial and Insurance (“TIPS”) Section Medicine and Law Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee, her previous ABA leadership roles include more than a decade of service as a Scribe for the Joint Committee on Employee Benefits (“JCEB”) annual agency meetings with the Department of Health and Human Services and JCEB Council Representative, International Section Life Sciences Committee Chair, RPTE Section Employee Benefits Group Chair and a Substantive Groups Committee Member, Health Law Section Managed Care & Insurance Interest Group Chair, as TIPS Section Medicine and Law Committee Chair and Employee Benefits Committee and Workers Compensation Committee Vice Chair, Tax Section Fringe Benefit Committee Chair, and in various other ABA leadership capacities. Ms. Stamer also is a former Southwest Benefits Association Board Member and Continuing Education Chair, SHRM National Consultant Board Chair and Region IV Chair, Dallas Bar Association Employee Benefits Committee Chair, former Texas Association of Business State, Regional and Dallas Chapter Chair, a founding board member and Past President of the Alliance for Healthcare Excellence, as well as in the leadership of many other professional, civic and community organizations. She also is recognized for her contributions to strengthening health care policy and charitable and community service resolving health care challenges performed under PROJECT COPE Coalition For Patient Empowerment initiative and many other pro bono service involvements locally, nationally and internationally.

Ms. Stamer is the author of many highly regarded works published by leading professional and business publishers, the ABA, the American Health Lawyers Association, and others. Ms. Stamer also frequently speaks and serves on the faculty and steering committee for many ABA and other professional and industry conferences and conducts leadership and industry training for a wide range of organizations.

For more information about Ms. Stamer or her health industry and other experience and involvements, see http://www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press™

Solutions Law Press™ provides health care, insurance, human resources and employee benefit, data and technology, regulatory and operational performance, and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education. These include extensive resources on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press™ resources or training.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or an admission. Solutions Law Press and its authors reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often rapidly evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. Solutions Law Press and its authors disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2025 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press.™ For information about licensing for republication, please contact the author directly. All other rights reserved

Comments Off on $200,000 OCR Penalty Warns Health Plans and Other HIPAA Entities To Timely Provide Records | Corporate Compliance, health Care, Health Plans, HIPAA, HIPAA, insurers | Tagged: , , , , | Permalink
Posted by Cynthia Marcotte Stamer

IRS Allows All Health Plans To Use Website To Fulfill ACA Annual Minimum Essential Coverage Statement Requirement

March 3, 2025

New Guidance Broadens Availability Of Website Alternative To All Health Plans

All health insurers and health plan administrators can now fulfill their obligation under the Patient Protection and Affordable Care Act (“ACA”) to send annual minimum essential coverage statements (“MEC Statements”) by timely posting a notice of the availability of the statements in lieu of providing the MEC statements by sending Internal Revenue Service (“IRS”) Forms 1095-B and 1095-C” to covered persons under guidance issued in IRS Notice 2025-15 on February 21, 2025.As part of the ACA minimum essential coverage mandates, Internal Revenue Code (“Code”) Section 6055 generally requires each health plan providing minimum essential coverage to any individual during a calendar year to notify the covered person named on an application who enrolls one or more individuals in the minimum essential coverage a statement that identifies each covered individual and the individual’s months of coverage. See Treas. Reg. § 1.6055–1(b)(11). While Section 6055 sets the statutory deadline to provide the MEC Notice as the January 31 immediately following the close of the plan year when the plan provides the coverage, Treasury Regulation § 1.6055-1(g)(4) provides an automatic 30-day extension of time in which to furnish these statements. As a result, covered health plans and health insurers must fulfill the annual MEC Statement requirement within 61 days of the close of the calendar year to which the MEC statement applies.

Internal Revenue Service (“IRS”) regulations generally require health plans to use Forms 1095-B and 1095-C to provide the MEC Statement to responsible individuals unless the health plan qualifies under Treasury Regulation § 1.6055-1(g)(4)(ii)(B) to provide the statement in the “alternative manner” of a qualifying website posting described in that Regulation.

Before February 21, 2025, Treasury Regulation § 1.6055-1(g)(4)(ii)(B) only allowed health plans to use the website posting alternative to fulfill their MEC Statement obligations if the individual shared responsibility payment amount under Code section 5000A(c) for the calendar year in which minimum essential coverage is provided is zero. Under IRS Notice 2025-15, however, all health plans and health insurers are permitted to use the alternative manner of a website posting to fulfill the MEC Statement mandate for all post-2023 plan years including the 2024 calendar notices without regard to the amount of the individual shared responsibility payment.

Health plans and health insurers wishing to use the to use the “alternative manner” of a website posting in lieu of Forms 1095-B and 1095-C to fulfill the MEC Statement requirement for 2024 or a subsequent calendar year must post in a location reasonably accessible to all responsible individuals a clear and conspicuous notice stating that responsible individuals may receive a copy of their statement upon request. Additionally, if an individual requests a statement, the health plan must deliver the requested statement within 30 days of the date the health plan receives the request.

The author of this update, Cynthia Marcotte Stamer is an American College of Employee Benefits Counsel Fellow and attorney board certified in Labor and Employment Law by the Texas Board of Legal Specialization, with decades of experience advising employers and other health plan sponsors, health plans, health plan fiduciaries and administrators, health and other insurers, third party administrators, managed care organizations, health plan technology, and other businesses about health plan design, administration, and other compliance, risk management and operational matters. If you have questions or need advice or help evaluating or addressing these or other compliance, risk management, or other concerns, contact her.

For More Information

We hope this update is helpful. For more information about these or other health or other employee benefits, human resources, or health care developments, please contact the author, Cynthia Marcotte Stamer, via e-mail or telephone at (214) 452-8297.

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation; Cynthia Marcotte Stamer is an attorney board certified in labor and employment law by the Texas Board of Legal Specialization, management consultant, author, public policy advocate and lecturer sought out by clients and industry and government leaders for her more than 35 years of health, insurance, employment and employee benefits and other industry management work, thought leadership, public policy and regulatory affairs advocacy, coaching, teaching, and publications on health and other employee benefits, health care, insurance, workforce and other risk management and compliance.

Along with her decades of legal and strategic consulting experience, Ms. Stamer also contributes her leadership and experience to many professional, civic and community organizations. Along with currently serving as Co-Chair of the ABA Real Property Trusts and Estates (“RPTE”) Section Welfare Plan Committee, Co-Chair of the ABA International Section International Employment Law Committee and its Annual Meeting Program Planning Committee, Chair Emeritus and Vice Chair of the ABA Tort Trial and Insurance (“TIPS”) Section Medicine and Law Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee, her previous ABA leadership roles include more than a decade of service as a Scribe for the Joint Committee on Employee Benefits (“JCEB”) annual agency meetings with the Department of Health and Human Services and JCEB Council Representative, International Section Life Sciences Committee Chair, RPTE Section Employee Benefits Group Chair and a Substantive Groups Committee Member, Health Law Section Managed Care & Insurance Interest Group Chair, as TIPS Section Medicine and Law Committee Chair and Employee Benefits Committee and Workers Compensation Committee Vice Chair, Tax Section Fringe Benefit Committee Chair, and in various other ABA leadership capacities. Ms. Stamer also is a former Southwest Benefits Association Board Member and Continuing Education Chair, SHRM National Consultant Board Chair and Region IV Chair, Dallas Bar Association Employee Benefits Committee Chair, former Texas Association of Business State, Regional and Dallas Chapter Chair, a founding board member and Past President of the Alliance for Healthcare Excellence, as well as in the leadership of many other professional, civic and community organizations. She also is recognized for her contributions to strengthening health care policy and charitable and community service resolving health care challenges performed under PROJECT COPE Coalition For Patient Empowerment initiative and many other pro bono service involvements locally, nationally and internationally.

Ms. Stamer is the author of many highly regarded works published by leading professional and business publishers, the ABA, the American Health Lawyers Association, and others. Ms. Stamer also frequently speaks and serves on the faculty and steering committee for many ABA and other professional and industry conferences and conducts leadership and industry training for a wide range of organizations.

For more information about Ms. Stamer or her health industry and other experience and involvements, see http://www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press™

Solutions Law Press™ provides health care, insurance, human resources and employee benefit, data and technology, regulatory and operational performance, and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education. These include extensive resources on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press™ resources or training.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or an admission. Solutions Law Press and its authors reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often rapidly evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. Solutions Law Press and its authors disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2025 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press.™ For information about licensing for republication, please contact the author directly. All other rights reserved.

Comments Off on IRS Allows All Health Plans To Use Website To Fulfill ACA Annual Minimum Essential Coverage Statement Requirement | ACA, Affordable Care Act, Corporate Compliance, employee, Employee Benefits, Employer, Employers, ERISA, Health Benefits, health insurance, health insurance marketplace, health plan, Health Plans, Premium Subsidies, Reporting & Disclosure | Tagged: , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

Stamer To Discuss Emerging Health and Disability Litigation Trends To Watch In January 17 Virtual Welfare Benefit Plan Update

January 14, 2025

Solutions Law Press publisher and attorney Cynthia Marcotte Stamer will discuss tobacco cessation class actions, health plan PBM, excessive fee, antitrust and other selected emerging health and disability plan litigation trends to watch in 2025 as part of the Welfare Plan Update at the American Bar Association Real Property, Probate and Trust Section Employee Plans and Executive Compensation Group will host during its free committee call on January 17, 2025, at 11:30 AM Central Time.

Along with Ms. Stamer’s comments, the Update also will include updates on the mental health partiy final rules and implications of the January 1, 2025 expiration of high deductible health plan telemedicine relief by her fellow Welfare Benefit Committee Co-Chair Jacquelyn M. Abbott and Committee Vice Chair Julia Mader.

Members interested in the meeting are invited to use the following Zoom credentials to connect to the meeting:

Join Zoom Meeting Link:  https://americanbar.zoom.us/j/93409339280?pwd=aQcwUtePdkKni1943AJ4UjIaac6F5v.1

Meeting ID: 934 0933 9280, Passcode: 602434

One tap mobile

+13092053325,,93409339280# US

+13126266799,,93409339280# US (Chicago)

About Cynthia Marcotte Stamer

Board Certified in Labor and Employment Law by the Texas Board of Legal Specialization and a Fellow in the American College of Employee Benefits Counsel, Stamer is recognized for her decades of work on leading edge employee benefits, employment, health care and insurance concerns with recognition as a Martindale Hubble “Top Rated Lawyer” and “Legal Leader” in Health Care and Labor and Employment Law; as among the D Magazine “Best Lawyers In Dallas” in Labor & Employment, Tax: ERISA & Employee Benefits,  Health Care and Business and Commercial Law.

Stamer has more than 35 years of experience guiding employers, health and other employee benefit and insurance programs and their fiduciaries, managed care, TPAs, PBMs, health care clearinghouses and their service providers; and other managed care and other health and health plan industry clients on program, product, systems and process design, administration, and defense; government and regulatory investigations and affairs; HIPAA and other data and systems privacy, cybersecurity and other integrity; workforce and other service provider credentialing, contracting, and management; government and private investigations, disputes, audits and enforcement; and other compliance, risk management and operations concerns in a wide range of contexts. Her work, and the interests of her clients are enhanced by her continuous involvement in federal and state legislative advocacy, regulatory affairs and government relations on these and other related concerns throughout her career.

In the course of this work, Stamer frequently advises and represents and defends health and other employee benefit plans, their fiduciaries, third party administrators, brokers, insurers, trustees and other plan service providers, debtor plan sponsors and their leaders, auditors, creditors and creditor committees, bankruptcy trustees, on prevention and mitigation of claims, fiduciary, licensing, prompt pay and other contractual, regulatory and other risks and liabilities arising from underfunded or distressed companies and employee benefit plans.  She also advises employers, their boards, investors and management, third party administrators, preferred provider organizations, insurers and other plan service providers and others in fiduciary, claims and other audits, investigations and enforcement actions by private litigants, the Department of Labor, Department of Health & Human Services, Internal Revenue Service, Department of Justice, Federal Trade Commission, state insurance, attorneys’ general or other regulator, contractual arising out of workforce and staffing, employee benefit and insurance practices and programs in ongoing operations, corporate or credit transactions, bankruptcy or other situations and serves as special or consulting counsel for bankruptcy and other human resources, benefits, insurance, health care and regulatory compliance and investigation concerns. Stamer also counsels, represents and defends third party administrators, preferred provider and other managed care organizations, brokers and other regulated parties in state insurance and other regulators notice and reporting, investigations, audits, discipline and other enforcement actions.

Past Chair of the ABA RPTE Employee Benefit and Other Compensation Group, the Health Law Section Managed Care and Insurance Interest Group, and the Tort Trial and Insurance Section Medicine and Law Committee, Stamer also contributes her experience and knowledge by serving as Scribe for the American Bar Association (“ABA) Joint Committee on Employee Benefits (“JCEB”) annual agency meeting with the Department of Health and Human Services as well as a leader of employee benefits, human resources, health as an industry thought leader, Stamer also publishes and speaks extensively on health and other employee benefits, compensation, workforce, health care and related regulatory compliance and risk management matters.Her insights on these and other matters appear in publications of the American Bar Association, Bloomberg/BNA, Modern Healthcare, Aging In Place, Spencer Publications, the Wall Street Journal, the Dallas Business Journal, the Houston Business Journal, and many other national and local publications. For additional information about Stamer, her speaking, legal, consulting and other experience and services, or to access other publications by Stamer see CynthiaStamer.com or contact Stamer directly via e-mail or telephone (214) 452-8287.

For more details about the Real Property Probate and Trust Section Employee Benefits and Other Compensation Committee or other employee benefits related committees and activities of the American Bar Association, see the American Bar Association website here.

To receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here and connect with Stamer on Linkedin. For important information concerning this communication click here.  If you do not wish to receive these updates in the future, unsubscribe by updating your profile here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides health care, insurance, human resources and employee benefit, data and technology, regulatory and operational performance, and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education. These include extensive resources on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources. 

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often rapidly evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. The author and Solutions Law Press, Inc. disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS.  ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.

©2025 Cynthia Marcotte Stamer, P.C. Non-exclusive limited license to republish granted to Solutions Law Press, Inc.

Comments Off on Stamer To Discuss Emerging Health and Disability Litigation Trends To Watch In January 17 Virtual Welfare Benefit Plan Update | ACA, Claims Administration, Corporate Compliance, Disability, Disability Plans, EBSA, employee, Employee Benefits, Employer, Employers, ERISA, Fiduciary Responsibility, Fringe Benefits, health benefit, Health Benefits, health Care, health insurance, Health Plans, Managed Care | Tagged: , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

HHS Grants Limited Southern California Fire Limited Disaster Relief

January 10, 2025

Health plans and insurers, health care providers and other Southern California organizations impacted by the California fires may qualify for temporary waivers or modification of certain Department of Health and Human Services (“HHS”) regulatory requirements under the Declarations of a Public Health Emergency (“PHE”) published by HHS today.

The relief provided by the PHE includes:

An extensive list of resources and guidance to help health plans, health care providers and others to understand and cope with HHS requirements in disaster or other emergency situations such as:

Health plans and other regulated entities impacted by the fire or other disasters should carefully review this guidance to understand the scope and availability of the current relief. Additionally, health plans, health care providers, business associates and other HHS-regulated entities and providers not currently impacted by today’s or another public health emergency declaration should use this guidance to plan and adopt policies and arrangements in advance of a disaster to provide for their continued ability to fulfill HHS regulatory obligations in the event of an emergency.

Health plans and other HHS-regulated entities should keep in mind the limited duration and scope of the relief provided by this PHE or any other HHS public health emergency declaration. Entities planning to rely on the PHE relief must review the scope, conditions and duration requirements and ensure their ability to defend their continued compliance taking into account these limited waivers and modifications.

Also the PHE guidance documents are not a final agency action, do not legally bind persons or entities outside the Federal government, and may be rescinded or modified in the Department’s discretion. Noncompliance with any voluntary standards (e.g., recommended practices) contained in these documents will not, in itself, result in any enforcement action.

Furthermore, health plans and other HHS regulated entities typically face a myriad of responsibilities beyond those imposed by the HHS. Health plans and other regulated entities should check other agencies disaster declaration webpages to determine whether the agency has issued any specific relief impacting their emergency in response to the broader disaster declaration issued by the Administration. Except to the extent covered by other declared disaster relief, coverage by or compliance with the HHS PHE guidance and policies does not insulate the health plan from potential liability for violating the requirements of the Employee Retirement Income Security Act or other laws creating responsibilities to plan members, providers, the Employee Benefit Security Administration or other agencies or parties other than HHS with respect to the HHS regulatory obligations for which the specific relief is provided in the PHE declaration. Accordingly, health plans, their fiduciaries, plan sponsors and service providers are urged to take necessary steps before, during and after any disaster to position themselves to demonstrate fulfillment of duties of prudence and other applicable responsibilities.

The author of this update, Cynthia Marcotte Stamer is an American College of Employee Benefits Counsel Fellow and attorney board certified in Labor and Employment Law by the Texas Board of Legal Specialization, who has decades of experience advising health care providers, health plans and insurers, third party administrators, managed care and other health care payers and providers, technology, and other businesses about crisis preparedness and response and other compliance, risk management and operational matters. If you have questions or need advice or help evaluating or addressing these or other compliance, risk management, or other concerns, contact her. 

For More Information

We hope this update is helpful. For more information about these or other health or other employee benefits, human resources, or health care developments, please contact the author, Cynthia Marcotte Stamer, via e-mail or telephone at (214) 452-8297.

Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for her more than 35 years of health, insurance, employment and employee benefits and other industry management work, public policy leadership and advocacy, coaching, teachings, and publications including leading-edge work on crisis preparedness, response and recovery.

Author of many highly regarded compliance and risk management tools, training and other resources on health and other employee benefits, health care, insurance, workforce and other risk management and compliance, Ms. Stamer is widely recognized for her thought leadership and advocacy on these matters.  

In addition, Ms. Stamer serves as a Scribe for the American Bar Association (“ABA”) Joint Committee on Employee Benefits annual agency meetings with OCR and shares her thought leadership as International Section Life Sciences Committee Vice Chair, and a former Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. 

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides health care, insurance, human resources and employee benefit, data and technology, regulatory and operational performance, and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education. These include extensive resources on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources. 

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often rapidly evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. The author and Solutions Law Press, Inc. disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2025 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.

Comments Off on HHS Grants Limited Southern California Fire Limited Disaster Relief | Corporate Compliance, Employer, Employers, health benefit, Health Benefits, health Care, Health Care Fraud, health insurance, health insurance marketplace, Health Plans, HIPAA, HR, Human Resources | Tagged: , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

2025 Surprise Billing Fees Unchanged But Clear Cache Weekly To Stay Updated

December 27, 2024

2025 surprise billing independent dispute resolution fees applicable to health plans, health insurers and health care providers will remain are holding steady.

On December 27, 2024, the Department of Health and Human Services (“HHS”), the Department of Labor (“DOL”), and the Department of the Treasury (collectively, the “Departments”) updated the No Surprises Act (NSA) website to reflect updated certified IDR entity fees in accordance with the Federal Independent Dispute Resolution (IDR) Process Administrative Fee and Certified IDR Entity Fee Ranges Final Rule (IDR Fees Final Rule).

The IDR Fees Final Rule, effective as of January 22, 2024, set forth the 2024 IDR entity fee ranges. The Departments announced these fees will remain unchanged for 2025.

The 2025 IDR entity fees now published on the NSA website are effective for disputes initiated on or after January 1, 2025. For these disputes, the administrative fee amount is $115 per party per dispute, and the certified IDR entity fee ranges are $200-$840 for single determinations and $268-$1,173 for batched determinations. The website now includes information on the fee set by each certified IDR entity within these ranges.

Along with confirming the 2025 fees, the Departments caution plans and providers to monitor the website for updates to the IDR web form to accommodate guidance-related and system enhancements. The Departments ask plans and providers who have initiated an IDR dispute previously, to clear their computer’s cache or open the IDR initiation web form in a private or incognito window at least once a week to see all the new features. The Departments warn to clear the cache or open this form in private/incognito mode could result in additional follow-up with certified IDR entities or system errors.

The author of this update, Cynthia Marcotte Stamer is an American College of Employee Benefits Counsel Fellow and attorney board certified in Labor and Employment Law by the Texas Board of Legal Specialization, who has decades of experience advising health plans and insurers, third party administrators, managed care and other health care payers and providers with surprise billing and other claims, payment and other design, administration, regulatory and other enforcement, dispute resolution, compliance, risk management and operational matters. If you have questions or need advice or help evaluating or addressing these or other compliance, risk management, or other concerns, contact her. 

For More Information

We hope this update is helpful. For more information about the  or other health or other employee benefits, human resources, or health care developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452-8297.

Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for her more than 35 years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications including leading edge work on workforce and other risk management and compliance.

Ms. Stamer’s work throughout her career has focused heavily on working with businesses domestically and internationally on employment, benefits, Federal Sentencing Guidelines and other workforce management, regulatory and public policy and other legal and operational concerns.  

Author of many highly regarded compliance, training and other resources on health and other employee benefits, health care, insurance, workforce and other risk management and compliance, Ms. Stamer is widely recognized for her thought leadership and advocacy on these matters.  

In addition, Ms. Stamer serves as a Scribe for the American Bar Association (“ABA”) Joint Committee on Employee Benefits annual agency meetings with OCR and shares her thought leadership as International Section Life Sciences Committee Vice Chair, and a former Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. 

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources. 

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstance at the particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often rapidly evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. The author and Solutions Law Press, Inc. disclaim and have no responsibility to provide any update or otherwise notify anyone of any  fact or law specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2024 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.

Comments Off on 2025 Surprise Billing Fees Unchanged But Clear Cache Weekly To Stay Updated | Claims, Claims Administration, compliance, Consumer Protection, Direct Primary Care, Employee Benefits, Employer, Employers, ERISA, Fiduciary Responsibility, group health plan, health benefit, Health Benefits, health Care, Health Care Fraud, health insurance, health insurance marketplace, health plan, Health Plans, Human Resources, Managed Care, Surprise Billing, Tax, Technology | Tagged: , , , | Permalink
Posted by Cynthia Marcotte Stamer

Workforce Strategies For Avoiding Holiday Liability Hangovers

November 27, 2024

With this week’s Thanksgiving celebrations kicking off the 2024 year-end holiday festivities, wise businesses will proactively act to reduce the risk that their business will start 2025 with a post-holiday workforce liability hangover. 

Responsibly managed, company-sponsored and other social celebrations and activities can promote team building, morale, goodwill and other rewards.  However, holiday celebrations, staffing disruptions, behaviors and their fallout also can often create attendance, discipline, compliance, safety and other legal and operational responsibilities, risks and costs. Wise business leaders act proactively to mitigate these risks as the nation enters holiday season begins.

Health & Safety

Gatherings, food, game playing, toasting with alcohol, travel and other aspects of company-sponsored and off-duty celebrations can enhance usual or create new accident and illness risks. Holiday socialization, presentism, distractions, staffing disruptions, operational changes and other factors can increase illness and accident risks. Injuries and illnesses suffered on or off the job can create added occupational health and safety and worker’s compensation responsibilities, costs and liabilities, disrupt staffing and productivity, and fuel health care, medical leave, disability, worker’s compensation and other responsibilities and expenses long after the holiday season ends. To help workers enjoy the Holidays safely and avoid these business costs and disruptions, businesses should confirm that their occupational health, safety and injury policies, practices, and staffing fulfill applicable occupational health and safety and workplace accident and injury laws, as well as consider encouraging workers to follow good health and safety practices on and off the job throughout the holiday season. 

Employers generally have a duty of care under the Occupational Safety and Health Act (“OSH Act”) and other occupational health and safety laws to provide a safe work environment.  The OSH Act requires businesses to recognize and take appropriate steps to keep their workplaces safe. The OSH Act, worker’s compensation, leave and other laws. OSH Act and other workplace safety laws generally require employers to promptly report and investigate workplace accidents and injuries, ensure workers receive timely treatment, and trigger occupational injury and other leave and other duties.

Workplace injuries resulting from unsafe workplace conditions generally trigger expensive penalties and damages, in addition to worker’s compensation or other occupational injury coverage liabilities.  The holiday season often exacerbates or adds to the ongoing challenges employers face in maintaining workplace safety and responding to workplace injuries and accidents. Some common sources of additional risks associated with the holiday season include decreased oversight from management holiday absences, heightened worker fatigue and distraction, demand-driven, vacation or illness-related understaffing, expanded use of temporary or contract staffing, and holiday season-associated intoxication.  See Holiday Workplace Safety.  OSHA offers various recommendations to aid employers in recognizing and managing heightened workplace safety risks during the holiday season.  Keeping Workers Safe This Holiday Season.  To mitigate their risks from workplace injuries and accidents caused by safety violations and associated violations of investigation, reporting, benefit and other requirements, business leaders should ensure that their organizations identify and manage these additional risks, as well as ensure appropriate staffing and other arrangements are in place to ensure timely response, investigation and reporting of any workplace accidents or injuries during the holiday season.

With outbreaks of the flu, respiratory illnesses and other communicable or infectious diseases that spread from person to person common during the holidays, and holiday gatherings heightening the potential for transmission of the flu or other contagious diseases, businesses also should consider their responsibilities under the OSH Act or other laws to manage contagious disease exposures and spread.  For instance, health care and certain other industries may be subject to laws or regulations that impose specific requirements for preventing and responding to contagious diseases, many of which may have been added or changed since the COVID-19 pandemic.  Businesses should verify their policies meet or exceed current federal, state, local and contractual requirements as well as are designed to meet their business’ need to manage other contagious disease costs, absences and other disruptions.

Whether or not a business is subject to specific contagious disease management mandates, all businesses generally will benefit from reviewing and communicating their existing contagious disease and related leave and other workforce policies to workers and management to help protect their operations against the costs, operational disruptions and liabilities that often result from contagious disease outbreaks within their workplace. To enhance efforts to deter worker injuries and illnesses, businesses should consider using free resources like the Centers for Disease Control’s Healthy Habits to Prevent Flu and 8 Tips for a Safe and Healthy Holiday Season flyers, workplace posters, payroll stuffers and other communications to remind workers and their families to follow best safety and contagious disease prevention practices during the holidays.

Along with encouraging workers to stay healthy and safe during the Holidays, businesses should also consider providing documented reminders and take other steps to encourage workers to provide timely notice of illnesses and injuries and verify appropriate management coverage and arrangements to ensure that management team absences don’t disrupt the business’ timely delivery of Family and Medical Leave Act, occupational injury and other notifications, coverage for absences, provision of benefits, and other performance of other responsibilities in response to injury and illness reports despite holiday associated absences or hours of operation impacting the employing business or its responsible vendors.

Businesses also should verify their workplace safety, contagious disease and leave policies are designed and administered to prevent and mitigate exposure for unlawful OSH Act and worker’s compensation retaliation, disability discrimination against legally protected employees with chronic or other disabilities under the Americans with Disabilities Act (“ADA”), denial of leave or other violations of the Family and Medical Leave Act leave, notice and other requirements; and ADA and other privacy and confidentiality laws.

Alcohol & Other Conscious Altering Substance Consumption

The increased prevalence of holiday season celebrations and vacations often fuels an increase in consumption of alcohol, marijuana, and other consciousness-altering substances. This consumption can fuel a host of risks and headaches for businesses. Businesses concerned about these risks should act proactively to mitigate these risks.

When addressing business-related alcohol consumption, many businesses will want to consider not only alcohol and other conscious altering consumption at business-related events as well as potential costs that may arise from off-duty excess alcohol consumption. Whether resulting from on or off-duty consumption, excess alcohol, marijuana or other conscious altering consumption, whether on or off duty, can undermine productivity, create attendance and discipline issues, and fuel a host of other risks even when it does not result in a specific accident or injury.

Impaired judgment from alcohol or other intoxication in the workplace or at other events often fuels or contributes to employees or others exhibiting or subjecting employees to inappropriate sexual advances or other discriminatory statements, violent behavior, suicidal behavior or other problematic conduct requiring workplace investigations and discipline.

Most businesses also recognize that accidents caused by alcohol or other intoxication at work or work-related functions create substantial liability exposures for the company under the OSH Act and other occupational safety laws, as well as to workers and any third parties injured by a drunken employee, business associate, client or guest.   

Businesses risk “dram shop” or other claims or other liability if employees or guests impaired by alcohol or other substances consumed at company-sponsored or associated events or operating company vehicles or equipment injure others.

Beyond this third-party liability, businesses also may incur significant worker’s compensation, health or disability benefit-related benefit costs if an employee is injured or injures another worker in an alcohol-related accident.   

The potential headaches are even greater where the business is a health care, education, automobile sales, trucking and other transportation, or another business subject to or that has voluntarily adopted specific drug and alcohol-free, drug and alcohol testing and other related regulatory or contractual requirements. Businesses subject to these requirements should ensure appropriate arrangements for timely drug and alcohol testing, reporting, and other compliance with these requirements during the holiday season to avoid regulatory or contractual penalties for noncompliance. Companies administering substance abuse testing must comply with applicable mandates while also ensuring that their processes incorporate appropriate protocols to comply with disability discrimination, accommodation and confidentiality requirements of the Americans With Disabilities Act (“ADA”). See, e.g., ADA May Require Employers To Accommodate Employees Testing Positive For Legally Prescribed Medications

 Also, because workers engaged in these industries generally risk loss of licensure, certification or other credentials required to perform their jobs for engaging in or failing to report certain alcohol or substance-related offenses or conduct, even off-duty consumption can create staffing headaches for an employer if a worker becomes temporarily or permanently disqualified to work as a result of a substance-related infraction. Consequently, businesses in industries affected by these heightened requirements have a heightened interest in educating and reminding workers to behave legally and responsibly when deciding if and when to consume alcohol or other conscious-altering substances.

Accordingly, virtually all businesses can benefit from encouraging employees to be responsible when consuming alcohol in both business and non-business functions and in planning and hosting holiday functions. 

Businesses that serve alcohol at company functions or anticipate that employees will attend other business functions where alcohol will be served need to consider the potential liability risks that may result if the alcohol-impaired judgment of an employee or other guest causes him to injure himself or someone else.  A company anticipates an employee or guest might consume alcohol at a company-sponsored or another business event and should adopt and enforce clear policies to prohibit and prevent individuals from over-imbibing and from driving under the influence.  Many businesses also find it beneficial to suggest, require or offer at company expense alternate transportation for employees to use when leaving a company or business-related event where the employee consumed alcohol. 

Businesses concerned with these liability exposures should take steps to manage the potential risks that commonly arise when employees, clients or other guests consume alcohol at company-sponsored events or while attending other business-associated festivities. To minimize these risks at company-sponsored events, many companies elect not to serve or limit alcohol consumed by workers and served to guests at company sponsored events and other business functions.

To help prevent intoxication from fueling inappropriate behavior at company celebrations where alcohol might be consumed or present, businesses, at a minimum, should remind employees that company policies prohibiting intoxication apply to company-sponsored social and business events.  Some practical tips for hosting safe holiday gatherings include:

  • Management and other leaders should communicate expectations and set a good example.
  • Reduce opportunities for intoxication by prohibiting or restricting and monitoring the amount of alcohol available and served.
  • Offer a plentiful supply of a variety of nonalcoholic drinks—water, juices, sparkling sodas. Nonalcoholic drinks provide guests with alternatives to alcohol.  They also may help counteract the dehydrating effects of alcohol, slow the rate of alcohol absorption into the body and may reduce the peak alcohol concentration in the blood.
  • Provide a variety of healthy foods and snacks. Food consumption can slow the absorption of alcohol and reduce the peak level of alcohol in the body by about one-third. Food can also minimize stomach irritation and gastrointestinal distress the following day.
  • Encourage guests to help keep each other safe by monitoring and assign a team to monitor attendees for potential overconsumption or other signs of intoxication.  With appropriate pre-consumption notification to attendees, some businesses even require or encourage attendees consuming alcohol to take a breathalyzer test before departure to minimize the risk that an intoxicated guest will be arrested or involved in an accident after departing the party.
  • Help your guests get home safely by arranging reliable transportation by using designated drivers and taxis. Anyone getting behind the wheel of a car should not have ingested any alcohol.

Because holiday-associated alcohol consumption and other stresses also tend to fuel increased depression, domestic violence and other stress-associated behaviors, many businesses also find it beneficial to redistribute information about employee assistance programs (EAPs).

Businesses also may want to review the adequacy of existing health, disability, accident and dismemberment, group legal services and other benefit programs, liability insurance coverage and employment policies to protect and promote the company’s risk management and workforce coverage objectives.  Businesses can experience unfortunate surprises if they don’t anticipate the implications of these provisions on their employment policies, leave and benefit, safety and other workplace programs and liability insurance and indemnification obligations and costs. Maintaining and reminding workers about policies regarding alcohol consumption or intoxication, accident and traffic offense notifications, privacy waivers, or other policies enhancing accident investigation and response, or other strategic policies can help deter and facilitate investigation and response to on and off-duty accidents or other risk-creating events. 

Many employee assistance (“EAP”) health and disability programs incorporate special provisions affecting injuries arising from inappropriate alcohol use as well as offer coverage and benefits to aid employees and family members affected by mental health or substance abuse-related conditions. Changes in regulatory mandates and expanded enforcement of federal group health plan mental health and substance abuse coverage mandates make it important to ensure that employment-based health coverage complies with these requirements. Similarly, many businesses increasingly qualify for preferential rates or discounts on liability policies based upon representations that the business has in effect certain alcohol and drug use or other risk management policies and practices.  Reviewing these policies now to become familiar with any of these requirements and conditions can also be invaluable in helping a business respond effectively if an employee or guest is injured in an alcohol-related accident.

Discrimination & Harassment Liability Risks

Businesses should also manage exposures to religious, sex and other discrimination risks linked with the holiday season.   

Businesses should critically review their scheduling and other holiday season plans and practices for potential prohibited discrimination or other insensitivity. Businesses should use care to handle carefully requests for religious-based scheduling changes, particularly in light of changes in judicial precedent and regulations in recent years.  Leave policies should disclose policies for scheduling and holiday leave clearly and include appropriate, updated policies and procedures for requesting religious accommodation.  Companies also should consider seeking advice from legal counsel before denying a faith-based request for a schedule change in light of the latest guidance or recent court decisions precedent.

Business-sponsored or connected holiday or year-end parties, communications, gifts, and other December festivities and observances should be designed to reflect appropriate sensitivity to sexual harassment and religious and other cultural diversity risks.  Businesses should exhibit sensitivity and alert their workforce to their expectation that members of their workplace exhibit respect and sensitivity to differences in religious practices and observances among their employees, business associates and friends. Management and other workers should use care to plan social gatherings to be inclusive and to accommodate differences in cultural, religious and other differences. Businesses also should be sensitive to the potential that workers of alternative faiths may feel discriminated against if holiday observances focus unduly on a particular religion to exclude their faith.  Businesses also should use care to manage other discrimination exposures in the planning of holiday festivities, gift exchanges, and other activities. Businesses also should be vigilant in watching for signs of inappropriate patterns of discrimination in the selection of employees invited to participate in company-connected social events and off-duty holiday gatherings sponsored by managers and supervisors.

A good starting point is reminding employees, business partners and customers that the company expects employees, business partners and other guests to adhere to company rules against sexual harassment, religious and cultural and other inappropriate discrimination at company-sponsored and other gatherings involving other employees or business associates. Businesses also should remind employees that the company does not expect or require that employees submit to unwelcome sexual, religious, or other inappropriate harassment or discrimination when participating in parties or other social engagements with fellow employees, customers or other business partners and of the procedures to follow to report any concerning events.  Even a simple e-mail reminder to employees that the company expects them to be familiar with and comply with these policies and can help promote compliance and provide helpful evidence if an employee or other celebrant steps over the line.

To enhance the effectiveness of these reminders, a business should consider adopting and sharing specific guidance to educate workers about its policies, including examples to illustrate company-sponsored and other off-duty holiday-associated activities of particular concern. 

Businesses also should recognize that whether or not company-sponsored, the fraternization inherent in holiday parties and other celebrations where employees celebrate with other employees, clients, suppliers or other business associates can lower inhibitions and obscure the line between appropriate and inappropriate social and business behavior. With or without alcohol, some employees, clients or business associates may misinterpret the festive social atmosphere of holiday celebrations.  Some employees, clients or business associates make unwelcome sexual advances, make sexually suggestive or other inappropriate statements, or engage in other actions that expose the business to sexual harassment or other employment discrimination, harassment or retaliation liability. To help deter inappropriate or risky conduct, businesses should consider providing reminders that company prohibitions and rules about sexual harassment, discrimination, fraternization and other inappropriate conduct remain in effect during the holiday season, including when planning or attending holiday celebrations or other events hosted by the business, business partners and clients, and even private management sponsored events and observances.

Gift Giving, Gratuities & Social Entertainment

The exchange of social invitations, gifts and gratuities during the holiday season or at other times throughout the year also can raise various concerns. Businesses should adopt and communicate clear policies and procedures governing both giving and receiving social invitations, gifts, and other benefits.  Businesses should review applicable governmental regulations, contractual requirements, and customer and vendor policies for requirements that could impact the offering, receipt, reporting or other handling of gifts, social invitations or other activities. Businesses also should design policies to ensure that they collect and retain sufficient documentation from employees, officers, consultants, customers, and vendors to monitor compliance and other legal and operational risks associated with social entertainment, gifts, and other similar benefits, to report tax deductions and income arising from these activities appropriately, and to meet other compliance obligations. Businesses should review and update current business policies affecting social entertainment, gifting and other similar activities for opportunities to promote compliance and mitigate risks.

As with other holiday observances, all gifts, gratuities and social entertainment must adhere to applicable laws, regulations and company policies regarding bribery, conflict of interest or other inappropriate inducements or rewards. Companies should implement and enforce appropriate policies for the offering and provision of and recordkeeping and reporting of these perks.

Gifts, gratuities and entertainment practices also must not discriminate inappropriately based on sex, religion or other protected status and must reflect appropriate sensitivity to potential religious, sex, race, or other protected status. A business that anticipates workplace or work-connected private festivities might include white elephant or other gift exchanges may wish to specifically include a reminder to exercise care to avoid selecting a gift that may be sexually suggestive, insensitive to religious, cultural or other differences or otherwise offensive.   

Businesses also should confirm that all applicable tax implications arising from the giving or receiving of gifts are appropriately characterized, documented and reported in accordance with applicable tax, referral, conflict of interest and other requirements.

In addition to ensuring proper tax documentation and reporting, businesses also need to ensure and retain documentation of the propriety of invitations, gifts and other benefits.  Social entertainment and gift-giving activities intended to show appreciation or support marketing efforts can create significant legal or relationship risks if not properly tailored to avoid regulatory or contractual prohibitions or appearances of impropriety.  Government contractors, government officials, health care providers, nonprofits, public companies and an amazingly broad range of other entities often must comply with specific statutory, regulatory, contractual or ethical requirements affecting the giving or receiving of invitations, gifts or other preferences.  An ill-conceived social invitation, gift, or other benefit that violates these restrictions may expose both givers and recipients to legal prosecution, program disqualification and other serious legal risks. 

In addition to these externally imposed legal mandates, many businesses have established their own conflict of interest, social entertainment, gift giving or other policies to minimize the risk that employee loyalty or judgment will be comprised by gifts offered or received from business partners or other outsiders.  Employees, officers and contractors of businesses maintaining these policies may face termination or other significant discipline for violating these requirements.  Accordingly, businesses offering social invitations, gifts and other benefits to valued vendor or customer relationships risk must be sensitive to these organizationally imposed requirements. 

Timekeeping, Performance, Attendance & Time Off

Businesses also commonly face a range of year-end timekeeping, attendance and time off, pay, compensation and productivity concerns.  The winter cold and flu season and other post-celebration illnesses, vacations, and winter weather inevitably combine to fuel a rise in absenteeism and competing requests for time off during the holiday season.  Improperly designed or out-of-date timekeeping and reporting, leave and attendance, investigations, privacy and other workplace policies can exacerbate management of these challenges and their costs. Further complications can arise when dealing with employees suspected of mischaracterizing the reason for their absence or otherwise gaming the company’s time off policies. Meanwhile, performance and productivity concerns also become more prevalent as workers allow holiday shopping, personal holiday preparations, and other personal distractions to distract their performance. 

Managing staffing needs and tracking and administering timekeeping, overtime and other pay, paid and unpaid time off and other attendance, compensation and absence administration while maintaining compliance with legally protected or other legitimate requests for excused time off by employees can present major headaches for businesses and their management.  Recent changes in federal, state and local paid and other protected leave mandates add additional traps for the unprepared. Businesses concerned with these challenges ideally will review their policies and practices to ensure their organizations have in place well-designed policies and practices concerning timekeeping, overtime and other pay, attendance and time off, productivity and performance that comply with the Fair Labor Standards Act and other compensation, timekeeping, leave, reporting, investigations, privacy and other federal, state and local laws. Businesses should exercise care when addressing productivity and attendance concerns to investigate and document their investigation before imposing discipline. Businesses also should ensure that their policies are appropriately and even-handedly administered.  They also should exercise care to follow company policies, to maintain time records for non-exempt workers, to avoid inappropriately docking exempt worker pay, and to provide all required notifications and other legally mandated rights to employees taking medical, military or other legally protected leaves. In the event it becomes necessary to terminate an employee during December, careful documentation can help the business to defend this decision.  The increasing prevalence of worker classification challenges by federal and state agencies and plaintiff’s attorneys also makes it important for businesses to take steps to require and preserve access to documentation be able to demonstrate compliance with these and other applicable legal obligations by staffing and other contract labor suppliers.

Timely Investigation, Notification & Reporting

Businesses faced with allegations of discrimination, sexual harassment or other misconduct or potential business liabilities arising during holiday seasons should also take steps to ensure that appropriate staffing and other arrangements to ensure their organization’s ability to promptly investigate, if necessary, take appropriate corrective action to address complaints or other concerns arising during the holiday season around management or other time off. 

Delay in investigation or redress of accidents, discrimination or other concerns can increase the liability exposure of a business presented with a valid complaint and complicate the ability to defend charges that may arise against the business.  Additionally, delay also increases the likelihood that a complaining party will seek the assistance of governmental officials, plaintiff’s lawyers or others outside the corporation in the redress of his concern.

If a report of an accident, act of discrimination or sexual harassment or other liability related event arises, businesses should take steps to ensure that management responsible for responding to these and other occurrences are property trained or otherwise supported to carry out these responsibilities in an appropriate, defensible manner as well as to provide timely notification as needed to any government entities, contract partners, insurers, agencies or other parties.  Injuries occurring at company related functions often qualify as occupational injuries subject to worker’s compensation and occupational safety laws.  Data breaches and various other events may trigger notification or other disclosure obligations to meet statutory, contractual or other requirements.  Likewise, automobile, cyber, employment practices and other liability policies often require covered parties to notify the carrier promptly upon receipt of notice of an event or claim that may give rise to coverage, even though the carrier at that time may not be obligated to tender a defense or coverage at that time.  Ensuring appropriate, timely response can play a critical role in promoting defensibility, mitigating liability or preserving coverage or indemnification rights.

For Help With Investigations, Policy Updates Or Other Needs

If your organization would like to learn more about the concerns discussed in this update or seeks assistance auditing, updating, administering or defending its human resources, compensation, benefits, corporate ethics and compliance practices, or other performance-related concerns, please contact management attorney and consultant Cynthia Marcotte Stamer.

An attorney Board-Certified in Labor and Employment Law by the Texas Board of Legal Specialization, Ms. Stamer’s work focuses on helping management manage performance, legal compliance and operational risks.

For more than 35 years, Ms. Stamer’s work has advised businesses and business leaders about enhancing the effectiveness and defensibility of their operations using employment and other workforce and services management, employee benefits, compensation, performance management, contracting, Federal Sentencing Guideline and other compliance and risk management, investigations, and other legal and operational tools and solutions.  While helping businesses define and manage the conduct and performance of their employees, contractors and vendors, she also assists employers and others with compliance with federal and state equal employment, compensation, health and other employee benefits, workplace safety, leave, and other labor and employment, privacy and data security, and other laws, advises and defends businesses against labor and employment, employee benefit, compensation, fraud and other regulatory compliance and IRS, Department of Labor, Department of Justice, SEC,  Federal Trade Commission, HUD, HHS, DOD, Departments of Insurance, Department of Health, Department of Agriculture and other federal and state regulators.

Ms. Stamer also speaks, coaches management and publishes extensively on these and other related matters.

Her work, thought leadership and scholarship on helping organizations manage people, operations and risk have earned her recognition as a Fellow in the American College of Employee Benefit Counsel, a “Top Woman Lawyer,” “Top Rated Lawyer,” and “LEGAL LEADER™” in Labor and Employment Law and Health Care Law; a “Best Lawyers” in “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law.”

For additional information about Ms. Stamer and her experience or to access other publications by Ms. Stamer see here or contact Ms. Stamer directly.

Other Helpful Resources & Information

If you found this article of interest, you also may be interested in reviewing other Breaking News, articles and other resources like:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. For important information concerning this communication, click here.  If you do not wish to receive these updates in the future, unsubscribe by updating your profile here.

NOTICE:  These materials are for general informational and educational purposes only. They do not establish an attorney-client relationship, are not legal advice, a substitute for legal advice, an offer or commitment to provide legal advice or an admission. The information and statements in these materials may not address all relevant issues or apply to any particular situation or circumstances.  The author reserves the right to qualify or retract any of these statements at any time. and does not necessarily address all relevant issues. Because the law evolves, subsequent developments could impact the currency and completeness of this discussion. The author disclaims and has no responsibility to provide any update or otherwise notify anyone of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers are urged to engage competent legal counsel for consultation and representation at any time, considering the specific facts and circumstances presented in their unique circumstances. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from using this publication.  Readers acknowledge and agree to the conditions of this Notice as a condition of their access to this publication.  Circular 230 Compliance. The following disclaimer is included to comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein. ©2024 Cynthia Marcotte Stamer.  All rights reserved.

Comments Off on Workforce Strategies For Avoiding Holiday Liability Hangovers | ADA, Civil Rights, compliance, Corporate Compliance, directors, Disability, Disability Discrimination, Disability Leave, Disability Plans, Discrimination, Drug & Alcohol, Drug Testign, Drug Testing, EEOC, Emergency, Employer, Employers, Employment, Employment Discrimination, Employment Policies, enforcement, family leave, FLSA, FMLA, FMLA, Fringe Benefits, health benefit, Health Benefits, Health Plans, HR, Human Resources, Leave, medical leave, Overtime, religious accommodation, Religous Discrimination, Risk Management, Safety, Sex Discrimination, Sexual Harassment, Worker, Workers' Compensation, workfirce, Workforce, workplace violence | Tagged: , , , , , , , , , , , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

$100,000 Penalty Warning To Fulfill HIPAA Access Requirements

November 21, 2024

The $100,000 penalty paid by a mental health facility alerts health plans, health care providers and health care clearinghouses (“covered entities”) to the perils of failing to timely deliver health records access as required by the Health Insurance Portability and Accountability Act (“HIPAA”).

The $100,000 civil monetary penalty against California mental health provider Rio Hondo Community Mental Health Center (“Rio Hondo”) announced by the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) on October 19, 202 is the fifty-first OCR enforcement action under its HIPAA Right of Access enforcement initiative.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rules’ right of access provisions generally require covered entities to provide individuals access to their protected health information within 30 days, with the possibility of one 30-day extension and prohibits charging more than a reasonable, cost-based fee for this access.

The penalty against Rio Hondo resolves an OCR investigation into Rio Hondo over a failure to provide a patient with timely access to their medical records. OCR enforces the right of access and other requirements of the HIPAA Privacy Rule.

OCR launched an investigation after receiving a complaint from a patient that Rio Hondo did not provide timely access to their medical records, despite multiple requests in writing and by telephone. 

OCR’s investigation found that it took nearly seven months from the time the patient first requested the records until Rio Hondo provided them.

The patient made multiple telephone calls in July and August 2020, regarding the status of her request, but still did not receive the requested records until it produced the records in response to the investigation.

The late delivery of the records access did not end the enforcement action. Based on the facts, OCR found that Rio Hondo failed to take timely action in response to the patient’s right of access in accordance with the HIPAA Privacy Rule. 

In July 2024, OCR issued a Notice of Proposed Determination to impose a $100,000 civil monetary penalty. After Rio Hondo waived its right to a hearing and did not contest the findings of OCR’s Notice of Proposed Determination, OCR issued a Notice of Final Determination imposing the penalty. 

OCR’s announcement of the penalty includes a strong warning to other covered entities to comply with HIPAA’s access requirements. It quotes OCR Director Melanie Fontes Rainer. As stating:

Ensuring patients’ rights to timely access to medical information continues to be a HIPAA enforcement priority. Healthcare providers are legally obligated to provide patients with timely access to their medical records. If they fail to provide that access, OCR will not hesitate to do everything in its power, including imposing civil monetary penalties, to ensure compliance with the law.” 

While this penalty applied to a health care provider, health plans also are required to comply with the right of access rules.

With OCR promising to continue to prioritize enforcement, all covered entities should take documented steps to confirm the adequacy of their existing processes to ensure compliance with OCR’s Right of Access guidance and other applicable federal and state legal and ethical requirements like the Employee Retirement Income Security Act (“ERISA”) claims and appeals and Patient Protection and Affordable Care Act (“ACA”) adverse benefit procedures applicable to health plans and State ethical and statutory medical records delivery requirements applicable to providers. Health care providers also should consider including processes for tracking and monitoring access requests in these processes that provide for review every 30 days.Covered entities should keep records of these efforts for the six-year period required by HIPAA’s record retention rules.

Covered entities that receive follow up access requests or otherwise discover a potential failure to timely provide access should engage a HIPAA knowledgeable attorney for help and advice. Obviously, covered entities should correct any oversight promptly by delivering the records access. However legal counsel can assist by helping the covered entity assess if a violation actually occurred, avoid added violations or inflammatory communications or actions that could enhance exposures to complaints or penalties and suggest actions to help mitigate risks of an OCR investigation and penalties. For instance, past enforcement actions suggest a covered entity should consider foregoing requiring payment of charges HIPAA otherwise might allow for the records access to avoid further delay of access that could heighten penalty exposures. Covered entities also should document their delivery of access and their investigation and corrective actions addressing the source of the compliance failure.

The author of this update, Cynthia Marcotte Stamer has worked extensively with health plans on HIPAA, ERISA, the ACA on these and other HIPAA and other compliance and risk management. If you have questions or need advice or help evaluating or addressing your HIPAA compliance or other concerns, contact her. 

For More Information

We hope this update is helpful. For more information about the  or other health or other employee benefits, human resources, or health care developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452-8297.

Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for her more than 35 years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications including leading edge work on PBM, pharmacy and pharmaceutical and other health care, managed care, insurance, and insured and self-insured contracting, design, administration and regulation.. 

Author of numerous highly regarded works on PBM and other health plan contracting and design,  Immediate Past Chair of the ABA International Section Life Sciences Committee and the Tort Trial and Insurance Practice Section Medicine and Law Committee, past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and past Group Chair and current Welfare Benefit Committee Co-Chair of the ABA RPTE Employee Benefits & Other Compensation Group, Ms. Stamer is most widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on health and other privacy and data security and other health industry legal, public policy and operational concerns. 

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with HIPAA and other legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns.  

As a part of this work, she has continuously and extensively worked with domestic and international health plans, their sponsors, fiduciaries, administrators, and insurers; managed care and insurance organizations; third party administrators and other health benefit service providers; hospitals, health care systems and other health care providers, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; EMR, claims, payroll and other technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, self-insured health and other employee benefit plans, their sponsors, fiduciaries, administrators and service providers, insurers and other payers, health industry advocacy and other service providers and groups and other health and managed care industry clients as well as federal and state legislative, regulatory, investigatory and enforcement bodies and agencies.

Author of many highly regarded compliance, training and other resources on HIPAA and other risk management and compliance, Ms. Stamer is widely recognized for her thought leadership on HIPAA and many other health care, health plan and other health industry matters.  

In addition, Ms. Stamer serves as a Scribe for the American Bar Association (“ABA”) Joint Committee on Employee Benefits annual agency meetings with OCR and shares her thought leadership as International Section Life Sciences Committee Vice Chair, and a former Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. 

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources. 

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstance at the particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often rapidly evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. The author and Solutions Law Press, Inc. disclaim and have no responsibility to provide any update or otherwise notify anyone of any  fact or law specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2024 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.

Comments Off on $100,000 Penalty Warning To Fulfill HIPAA Access Requirements | ACA, Association Health Plan, Brokers, Claims, Claims Administration, Corporate Compliance, corporate governance, Electronic Medical Record, Employee Benefits, enforcement, ERISA, Fiduciary Responsibility, health benefit, Health Benefits, health Care, health centers, health insurance, health insurance marketplace, Health IT, health plan, Health Plans, HIPAA, Human Resources, Managed Care | Permalink
Posted by Cynthia Marcotte Stamer

$2.7 Million FCA Cyber Liability Settlement Shows New Tool In Government’s Strategy To Fight Cyber Insecurity By Holding Businesses & Leaders Accountable

May 4, 2024

The $2.7 million settlement government contractor Insight Global LLC, (“Insight”) is paying to settle a Justice Department (“DOJ”) False Claims Act civil suit for lax cybersecurity shows government contractors now must add possible False Claims Act prosecution to the already substantial and ever-widening potential consequences all organizations and leaders when their organizations experience a cyber incident.

Supplementing the strength and reach of existing cybersecurity laws by using the False Claims Act, federal securities, employee benefit fiduciary responsibility. and other laws as tools to pressure organizations and their leaders to strengthen their cybersecurity compliance and defenses is a key component of the National Cybersecurity Strategy the Administration announced in March, 2023 to battling the ongoing pandemic of cyber incidents. As National Cybersecurity Strategy states, “Continued disruptions of critical infrastructure and thefts of personal data make clear that market forces alone have not been enough to drive broad adoption of best practices in cybersecurity and resilience. … We must hold the stewards of our data accountable for the protection of personal data; drive the development of more secure connected devices; and reshape laws that govern liability for data losses and harm caused by cybersecurity errors, software vulnerabilities, and other risks created by software and digital technologies.

The National Cyber Security Strategy goes on to warn, “We will use Federal purchasing power and grant-making to incentivize security.”

With holding businesses and their leaders accountable a key component of the Federal government’s National Cybersecurity Strategy, government contractors specifically and all businesses and their leaders generally should heed the use of the DOJ’s use of the False Claims Act as another tool in its expanding arsenal for holding businesses experiencing cyber breaches accountable as proof of their own growing imperative to manage their own cyber security and liability in response to exploding strains of cyber threats and liabilities.

Government Contractor False Claims Act Cyber Risk

DOJ’s adoption of the False Claims Act as a tool for imposing liability against government contractors experiencing a cyber breach is part of a broader effort to persuade organizations and their leaders to tighten their cyber security defenses and responses by ratcheting up the liability and other consequences organizations and their leaders face when their organizations experience a cyber incident. The False Claims Act imposes treble damages and penalties on those who knowingly and falsely claim money from the United States or knowingly fail to pay money owed to the United States.

A Civil Cyber-Fraud Initiative announced by DOJ on October 6, 2021 adds potential False Claims Act civil lawsuits by DOJ or private whistleblowers to the already significant and expanding consequences government contractors and grant holders can face for failing to fulfill requirements to properly secure protected health information or other sensitive data as required in their government contracts.

According to DOJ’s May 1, 2024 announcement, Insight will pay $2.7 million to resolve DOJ False Claims Act charges for failing to have adequate cybersecurity measures to protect health information obtained during COVID-19 contact tracing under the new of the Settlement shows DOJ is following through on its promise.

$2.7 Million Insight FCA Cyber Settlement

The $2.7 million Settlement settles a whistleblower lawsuit, United States ex rel. Seilkop v. Insight Global LLC, No. 1:21-cv-1335 (M.D. Pa.). Filed under the whistleblower provisions of the False Claims Act that permit private parties to sue on behalf of the government when they believe that defendants submitted false claims for government funds and to receive a share of any recovery, DOJ intervened in the suit. Whistleblower, Terralyn Williams Seilkop, a former Insight Global staff member who worked on the contact tracing at issue, will receive a $499,500 share of the $2.7 million settlement amount.

The lawsuit alleged the Pennsylvania Department of Health hired Insight to provide staffing for COVID-19 contact tracing and paid Insight using federal funds from the U.S. Centers for Disease Control and Prevention. Although keeping personal health information of contact tracing subjects confidential and secure was part on its contractual duties, Insight failed to secure the protected health information. Instead, DOJ claimed, for example, Insight transmitted certain personal health information and/or personally identifiable information of contact tracing subjects in the body of unencrypted emails, stored and transmitted the information using Google files not password protected, making them potentially accessible to the public via internet links and allowed staff to use shared passwords to access that information.

DOJ additionally alleged that from November 2020 through January 2021, Insight managers received complaints from Insight staff that protected health information was unsecure and potentially accessible to the public, but failed to start remediating the issue until April 2021 after deficiencies came to light.

When Insight eventually began remediating these cybersecurity breaches and deficiencies in 2021, the announcement states Insight cooperated with the DOJ investigation of the cause and scope of the incident. It also took steps to remedy cybersecurity deficiencies by strengthening internal controls and procedures, adding more data-security resources and issuing a public notice regarding the scope of the potential exposure and offering free credit monitoring and identity protection services to those affected. FOJ also reports Insight also cooperated with the United States’ investigation.

DOJ’s Insight settlement announcement warns other government contractors of DOJ’s “continuing commitment to ensure that government contractors fulfill their cybersecurity obligations.” Its announcement quotes Principal Deputy Assistant Attorney General Brian M. Boynton, head of the Justice Department’s Civil Division as stating, “The Justice Department will hold accountable those contractors who knowingly fail to satisfy cybersecurity requirements.”

Meanwhile, Special Agent in Charge Maureen R. Dixon of the Department of Health and Human Services Office of Inspector General (HHS-OIG) is quoted as stating “Contractors for the government who do not follow procedures to safeguard individuals’ personal health information will be held accountable.”

Cyber Risk Implications For Government Contractor & Other Organizations

Potential False Claims Act liability under the DOJ False Claims Act Civil Cyber-Fraud Initiative add additional liability risks for government contractors to already substantial and growing federal and state regulatory, contractual, and civil and criminal liabilities and other consequences that cyber breaches and other cybersecurity weaknesses create for business and other organizations, their health plans and their leaders. Examples of these other exposures that lax privacy, data security, data breach and other cybersecurity practice may create include:

  • Business operating losses from resulting operational disruptions and damages to customer, business partner, shareholder and public trust;
  • Federal Sentencing Guidelines organizational criminal liability arising from violations of electronic crime and other federal criminal data privacy and security laws;
  • Federal Trade Commission Act and state unfair business practices liability for deceiving customers about privacy practices;
  • Security and Exchange Commission (“SEC”) criminal and civil actions and shareholder lawsuits under the Security and Exchange Act;
  • Health Insurance Portability & Accountability Act civil monetary penalty and criminal exposures for health plans, health care providers, health care clearinghouses and their business associates;
  • Employee Benefit Security Act fiduciary liability for health fiduciaries;
  • Liability for violation of Fair and Accurate Transaction Act, Internal Revenue Code, or other federal privacy or confidentiality laws;
  • damages and other penalties and judgments arising under state identity theft, data security, privacy and other state statutory, contractual and tort laws; and
  • More.

These and other constantly emerging exposures show the imperative for government contractors and all other organizations and their leaders to ensure their organizations take adequate, well-documented efforts to protect their systems and data and fulfill all otherwise applicable cybersecurity rules.

With new cyber attacks and strains of cyber liability, emerging constantly, organizations, and their leaders increasingly must change the way they think about and address their own cyber security and other technology, budgets and management. The escalation of cyber incidents and risks necessitates that organizations and their leaders to treat cybersecurity as critical components of their operational and business plans and priorities.

Amid the pandemic of constantly evolving cyber threats, even the most diligent efforts to secure systems and data cannot guarantee the prevention of a breach or other cyber incident. Given this challenge, organizations and their leaders must focus both on taking meaningful steps to adequately secure their systems and data against a cyber breach or incident as well as position their organizations and leaders to defend their actions and mitigate exposures through appropriate strategic planning, documented oversight and risk assessment, monitoring and response of threats and safeguards; preparation and timely response to cyber events using attorney-client privilege and other evidentiary tools to promote the defensibility of pre-breach, breach investigation and post-breach investigation and decision-making.

As the availability of funding can radically impact the effectiveness of these and other risk mitigation efforts when a cyber incident occurs, these preparations also should incorporate insurance and other arrangements to provide for breach investigation funding and response.

For Additional Information

We hope this update is helpful. Solutions Law Press, Inc. invites you to receive future updates by registering on  here and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy

If you need have questions or need assistance with this or other cybersecurity, health, benefit, payroll, investment or other data, systems or other privacy or security related risk management, compliance, enforcement or management concerns, to inquire about arranging for compliance audit or training, or need legal representation on other matters,  contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297

About the Author 

Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 35 plus years of cybersecurity, workforce, technology and other compliance, risk management and mitigation, incident and other investigations,regulatory and government affairs, and other strategic, operational, regulatory and legal and consulting management work for government contractors and other public and private businesses; managed care and other health and life science, insurance, technology, and other performance and data dependent organizations,

A Fellow in the American College of Employee Benefit Counsel, Co-Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee and Vice-Chair Elect of its International Employment Law Committee, Chair-Elect of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading-edge work, scholarship and thought leadership with healthcare and life sciences, employment and employee benefits, managed care and insurance, data and technology and other related industries and organizations. Known for her skill combined use of her extensive legal and operational knowledge to help these and other clients develop, operationalize and defend employment, employee benefits, compensation and other staffing and workforce; data, systems and other technology; heath benefit and other healthcare and life science, managed care and insurance; employee benefits, safety, contracting, quality assurance, compliance and risk management, and other legal, public policy and operational actions and practices. She speaks and publishes extensively on these and other related compliance issues.

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, life sciences, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. Author of a multitude of highly regarded publications on HIPAA and other medical record and data privacy and scribe for the ABA JCEB Annual Meeting with the HHS Office of Civil Rights, her experience includes extensive involvement throughout her career in advising health care and life sciences and other clients about preventing, investigating and defending EEOC, DOJ, OFCCP and other Civil Rights Act, Section 1557 and other HHS, HUD, banking, and other federal and state discrimination investigations, audits, lawsuits and other enforcement actions as well as advocacy before Congress and regulators regarding federal and state equal opportunity, equity and other laws. 

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here

About Solutions Laws Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here

IMPORTANT NOTICE

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and educational purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstances at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules make it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access to this publication. 

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2024 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™

Comments Off on $2.7 Million FCA Cyber Liability Settlement Shows New Tool In Government’s Strategy To Fight Cyber Insecurity By Holding Businesses & Leaders Accountable | Antitrust, Attorney-Client Privilege, Banking, board of directors, Brokers, Civil Monetary Penalties, Claims, compliance, Corporate Compliance, corporate governance, Cybercrime, Cybersecurity, Data Breach, Data Security, Department of Defense, DFAR, Disaster, Educational Privacy, Emergency, Employee Benefits, Employer, Employers, Employment, Employment Policies, enforcement, ERISA, false claims act, FTC, Government Accountability, Government Contractors, government employer, group health plan, health benefit, Health Benefits, health Care, Health Care Fraud, health plan, Health Plans, HIPAA, HR, Human Resources, Identity Theft, Insurance, insurers, Internal Controls, Internal Investigations, Managed Care, OFCCP, Personal Health Records, Personal Health Recordss, Physician, Plan Admistrator, Protected Health Information, Provider, self insured health plan, Technology, third party administrators, tpa, Whistleblower | Tagged: , , , , , , , , , , , , , , , , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

Agencies Change Surprise Billing IDR Resubmission Procedures Effective 5/1/24

May 1, 2024

The Departments of Health and Human Services, Labor, and the Treasury (collectively, the Departments) today announced changes to the required process for resubmitting Independent Dispute Resolution (“IDR”) disputes originally improperly batched or bundled in the Federal IDR portal.

According to the Departments’ May 1 announcement, resubmission requests for disputes originally improperly batched or bundled will come directly from the Federal IDR portal instead of from the certified IDR entity, and initiating parties now will have a unique web form they can access via a link in their resubmission email notification to complete the resubmission process.

Starting on May 1, 2024, certified IDR entities will notify parties through an email from the Federal IDR portal that a dispute is eligible for resubmission due to improper batching or bundling from auto-reply-federalidrquestions@cms.hhs.gov. If the recipient initiated the dispute, the resubmission email notification will contain a unique link to a new form called the Notice of IDR Initiation – Resubmission web form and instructions on the next steps. If the recipient did not initiate the original dispute, the email notification will be informational and will not have a link.

Initiating parties have four business days from the date of the resubmission email notification to resubmit a dispute. The resubmission link will no longer work after the four business day window has passed.

If a certified IDR entity notified the party that a dispute submitted was eligible for resubmission due to improper batching or bundling before May 1, 2024, the Departments state the recipient should resubmit the dispute as instructed in the email from its certified IDR entity through the Notice of IDR Initiation web form by May 6, 2024. For information on how to resubmit these disputes, refer to the Notice of Initiation Web Form Job Aid.

The Departments state the Notice of IDR Initiation web form will accept resubmitted disputes through May 6, 2024. After May 6, 2024, the Notice of IDR Initiation web form will no longer accept resubmitted disputes, and all resubmissions must be submitted via the Notice of IDR Initiation – Resubmission web form, as described in the paragraph below.

The following resources provide additional information and instructions on how to complete and submit the new Notice of IDR Initiation – Resubmission web form, following

Health care providers and health plans using the new IDR processes should update their processes immediately to avoid forfeiting surprise billing rights. Recipients of e-mails purportedly from the portal are cautioned to include and follow appropriate procedures to guard against malware or other cyber threats.

For More Information

We hope this update is helpful. For more information about these or other health or other legal, management, or public policy developments, please get in touch with the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

About the Author 

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 35 plus years of health, employee benefits, insurance, hospitality, retail, construction and other industry management work, public policy leadership and advocacy, coaching, teachings, and publications.

A Fellow in the American College of Employee Benefit Counsel, Co-Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee and Vice-Chair and Chair Elect of its International Employment Law Committee, Chair of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee, Ms. Stamer has decades of experience advising employers, investigating and helping employers to defend wage and hour, worker classification, discrimination and other labor and employment, employee benefits and other compliance.

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, life sciences, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. Her experience includes extensive involvement advising clients about preventing, investigating and defending EEOC, DOJ, OFCCP and other Civil Rights Act, Section 1557 and other HHS, HUD, banking, and other federal and state discrimination; EBSA, IRS, and PBGC employee benefit; WHD, CAS, Davis-Bacon and other federal and state wage and hour and other compensation; OSHA and other investigations, audits, lawsuits and other enforcement actions as well as advocacy before Congress and regulators regarding federal and state equal opportunity, equity and other laws. 

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here

About Solutions Laws Press, Inc.™

Solutions Law Press, Inc.™ provides health care, human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here, such as:

ABOUT THIS COMMUNICATION

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and educational purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstances at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules make it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access to this publication. 

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2024 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™

Comments Off on Agencies Change Surprise Billing IDR Resubmission Procedures Effective 5/1/24 | Claims Administration, Corporate Compliance, ERISA, Fiduciary Responsibility, health benefit, Health Benefits, health Care, health care transparency, health insurance, health insurance marketplace, health plan, Health Plans, Human Resources, Managed Care, Protected Health Information, provider contracting, Surprise Billing | Permalink
Posted by Cynthia Marcotte Stamer

UHG Projects Timeline For Restarting Services Following 2/21 Ransomware Attack.

March 25, 2024

UnitedHealthcare Group (UHG) plans to resume certain key health benefit and payment function this week that it turned off in response to a February 21, 2024 cyberattack.

Health plans, their fiduciaries, health plan sponsors and insurers, and their administrative and other service providers may find these updates helpful to plan and communicate with plan members, providers and others as part of their efforts to fulfill their own Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules, the claims, notice and fiduciary responsibilities under the Employee Retirement Income Security Act of 1974 (ERISA), state contract, prompt pay and other duties to health care providers or other responsibilities in response to disruptions created by UHG’s Blackcat1234 ransomware attack subsidiary Change Healthcare.

UHG Attack

On February 21, 2024, a ransomware attack executed by the Blackcat1234 ransomware group took control of and shut down the payment, revenue cycle management and related tools and systems of UHG Subsidiary Change Healthcare. Well-known for stealing sensitive data and demanding ransom for not publishing it, and other public and private cybersecurity monitoring and tracking organizations have warned heath care and other system operators to guard against Blackcat1234 and related ransomware attack risks since at least 2022.  See, e.g., #StopRansomware: ALPHV Blackcat | CISA.

The Choice Health shutdown resulting from the Blackcat1234 ransomware attack has created widespread disruptions to key care authorization, billing and other pharmacy, provider and other plan and provider transactions within health care and health benefit systems nationwide due to the widespread use of the Choice Health tools. 

Due to the widespread use of the Change Healthcare tools and systems as a financial clearinghouse for connecting pharmacy benefit managers, health care providers, and other key plays and health plans throughout the health care and health benefits industry, the attack has and continues to disrupt key billing, care-authorization, payment and other transactions between health care payers and pharmacies, physicians and other health care providers and health care payers and their partners across the health care industry.  

The resulting shutdown and disruption to electronic payment and medical claims systems incorporating the compromised Change Healthcare tools create various legal and operational headaches for many health plans and other health care payers by preventing or obstructing the submission and processing of health care claims and other transactions between health care providers and health plans. 

While UHG works to remediate and restore the operability and security of the Choice Health tools and systems, health plans, and insurers, their fiduciaries, plan sponsors, and fiduciaries should take timely and prudent steps in response to the breach and resulting disruptions to mitigate the exposure of their health plans, and themselves under HIPAA and ERISA. See Manage Health Plan HIPAA, ERISA & Other Exposures From Change Healthcare Ransomware Attack.

Timeline

In its Product Restoration Timeline posted on a UHG website, UhG projects the following timeline for restoration of the following systems:

Week of 3/25
  • Eligibility Processing: Processes real-time transactions
  • Clearance: Benefits verification and authorization determination
  • MedRX: Pharmacy electronic claims for medical
  • Reimbursement Manager: Claim pricing
  • Coverage Insight: Coverage discovery
Week of 4/1
  • Clinical Exchange: Provider workflow enabling electronic prescribing, ordering and resulting integrated into EHR’s
  • Payer Connectivity Services  (PCS): EDI validation and editing
  • Hosted Payer Services  (HPS): Payer hosting service for eligibility responses to providers
  • Acuity / Pulse: Acuity provides revenue cycle analytics for users of Clearance and Assurance; Pulse provides RCM KPI benchmarks for institutional claims utilizing Assurance client data
Week of 4/8
  • Risk Manager: Supports clients in managing value-based payment contracts.
  • Health QX: Retrospective episode-base payment models

No Guarantees

The UHG website warns these dates are projections based on available information. Products will go through a phased reconnection process, including launch, testing and scaled reconnection. The timeline may change as UHG learns more.

Unlisted Services

The Timeline currently does not list all products and services. The UHG website states that the absence of a product from the schedule does not mean that product is more than three weeks away from resumption. Rather, it means that UHG does not yet have line of sight to the week that it expects to restore it. UHG plans to provide updated information as those timelines become clear.

For specific product updates, UHG invites interested persons to subscribe to the products of interest here.

Restoration Webinars

UHG also has shared the following series of webinary providing more information about its restoration efforts:

For Additional Information

We hope this update is helpful. Solutions Law Press, Inc. invites you to receive future updates by registering on  here and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy

If you need have questions or need assistance with this or other cybersecurity, health, benefit, payroll, investment or other data, systems or other privacy or security related risk management, compliance, enforcement or management concerns, to inquire about arranging for compliance audit or training, or need legal representation on other matters,  contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297

About the Author 

Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 35 plus years of employee benefit, managed care and other health and insurance industry, workforce and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

A Fellow in the American College of Employee Benefit Counsel, Co-Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee and Vice-Chair Elect of its International Employment Law Committee, Chair-Elect of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading-edge work, scholarship and thought leadership on heath benefit and other healthcare and life science, managed care and insurance and other workforce and staffing, employee benefits, safety, contracting, quality assurance, compliance and risk management, and other legal, public policy and operational concerns in the healthcare and life sciences, employee benefits, managed care and insurance, technology and other related industries. She speaks and publishes extensively on these and other related compliance issues.

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, life sciences, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. Author of a multitude of highly regarded publications on HIPAA and other medical record and data privacy and scribe for the ABA JCEB Annual Meeting with the HHS Office of Civil Rights, her experience includes extensive involvement throughout her career in advising health care and life sciences and other clients about preventing, investigating and defending EEOC, DOJ, OFCCP and other Civil Rights Act, Section 1557 and other HHS, HUD, banking, and other federal and state discrimination investigations, audits, lawsuits and other enforcement actions as well as advocacy before Congress and regulators regarding federal and state equal opportunity, equity and other laws. 

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here

About Solutions Laws Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here.

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and educational purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstances at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules make it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access to this publication. 

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2024 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™

Comments Off on UHG Projects Timeline For Restarting Services Following 2/21 Ransomware Attack. | Academic Medicine, Association Health Plan, Brokers, Claims, Claims Administration, Corporate Compliance, Cybercrime, Cybersecurity, Data Breach, Data Security, employee, Employee Benefits, Employer, Employers, ERISA, Fiduciary Responsibility, health benefit, Health Benefits, health Care, health care transparency, health insurance, Health IT, health plan, Health Plans, HIPAA, HR, Human Resources, Identity Theft, Insurance, Internal Controls, Internal Investigations, Internal Revenue Code, Managed Care, Medical Billing, Physician, Plan Admistrator, PPO, Provider, provider contracting, Reporting & Disclosure | Permalink
Posted by Cynthia Marcotte Stamer

Manage Health Plan HIPAA, ERISA & Other Exposures From Change Healthcare Ransomware Attack

March 17, 2024

What Health Plans, Their Fiduciaries, Vendors & Sponsors Should Be Doing Now

Health plans, their fiduciaries, health plan sponsors and insurers, and their administrative and other service providers should move quickly to understand and act to mitigate the exposures likely to arise under the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules, the claims, notice and fiduciary responsibilities under the Employee Retirement Income Security Act of 1974 (ERISA), state contract, prompt pay and other duties to health care providers or other responsibilities in response to disruptions created by the Blackcat1234 ransomware attack (CH/UHG Attack) experienced by UnitedHealthcare Group (UHG) subsidiary Change Healthcare.

Change Healthcare Ransomware Attack

On February 21, 2024, a ransomware attack executed by the Blackcat1234 ransomware group took control of and shut down the payment, revenue cycle management and related tools and systems of UHG Subsidiary Change Healthcare. Well-known for stealing sensitive data and demanding ransom for not publishing it, and other public and private cybersecurity monitoring and tracking organizations have warned heath care and other system operators to guard against Blackcat1234 and related ransomware attack risks since at least 2022.  See, e.g., #StopRansomware: ALPHV Blackcat | CISA.

The Change Health shutdown resulting from the Blackcat1234 ransomware attack has created widespread disruptions to key care authorization, billing and other pharmacy, provider and other plan and provider transactions within health care and health benefit systems nationwide due to the widespread use of the Change Health tools. 

Due to the widespread use of the Change Healthcare tools and systems as a financial clearinghouse for connecting pharmacy benefit managers, health care providers, and other key plays and health plans throughout the health care and health benefits industry, the attack has and continues to disrupt key billing, care-authorization, payment and other transactions between health plans, health care payers and pharmacies, physicians and other health care providers and health care payers and their partners across the health care industry.  

As UHG has worked to recover from the Change Health attack, the resulting shutdown and disruption to electronic payment and medical claims systems incorporating the compromised Change Healthcare tools create various legal and operational headaches for many health plans and other health care payers by preventing or obstructing the submission and processing of health care claims and other transactions between health care providers and health plans.  While UHG works to remediate and restore the operability and security of the Choice Health tools and systems, health plans, and insurers, their fiduciaries, plan sponsors, and fiduciaries should take timely and prudent steps in response to the breach and resulting disruptions to mitigate the exposure of their health plans, and themselves under HIPAA and ERISA.

HIPAA Security & Breach Notification Responsibilities

While most health care providers and health plans expect Change Health and other UHG entities to face potential data breach and breach notification responsibilities and liabilities under HIPAA and other federal and state data privacy and cybersecurity laws, many health plan fiduciaries, sponsors, insurers, and administrative or other service providers have given limited consideration to how the February 21, 2024, cyber event impacted their HIPAA responsibilities and exposures.  Guidance published by the U.S. Department of Health and Human Services Office for Civil Rights (OCR) on March 13, 2023, alerts health plans and health insurers, their fiduciaries and plan sponsors, health care providers, health care clearinghouses, and their business associates (covered entities) against overlooking their own potential HIPAA responsibilities arising from the February 21 Choice Health attack or other similar events.

HIPAA requires covered entities and their business associates to protect the privacy and security of protected health information, to have and enforce HIPAA-compliant business associate agreements, to conduct timely documented risk assessments in response to known or foreseeable security threats, and to provide notice of a breach to OCR, affected individuals and for breaches affecting more than 500 individuals. 

Under the HIPAA Security Rule, covered entities must conduct documented risk assessments to evaluate and monitor their electronic personal health information (EPHI) and associated systems for potential breaches and other threats that expose EPHA to unauthorized use, access, disclosure, destruction or other compromise.

To fulfill this requirement, the Security Rule requires covered entities and business associates to conduct documented risk assessments impacting their EPHI and to update these risk assessments in response to internal or external events impacting the adequacy of their risk assessments or security safeguards.

While the responsibility of covered entities and business associates to protect EPHI against unauthorized use, access and disclosure from cybercriminals and others receives the most attention, the Security Rule also includes often less discussed responsibility to protect EPHI and related operating systems against destruction or other disruptions from a wide range of threats including ransomware attacks. 

OCR guidance makes clear that OCR views safeguarding EPHI against ransomware and other cybersecurity threats as encompassed in this duty.  As part of these efforts, OCR and other cybersecurity agencies have recommended among other things that covered entities and business associates:

  • Routinely take inventory of assets and data to identify authorized and unauthorized devices and software;
  • Prioritize remediation of known exploited vulnerabilities’
  • Enable and enforce multifactor authentication with strong passwords;
  • Close unused ports and remove applications not deemed necessary for day-to-day operations.

 See e.g., #StopRansomware: ALPHV Blackcat | CISA.

Furthermore, when a breach of results in an unauthorized use, access, disclosure or destruction of EPHI, the HIPAA Breach Notification Rule requires covered entities and their business associates to provide timely notification of the breach to subjects of the breached EPHI and OCR, and if the breach affects more than 500 subjects, to the media.  Concurrently, the HIPAA Security Rule requires health plans and other covered entities to evaluate through documented risk assessments and take appropriate timely action to update their EPHI security as necessary to respond to breaches, potential breaches and other evolving threats to their EPHI and related systems. 

On March 13, 2024, the Office of Civil Rights (OCR) released a  “Dear Colleague letter” that warns the February 21, 2024 CH/UHG data breach is likely to trigger HIPAA obligations and investigations for Choice Health and UHG as well as other HIPAA-covered health plans, heath care providers, heath care clearinghouses and business associates.  While stating the investigation currently focuses on Change Healthcare and UHC, for instance, the Dear Colleague Letter warns that OCR anticipates that its response to the February 21, 2024 CH/UHG Attack eventually also will include “secondary” investigations of other health plans, health care providers, health care clearinghouses and business associates “tied to or impacted by this attack.”

In light of these anticipated secondary investigations, OCR’s Dear Colleague letter warns health plans, health care providers, health care clearinghouses, business associates to ensure they timely and properly handle their own potential HIPAA responsibilities arising from the CH/UHG Attack.  The Dear Colleague letter expressly alerts health plans, health care providers and other covered entities and business associates “that have partnered with Change Healthcare and UHG” in anticipation of OCR’s expected secondary investigations to ensure that their own ability to demonstrate their organization meet all required HIPAA responsibilities including that:

  • All required “business associate agreements are in place;
  • All required breach notifications are provided to HHS, affected persons and in the event of a large breach affecting more than 500 individuals, to the media; and
  • All security and other HIPAA responsibilities are met.

The Dear Colleague Letter also directed covered entities and their business associates to the following previously released OCR resources for assistance in understanding their responsibilities for guarding EPHI against ransomware and other cybersecurity threats:

  • The OCR HIPAA Security Rule Guidance Material webpage;
  • OCR Video on How the HIPAA Security Rule Protects Against Cyberattacks;
  • OCR Webinar on HIPAA Security Rule Risk Analysis Requirement;
  • HHS Security Risk Assessment Tool;
  • Factsheet: Ransomware and HIPAA; and
  • Healthcare and Public Health (HPH) Cybersecurity Performance Goals.

Standing alone, the Dear Colleague Letter makes clear that all covered entities partnered with or impacted by disruptions from the CH/UHG attack need to take documented steps to reevaluate and tighten the adequacy of their existing security safeguards as well as their processes for monitoring and responding to evolving ransomware and other cybersecurity threats in anticipation of becoming the target of potential “secondary” OCR investigations arising from the CH/UHG Attack.

While the Dear Colleague Letter specifically references covered entities and business associates “partnered” with Choice Health, OCR’s previously issued guidance warning all covered entities and their business associates to safeguard their EPHI against ransomware and other cybersecurity threats, strongly suggest that all covered entities and business associates should consider the advisability of reevaluating the adequacy of their own EPHI safeguards in light of the heightened ransomware and other cyber threat illustrated by the CH/UHG Attack.  Consequently, all covered entities and business associates partnered with or impacted by the CH/UHG Attack or its resulting distributions specifically, as well as covered entities and business associates generally should work with experienced legal counsel to conduct documented risk assessments of their systems, exposures, responsibilities and risks taking into account these developments as soon as possible in anticipation of complaint or audit driven investigations arising from the Choice Health and other malware events and threats.

ERISA-Covered Health Plan Data Security & Breach Related Fiduciary Duties

In addition to any applicable HIPAA responsibilities, fiduciaries and sponsors of employer or union sponsored health plans subject to the Employee Retirement Income Security Act (ERISA) also should consider whether the CH/UHG Attack or the heightened ransomware and other cyber security threats any additional actions are prudently necessary to protect the health plan data, assets or operations.

ERISA generally requires individuals or entities named as fiduciaries or otherwise possessing functional discretionary authority or responsibility or authority over a plan or its assets (fiduciaries) to act prudently to protect and administer the plan and its assets.  Department of Labor Employee Benefit Security Administration (EBSA) guidance published in April, 2021 first officially confirmed its interpretation of ERISA’s duty of prudence as including a duty to utilize prudent cybersecurity safeguards.  Since EBSA published this cybersecurity guidance EBSA also has also added cybersecurity inquiries to its plan fiduciary audits. As a result, in addition to complying with HIPAA, ERISA-covered health plan fiduciaries and sponsors also should be prepared to demonstrate plan fiduciaries acted prudently to comply with HIPAA as well as the following actions to safeguard health and other employee benefit plan data and systems against cybersecurity threats:

  • Tips for Hiring a Service Provider: Helps plan sponsors and fiduciaries prudently select a service provider with strong cybersecurity practices and monitor their activities, as ERISA requires.
  • Cybersecurity Program Best Practices: Assists plan fiduciaries and record-keepers in their responsibilities to manage cybersecurity risks.
  • Online Security Tips: Offers plan participants and beneficiaries who check their retirement accounts online basic rules to reduce the risk of fraud and loss.

In light of this OCR and EBSA guidance, health plan sponsors, fiduciaries and vendors and other HIPAA covered entities and business associates are urged to take documented steps to audit and strengthen as needed their safeguards against hacking and other cybersecurity threats including:

  • In the case of any health plan or health plan vendor, taking well documented steps to assess and tighten as necessary their health plan systems and data security to meet or exceed the recommendation outlined in the EBSA cybersecurity guidance or otherwise necessary to prudently guard their plans and plan data and systems against cybersecurity threats.
  • Reviewing and monitoring on a documented, ongoing basis the adequacy and susceptibilities of existing practices, policies, safeguards of their own organizations, as well as their business associates and their vendors within the scope of attorney-client privilege taking into consideration data available from OCR, data regarding known or potential susceptibilities within their own operations as well as in the media, and other developments to determine if additional steps are necessary or advisable.
  • Updating policies, privacy and other notices, practices, procedures, training and other practices as needed to promote compliance and defensibility.
  • Renegotiating and enhancing service provider agreements to detail the specific compliance, audit, oversight and reporting rights, workforce and vendor credentialing and access control, indemnification, insurance, cooperation and other rights and responsibilities of all entities and individuals that use, access or disclose, or provide systems, software or other services or tools that could impact on security; to clarify the respective rights, procedures and responsibilities of each party in regards to compliance audits, investigation, breach reporting, and mitigation; and other relevant matters.
  • Verifying and tightening technological and other tracking, documentation and safeguards and controls to the use, access and disclosure of protected health information and systems.
  • Conducting well-documented training as necessary to ensure that members of the workforce of each covered entity and business associate understand and are prepared to comply with the expanded requirements of HIPAA, understand their responsibilities and appropriate procedures for reporting and investigating potential breaches or other compliance concerns, and understand as well as are prepared to follow appropriate procedures for reporting and responding to suspected
    violations or other indicia of potential security concerns.
  • Tracking and reviewing on a systemized, well-documented basis actual and near miss security threats to evaluate, document decision-making and make timely adjustments to policies, practices, training, safeguards and other compliance components as necessary to identify and resolve risks.
  • Establishing and providing well-documented monitoring of compliance that includes board level oversight and reporting at least quarterly and sooner in response to potential threat indicators.
  • Establishing and providing well-documented timely investigation and redress of reported
    violations or other compliance concerns.
  • Establishing contingency plans for responding in the event of a breach. 
  • Establishing a well-documented process for monitoring and updating policies, practices and other efforts in response to changes in risks, practices and requirements.
  • Preparing and maintaining a well-documented record of compliance, risk, investigation and other security activities.
  • Pursuing other appropriate strategies to enhance the covered entity’s ability to demonstrate its compliance commitment both on paper and in operation.

Because susceptibilities in systems, software and other vendors of business associates, covered entities and their business associates should use care to assess and manage business associate and other vendor associated risks and compliance as well as tighten business associate and other service agreements to promote the improved cooperation, coordination, management and oversight required to comply with the new breach notification and other HIPAA requirements by specifically mapping out these details.

Furthermore, while the preemption provisions of ERISA generally insulate health plans and their sponsors from responsibility or liability for complying with state insurance, data security, breach notification or other state law cybersecurity and cyber breach and breach notification laws and rules, health insurers and other health plan service providers generally remain subject to these state law requirements.  Consequently, health insurers, administrative service providers and other health plan vendors also should act promptly to evaluate and ensure their fulfillment of all applicable cybersecurity and data breach mandates under relevant state law.

Leaders of covered entities or their business associates also are cautioned that while HIPAA itself does not generally create any private right of action for victims of breach under HIPAA, breaches may create substantial liability for their organizations or increasingly, organizational leaders under state data privacy and breach, negligence or other statutory or common laws.  In addition, physicians and other licensed parties may face professional discipline or other professional liability for breaches violating statutory or ethical standards.  Meanwhile, the Securities and Exchange Commission has indicated that it plans to pursue enforcement against leaders of public health care or other companies that fail to use appropriate care to ensure their organizations comply with privacy and data security obligations and the Employee Benefit Security Administration recently has issued guidance recognizing prudent data security practices as part of the fiduciary obligations of health plans and their fiduciaries.

Finally, health plans and other covered entities are reminded that appropriate strategic planning and use of attorney-client privilege and other evidentiary tools can critically impact the defensibility of pre-breach, breach investigation and post-breach investigation and decision-making. Because HIPAA, EBSA and other rules typically require prompt investigation and response to known or suspected hacking or other cybersecurity threats, health plans and other covered entities or business associates should seek the assistance of experienced legal counsel to advise and assist in these activities to understand the potential availability and proper use of these and other evidentiary rules as part of the compliance planning process as well as to prepare for appropriate use in the event of a known or suspected incident to avoid unintentional compromise of these protections.

ERISA & Other Risks From Untimely Timely Acceptance & Processing of Health Plan Eligibility & Benefit Provisions

Since Change Health shut down its tools and systems CH/UHG Attack has created and continues to cause nationwide disruptions in the ability of pharmacy, physician and other health care providers to submit, and health plans and insurers to receive and process a wide range of health care billing, claims and other transactions because of the widespread integration and use of Choice Health tools in systems health care providers and payers use for the submission, receipt, and processing of health care provider eligibility, billing and other health benefits. 

Along with the liabilities and headaches that the ransomware attack and resulting disruptions create for Choice Healthcare and UHG, delays and other disruptions in the handling of health benefit eligibility, claims processing, notifications and payment by health plans and their administrative services providers arising from can create a host of additional liability headaches health plans, health insurers, their fiduciaries and administrative services providers in addition to those arising directly from the HIPAA and other cybersecurity breach itself.

For ERISA-covered health plans, ERISA generally holds health plans and their fiduciaries accountable for the prudent, timely administration of health plan eligibility, claims and other administrative functions in accordance with the terms of the plan and within the applicable time frames and other requirements of ERISA’s reasonable claims procedure and adverse benefit determination rules.  Health plans and their ERISA plan administrators generally must receive and process claims transactions required by the adverse claim determination regulations and provide participants or beneficiaries with detailed written notifications for any claims not processed and paid within the relevant 72-hour, 15-day or 30-day time period specified by the adverse claim determination rules.  Noncompliance with these requirements both undermines the defensibility of the health plan’s denial of coverage and subjects the plan administrator to liability for EBSA penalties and/or discretionary awards of penalties plus attorneys’ fees and other costs of enforcement to plan participants or beneficiaries for failures to deliver timely notification of the denial.  To the extent that EBSA or a court determines that the failure to timely and appropriately process and pay benefits resulted from a lack of prudence or other breach of ERISA fiduciary duties, fiduciaries are at risk for incurring personal liability for actual damages to the plan or its participants plus attorneys’ fees and other costs of enforcement; EBSA penalties for engaging in a breach of fiduciary duty under ERISA section 502(l); or both.

Beyond these ERISA-related risks, delays in processing and payment of health care provider claims also create potential additional liability for health insurers, health plans and their administrators to the extent the disruptions prevent the timely payment and processing of health benefit claims in violation of health care provider rights under managed care or other provider contracts, prompt pay and surprise billing or other provider legal rights.  Unlike member claims assigned to providers, ERISA generally does not preempt these nonderivative provider rights and claims or the additional state law damages, penalties or other remedies arising under state law against health insurers, health plans and plan administrators found to violate these rules. Consequently, delays in payments to providers also could substantially increase the costs and liabilities that health insurers, health plans, their fiduciaries, administrators, and employers and other sponsors obligated under the plan terms or vendor contracts to pay these costs.

In light of these and other potential risks, health insurers and health plans, their employer, union and other sponsors, fiduciaries, administrative services providers and other vendors should act quickly to investigate and ensure proper management of the fallout from the CH/UHG Attack and the heightened ransomware and other cybersecurity threats it represents.

Along with working with qualified legal counsel to address the potential HIPAA, ERISA and other responsibilities the health plan or insurer, its fiduciaries, service providers and sponsor bear from the CH/UHG Attack and other cyber risks, most parties also will want to evaluate obligations to notify cybersecurity and other liability insurers, seek indemnification from Choice Healthcare, UHG or other potentially culpable parties and evaluate other sensitive data and strategies for mitigation of their health plan and their own resulting liabilities, costs and other consequences.

For Additional Information

We hope this update is helpful. Solutions Law Press, Inc. invites you to receive future updates by registering on  here and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

If you need have questions or need assistance with this or other cybersecurity, health, benefit, payroll, investment or other data, systems or other privacy or security related risk management, compliance, enforcement or management concerns, to inquire about arranging for compliance audit or training, or need legal representation on other matters,  contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297

About the Author 

Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 35 plus years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

A Fellow in the American College of Employee Benefit Counsel, Co-Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee and Vice-Chair Elect of its International Employment Law Committee, Chair-Elect of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading-edge work, scholarship and thought leadership on heath benefit and other healthcare and life science, managed care and insurance and other workforce and staffing, employee benefits, safety, contracting, quality assurance, compliance and risk management, and other legal, public policy and operational concerns in the healthcare and life sciences, employee benefits, managed care and insurance, technology and other related industries. She speaks and publishes extensively on these and other related compliance issues.

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, life sciences, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. Author of a multitude of highly regarded publications on HIPAA and other medical record and data privacy and scribe for the ABA JCEB Annual Meeting with the HHS Office of Civil Rights, her experience includes extensive involvement throughout her career in advising health care and life sciences and other clients about preventing, investigating and defending EEOC, DOJ, OFCCP and other Civil Rights Act, Section 1557 and other HHS, HUD, banking, and other federal and state discrimination investigations, audits, lawsuits and other enforcement actions as well as advocacy before Congress and regulators regarding federal and state equal opportunity, equity and other laws. 

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here

About Solutions Laws Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here, such as:

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and educational purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstances at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules make it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access to this publication. 

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2024 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™

Comments Off on Manage Health Plan HIPAA, ERISA & Other Exposures From Change Healthcare Ransomware Attack | Association Health Plan, Corporate Compliance, group health plan, health Care, Health Care Sharing Ministries, health insurance, health plan, Health Plans, HIPAA, Public Policy, self insured health plan, tpa | Tagged: , , , , , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

ABA RPTE Section Group Hosts 1/19 Health Plan Claim Denials Update Zoom Call

January 16, 2024

Attorney Cynthia Marcotte Stamer and Allison Moody are scheduled to present a “Health Plan Claim Denials Update” for the American Bar Association Real Property Probate and Trust Section Employee Benefits and Executive Compensation Group on Friday, January 19, 2024 from 11:30 AM – 12:30 PM Central Time. Group members and other interested persons are invited to join this complimentary Zoom call.

About The Health Plan Claim Denials Update[1]

Employee Retirement Income Security Act (“ERISA”)-covered group health and disability plan participants and beneficiaries increasingly successfully overcome health plan benefit denials and receive ERISA § 502(c) awards based on federal court’s rulings plan fiduciaries or administrators failed to fulfill the Employee Benefit Security Administration (“EBSA”) adverse benefit determination regulations.  

During the “Health Plan Claims Denials Update, attorneys Cynthia Marcotte Stamer and Allison Moody will share an update on the precedent driving this emerging trend, how the new No Surprises Act rules interface with ERISA adverse benefit determination regulations, and discuss implications and best practices for health plan fiduciaries, administrators, and their advisors should consider to strengthen the defensibility of their plans’ adverse benefit determinations and mitigate risks in light of this trend to the American Bar Association Real Property Probate and Trust Section Employee Benefits and Executive Compensation Group monthly membership Zoom call on Friday, January 19, 2024. 

Participation in this and other RPTE Section Employee Benefit and Other Compensation Group calls is complimentary.  Members and other interested persons can join the call using the following Zoom credentials:

Zoom Meeting Link https://americanbar.zoom.us/j/91796395033?pwd=R1hEZlZCQjR4RitvODRlYVFCTmIwZz09

Meeting ID: 917 9639 5033

Passcode: 071394

One tap mobile: +13126266799,,91796395033# US (Chicago)

About the Presenters

Allison Moody.  Allison Moody is a highly experienced legal consultant, licensed to practice law, specializing in advising on complex health and welfare benefit laws.  With a deep understanding of the legal and regulatory landscape, Allison provides expert guidance to employers, brokers, and members in various states, ensuring their compliance with ever-evolving requirements.  Allison has built a reputation for helping organizations navigate the intricacies of employee benefits laws and delivering practical and effective solutions.  She also negotiates contracts, provides legal review of proposed legislation, regulations, and bulletins, and assists with audits and investigations.

Allison previously served as Vice President and General Counsel of a third-party administrator.  In her position there, she advised organizations on legal and business issues and finding ways to minimize risk. She also represented the company in various administrative and legal proceedings and hired and managed Outside Counsel in matters involving litigation or arbitration.

Allison has served in leadership roles in many benefits organizations over her career, including the Society of Professional Benefit Administrators (SPBA), Texas Professional Benefit Administrators (TPBA), RPTE Employee Benefits and Executive Compensation Committee, and the National Association of Health Insurance Professionals (NAHIP).  She is also a member of the ABA Tort and Insurance Practice Section, where she serves on the Medicine and Law and Life, Health and Disability, and Cybersecurity Committees.  In her spare time, she volunteers for Brother Bills Helping Hand and enjoys her French bulldogs.

Allison received her Juris Doctorate degree from Tulane Law School and graduated Magna Cum Laude in Communications/Political Science from Texas Tech. 

Cynthia Marcotte Stamer.  Cynthia Marcotte Stamer is a Fellow in the American College of Employee Benefits Counsel and Board Certified in Labor and Employment law by the Texas Board of Legal Specialization, recognized for her decades of prolific legal and operational work, legislative and regulatory advocacy, scholarship, and thought leadership on insured and self-insured managed care and other health care, disability and other employee benefit, insurance, health care and workforce programs, practices, and policies as a “Top Rated Lawyer,” and “LEGAL LEADER™” in Health Care Law and Labor and Employment Law; “Best Lawyer” in “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “HealthCare” and “Business and Commercial Law.”

For 35-plus years, “Cindy” has guided and represented self-insured and insured health and managed care, disability, and other employee benefit plans; employers; plan sponsors; fiduciaries’ administrative services, technology, and other vendors; insurers; brokers and consultants; health care providers;; governments; and others on the design, administration, and defense of claims and appeals and other plan provisions, practices, systems and technologies; the prevention, evaluation, mitigation, and defense of fiduciary, participant and beneficiary, health care provider, government and other claims, disputes, and other enforcement actions arising out of the operation of these programs; contracting, technology and product development; fiduciary responsibility, market conduct and other operating standards; health care fraud; privacy and data security; innovation and change management;  government relations and investigations; and a diverse range of other employee benefits, insurance, employment, compensation, and health care operations, risk management, and compliance concerns.

Cindy also contributes her knowledge and leadership as the American Bar Association (“ABA”) RPTE Employee Benefits and Executive Compensation Group Chair and current Welfare Committee Co-Chair; current ABA Joint Committee on Employee Benefits (“JCEB”) HHS Agency Meeting Scribe and former JCEB Council Representative and Marketing Committee Chair; current ABA TIPS Section Medicine and Law Committee Chair, Employment Committee Diversity Vice Chair, and former Employee Benefits Committee Vice Chair; current ABA International Section International Life Sciences and Health Committee Chair and International Employment Committee Vice Chair; former ABA Health Law Section Managed Care & Insurance Group Chair; former SHRM National Consultant’s Board and Regional Chair; former board member, Programs Committee Chair and Treasurer of the Southwest Benefits Association; founding Board Member and Past President of the Alliance for Health Care Excellence and founder of its Health Care Heroes and Patient Empowerment Programs; past National Board Member and Dallas Chapter President of Web Network of Benefit Professionals; former Texas Association of Business BACPAC Chair, Board Member, Regional Chair, Dallas Chapter Chair and Health Care Task Force Leader; and in many other professional and civic leadership roles.

A continuous learner, prolific author, and popular public speaker, Cindy also has authored hundreds of highly regarded publications on employee benefits and other workforce, health care, managed care, privacy and data security, technology, and other related compliance, risk management, and public policy concerns.  Her thought leadership on these and other concerns often is quoted in the professional and public media and sought out by legislative, regulatory, and industry leaders.

About The Employee Plans and Executive Compensation Group

The January 19, 2024 Zoom call is part of a monthly series of membership calls hosted over Zoom by the Employee Benefits and Executive Compensation Group as a free member benefit.  The Employee Plans & Executive Compensation Group is comprised of 249 attorneys with an interest in or focus on employee benefits, ERISA and executive compensation issues. The Group includes six substantive committees: Fiduciary Responsibility, Administration, and Litigation; Welfare Benefit Plans; Plan Transactions and Terminations; Qualified Plans; Non-Qualified Deferred Compensation; and IRAs and Plan Distributions.  Membership in the Group and the American Bar Association is open to attorney and other interested individuals

[1] The purpose of this discussion is to enable individuals to share and exchange their personal views on topics and issues of importance to the legal profession. All comments that appear are solely those of the individual, and do not reflect ABA positions or policy. The ABA endorses no comments made herein.

Comments Off on ABA RPTE Section Group Hosts 1/19 Health Plan Claim Denials Update Zoom Call | Association Health Plan, Claims, Claims Administration, Corporate Compliance, EBSA, employee, Employee Benefits, Employer, Employers, ERISA, fiduciary duty, Fiduciary Responsibility, health benefit, Health Benefits, health Care, health insurance, health insurance marketplace, health plan, Health Plans, Insurance, insurers, Internal Revenue Code, Managed Care, Medical Billing, MEWA, Patient Empowerment, Patient Protection & Affordable Care Act, Reporting & Disclosure, self insured health plan, Surprise Billing, third party administrators | Permalink
Posted by Cynthia Marcotte Stamer

$160K HIPAA Penalty Warns Health Plans & Other Covered Entities Deliver Timely Protected Health Information Access

January 8, 2024

Health plans, health care providers and health care clearinghouses (“Covered Entities”) treat the Department of Health and Human Service Office of Civil Right (“OCR”) announcement of its 46th enforcement action under the Health Insurance Portability & Accountability Act (“HIPAA”) Right of Access Rule as a warning to confirm their own organization’s timely delivery of records and other compliance with the Rule.  Coupled with OCR’s Right of Access Rule settlement agreement with United Health Insurance Group last August, the latest settlement agreement sends a strong message to health plans and other Covered Entities about the risks of failing to deliver protected health information as required by the Right of Access Rule. 

HIPAA Right of Access Rule

The HIPAA Right of Access Rule guarantees individuals the right to access a broad array of health information about themselves maintained by or for health plans and other Covered Entities. Under the Right of Access Rule, Covered Entities generally must provide individuals or their personal representatives copies or other acceptable access to the individual’s protected health information in a Covered Entity’s “designated record set” for a reasonable cost as soon as possible and within 30 days of receiving a request for a reasonable cost. However, the Right of Access Rule does not grant any right for an individual to access protected health information that is not part of a designated record set because the information is not used to make decisions about individuals.

The request for protected health information triggering the duty for a Covered Entity to provide access to the protected health information may come from the individual who is the subject of the protected health information or from the “personal representative” of that individual.  When considering a request for protected health information from an individual other than the subject of the protected health information, health plans and other Covered Entities also must use care to verify that the requesting party, in fact, qualifies as the individual’s “personal representative” as defined for purposes of HIPAA. 

Once a health plan or other Covered Entity receives a request protected health information from the individual or his personal representative, the Right of Access Rule requires the Covered Entity to provide access to all requested protected health information within any “designated record set” within 30 days unless the requested information falls within one of two exceptions to the Rule. 

For this purpose, a “designated record set” generally is defined at 45 CFR 164.501 as any item, collection, or grouping of information that includes protected health information that is maintained, collected, used, or disseminated by or for a Covered Entity that comprises the:

  • Medical records and billing records about individuals maintained by or for a covered health care provider;
  • Enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
  • Other records that are used, in whole or in part, by or for the covered entity to make decisions about individuals. This last category includes records that are used to make decisions about any individuals, whether or not the records have been used to make a decision about the particular individual requesting access.

However, the Right of Access Rule only requires the delivery of protected health information that is part of a designated record set.  It does not require health plans or other Covered Entities to provide protected health information that the Covered Entity does not use to make decisions about the individual, since this information is not considered part of a designated record set.  Examples of such records of protected health information might include protected health information in certain quality assessment or improvement records, patient safety activity records, or business planning, development, and management records the Covered Entity uses for business decisions more generally rather than to make decisions about the subject individual. Before refusing to provide information not part of a designated record set, however, the health plan or other Covered Entity does not also use or possess that information for making decisions about the subject individual or that disclosure is not otherwise required under another law. For example, even if the Right of Access Rule does not require disclosure of protected health information because it is not considered part of a designated record set, a health plan still be required to disclose the record if required by the adverse benefit determination rules of the Patient Protection and Affordable Care Act (“ACA”), claims and appeals rules of the Employee Retirement Income Security Act or other applicable law, regulation or another law.    

Even where the information falls within the definition of a designated record set, however, HIPAA expressly excludes two categories of information from the Right of Access right:

  • Psychotherapy notes, which are the personal notes of a mental health care provider documenting or analyzing the contents of a counseling session maintained separately from the rest of the patient’s medical record as described in 45 CFR 164.524(a)(1)(i) and 164.501.
  • Information complied in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding described under 45 CFR 164.524(a)(1)(ii).

However, it is critical that Covered Entities not overestimate the reach of either of these two exceptions. The exception only applies to the narrow range of records meeting the requirements of the exception.  The underlying protected health information from the individual’s medical or payment records or other records used to generate the above types of excluded records or information remains part of the designated record set and is subject to access by the individual under the Right of Access Rule.  Providers and other Covered Entities should use care to comply with the Right of Access Rule without providing more information than allowed as HIPAA liability can arise from failing to timely deliver access to all protected health information required by the Right of Access Rule or from sharing protected health information with an individual who is not either the individual or personal representative when the disclosure otherwise is not allowed by HIPAA To help negotiate these requirements, Covered Entities should become familiar with and process all requests for protected health information following the latest Right of Access Rule guidance. When in doubt, Covered Entities should seek the advice of experienced legal counsel within the scope of attorney-client privilege about proper fulfillment of their obligations under the Right of Access Rule in coordination with any other applicable responsibilities the Covered Entities has to provide access, disclose, or prevent disclosure of the requested information under otherwise applicable federal or states laws and regulations, ethical or other professional standards, contractual or other medical, insurance, financial, employee benefit or other rules relating to the requested records.

Optum Settlement 46th Right Of Access Enforcement Settlement

The Optum settlement resulted from OCR’s investigation of six complaints in the Fall of 2021 that Optum violated the Right of Access Rule by failing to provide timely access to medical records when requested by an adult patient or by the parents of minor patients.

In February 2022, OCR initiated investigations of these Right of Access complaints. The investigation revealed that patients received their requested records between 84 and 231 days after submitting their respective requests. Since the Right of Access Rule requires that Covered Entities deliver the records no later than 30 days from receiving the individual’s requests, those timeframes fell well outside of the deadline for delivery required by the HIPAA Right of Access Rule.  Accordingly, OCR concluded that Optum’s failure to provide timely access to the requested medical records was a potential violation of HIPAA.

Under the Resolution Agreement reached with Optum, Optum agreed to pay $160,000 to OCR as well as implement a corrective action plan that requires workforce training, reporting records requests to OCR, and reviewing and revising as necessary its right of access policies and procedures to provide timely responses to requests. Under the plan, OCR will monitor Optum Medical Care for one year.

Right Of Access Remains OCR Investigation & Enforcement Priority

The Optum enforcement action and settlement is the latest reminder to all Covered Entities that investigation and enforcement remains a top OCR priority. See e.g. OCR Sanction Of 44th Health Care Provider For Violating HIPAA Right of Access Rules Warning To Other Covered Entities. Because access to medical records empowers patients and their families to make decisions about their health care and improve their health overall, OCR views access to medical records “a fundamental right under HIPAA. For this reason, OCR believes it “critical that providers follow the law.”  Accordingly, OCR Director Melanie Fontes Rainer has warned that health care providers “must proactively respond to record requests and ensure timely access” and “make responding to parents’ or patients’ request for access to their medical records in a timely manner a priority.” See e.g., HHS’ Office for Civil Rights Settles Multiple HIPAA Complaints with Optum Medical Care Over Patient Access to Records (January 4, 2024).

While health care providers are the most common target of OCR’s Right Of Access complaints and enforcement, OCR’s August, 2023 Right of Access settlement against United Health Insurance Group (“UHIG”) confirms health plans also are targets. That settlement arose from OCR’s investigation of a March 2021 complaint alleging that UHIC did not respond to an individual’s request for a copy of their medical record. The investigation showed the individual first requested a copy of their records on January 7, 2021, but did not receive the records until July 2021, after OCR initiated its investigation.  Movrover, the March, 2021 complaint was the third complaint OCR received from the complainant against UHIC alleging failures to respond to his right of access. These findings led OCR to conclude UHIC’s failure to provide timely access to the requested medical records was a potential violation of the HIPAA right of access provision.  In OCR’s announcement of UHIG’s agreement to pay $80,000 to resolve these potential charges, OCR Director, Melanie Fontes Rainer warned, “Health insurers are not exempt from the right of access and must ensure that they are taking steps to train their workforce to ensure that they are doing all they can to help members’ access to health information.”  See, UnitedHealthcare Pays $80,000 Settlement to HHS to Resolve HIPAA Matter over Patient Medical Records Request.

Manage Right of Access Rule Exposure

Despite OCR’s warnings about the responsibility to comply with the Right of Access Rule, many health plans and other Covered Entities continue to violate the Rule. OCR has and continues to receive thousands of Right of Access Rule complaints each year.  In response to these persistent compliance issues, OCR continues to make enforcement of the Right of Access Rule a key enforcement priority through its Right Of Access Initiative.

In light of OCR’s commitment to continue to investigate and enforce compliance with the Right of Access Rule, health care providers and other Covered Entities and their business associates are urged to review their existing practices for receiving and processing patient record requests to confirm their own organizations’ compliance with the Right of Access Rule and other applicable federal and state statutory regulatory and contractual requirements. To reduce risks of violations, all health care providers and other Covered Entities should seek assistance from experienced legal counsel within the scope of attorney-client privilege to audit their past and current Right of Access Rule compliance for any necessary or advisable steps to prevent future violations and mitigate potential liabilities arising from potential past or future violations of the Right of Access Rule.  Aside from confirming documented timely responses to past requests for protected health information, among other things, most Covered Entities will want to consider:

  • Verifying that their current policies, privacy practices notices, training and other materials are updated to comply with all applicable policies and properly identify and provide current contact information for the Privacy Officer or other party responsible for receiving and responding to protected health information requests;
  • Appropriate procedures are in place to ensure that the Covered Entity can produce required documentation showing the individuals are appropriately notified of the Right of Access and other HIPAA rules, and that the Covered Entity captures the necessary documentation to show its receipt of all requests, and timely investigation and response to such requests;
  • Appropriate and documented processes for collecting, investigating, or resolving any potential concerns, complaints, or other issues, their evaluation, and resolution;
  • Appropriate workforce, business associates, and other policies, training, oversight, and enforcement to require and enforce compliance with applicable laws and policies; and
  • Appropriate processes, procedures, and training to ensure that staff fully understands and complies with both the specific processes and procedures of the Covered Entity for complying with the Right of Access Rule, as well as related procedures necessary to manage risks and responsibilities arising under verification of identity, personal representative, disclosure, recordkeeping or other HIPAA’ rules; medical, insurance, financial, or other data or privacy; licensure and market conduct; civil rights and nondiscrimination; fiduciary; licensure; marketing or other rules.

When confirming compliance with the Right of Access Rule, health plans and other Covered Entities also should reevaluate their organization’s exposure to other HIPAA associated risks. See, e.g., Health Plans Warned To Prevent Phishing By 1st Phishing-Related HIPAA Settlement; New HIPAA Resolution Agreement Warns Health Plans & Other HIPAA-Covered Entities To Manage Media Relations, Access & Disclosure; $80,000 Penalty Confirms Health Plans Exposure For Violating HIPAA Access Rights; $350K Settlement Highlights Need For Plans & Plan Service Providers To Ensure Security, Business Associate & Other HIPAA Requirements Met. Health plans take documented, prudent steps to reconfirm the adequacy of their own, and their business associates’ policies, processes, training, documentation and other compliance with these and other medical and other plan records and data maintenance, security, use, access and disclosure.

Aside from the direct exposures for these and other HIPAA violations arising under HIPAA, health plans, their fiduciaries, insurers, plan sponsors and administrators should keep in mind that the Employee Benefit Security Administration views potential data breaches and other HIPAA violations as a potential source of fiduciary liability under the Employee Retirement Income Security Act. 

While involving outside consultants or other service providers generally is valuable if not required to conduct some of these tasks, Covered Entities are encouraged to use experienced outside legal counsel to help plan, conduct, evaluate and decide, and implement responses to findings from these compliance and risk management activities both to benefit from legal counsel’s substantive legal expertise and experience and to take advantage of the opportunity to conduct sensitive discussions within the protection of attorney-client privilege or other evidentiary rules.  Experienced outside legal counsel can guide Covered Entities about the best way to work with consulting and other vendors to maximize these benefits. Where legal advice is provided to health plan fiduciaries, health plans, their fiduciaries, insurers, sponsors, and service providers also should keep in mind that advice and work product performed on behalf of a health plan or plan fiduciary may not enjoy the same protection against discovery under attorney-client privilege and work product rules.

For More Information

We hope this update is helpful. For more information about these or other health or other legal, management, or public policy developments, please get in touch with the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 35 plus years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

A Fellow in the American College of Employee Benefit Counsel, Co-Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee and Vice-Chair Elect of its International Employment Law Committee, Chair-Elect of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading-edge work, scholarship and thought leadership on heath benefit and other healthcare and life science, managed care and insurance and other workforce and staffing, employee benefits, safety, contracting, quality assurance, compliance and risk management, and other legal, public policy and operational concerns in the healthcare and life sciences, employee benefits, managed care and insurance, technology and other related industries. She speaks and publishes extensively on these and other related compliance issues.

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, life sciences, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. Author of a multitude of highly regarded publications on HIPAA and other medical record and data privacy and scribe for the ABA JCEB Annual Meeting with the HHS Office of Civil Rights, her experience includes extensive involvement throughout her career in advising health care and life sciences and other clients about preventing, investigating and defending EEOC, DOJ, OFCCP and other Civil Rights Act, Section 1557 and other HHS, HUD, banking, and other federal and state discrimination investigations, audits, lawsuits and other enforcement actions as well as advocacy before Congress and regulators regarding federal and state equal opportunity, equity and other laws. 

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here, such as:

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and educational purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstances at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules make it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access to this publication. 

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2024 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™

Comments Off on $160K HIPAA Penalty Warns Health Plans & Other Covered Entities Deliver Timely Protected Health Information Access | Association Health Plan, Civil Monetary Penalties, Claims Administration, Corporate Compliance, Cybercrime, Data Breach, Data Security, Electronic Medical Record, employee, Employee Benefits, ERISA, Fiduciary Responsibility, group health plan, health plan, Health Plans, HIPAA, Protected Health Information, Reporting & Disclosure, self insured health plan | Tagged: , , , , , , , , , , , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

Children’s Hospital Pays $45K To Resolve COVID Vaccine Religious Discrimination Suit

December 22, 2023
Pandemic’s End Doesn’t End COVID-19 Employer Headaches

Children’s Healthcare of Atlanta, Inc. (“CHOA”) is paying $45,000 to settle a religious discrimination lawsuit arising from its failure to grant a religious exemption from its COVID-19 vaccination requirements for a maintenance worker. The lawsuit highlights the continuing importance of all employers to use care when handling request for religious accommodation to vaccine or other workplace requirements.

The lawsuit filed by the U.S. Equal Employment Opportunity Commission (“EEOC”) arises from the 2019 denial of a request for a religious exemption to CHOA’s COVID-19 vaccine mandate made by a maintenance worker. CHOA previously had granted the same employee a religious exemption for vaccine mandates in 2017 and 2018. In 2019, however, CHOA denied the employee’s request for a religious accommodation and fired him, despite the employee working primarily outside and his position requiring limited interaction with the public or staff the EEOC said.

The EEOC alleged the denial of the vaccine exemption violated Title VII of the Civil Rights Act of 1964, which prohibits firing an employee because of their religion and requires that employers reasonably accommodate the sincerely held religious beliefs of their employees.

Under the consent degree entered in Ciil Action No. 1:22-CV-04953-MLB-RDC in U.S. District Court for the Northern District of Georgia, CHOA will pay $45,000 in monetary damages to the former employee. CHOA will also adjust its influenza vaccine religious exemption policy to presume the exemption eligibility of employees with remote workstations or who otherwise work away from the presence of other employees or patients, and to protect the ability of such employees to seek alternative positions within CHOA if their religious exemption request is denied. The decree further provides that CHOA will train relevant employees on religious accommodation rights under Title VII.

The EEOC announcement of the consent degree alerts employers of the continuing need to use care when handling religious accommodation requests to vaccine or other workplace policies. “ It is the responsibility of an employer to accommodate its employees’ sincerely held religious beliefs,” the announcement quotes Marcus G. Keegan, the regional attorney for the EEOC’s Atlanta District Office. “Unless doing so would require more than a minimal cost, an employer may not deny requested religious accommodations, let alone revoke those previously granted without issue. The EEOC is pleased that the employee has been compensated and that CHOA has agreed to take steps to ensure that it meets its obligation to evaluate religious accommodation requests in a manner consistent with federal law.”

Likewise, the announcement quotes Darrell Graham, district director of the Atlanta office, as saying , “The arbitrary denial of religious accommodations drives religious discrimination in the workplace. The EEOC remains committed to enforcing the laws that protect employees’ religious practices.”

CHOA’s denial of the exemption happened at the height of the COVID-19 pandemic.  Federal COVID – 19 vaccination mandates now are all ended.  While federal mandates initially dictated COVID-19 vaccination as a condition of participation in Medicare by healthcare providers, for government contractors and others, the original mandates were quickly revised to include religious exemption requirements before court rules, agency action and the end of the Pandemic put an end to these mandates. During and after the federal mandates, however, employers were required to negotiate a minefield of competing concerns and potential liabilities when deciding what and how to mandate and enforce safety, leave and other rules without running afoul of employment discrimination and whistleblower claims. See, e.g., EEOC COVID Guidance, Enforcement Highlights Need To Brace For COVID-Related ADA & Other Claims; Texas Private Employer COVID-19 Vaccination Mandates Prohibited Effective February 6, 2024; IRS Warns Of Fraudulent Promotion of COVID Employee Retention Credits; OSHA Enforces Whistleblower Rights Of Worker Terminated For Expressing COVID-19 Safety Concerns; Biden-⁠Harris Administration Ending COVID-⁠19 Vaccination Requirements For Federal Employees, Contractors, International Travelers, Head Start Educators & CMS-Certified Facilities; SCOTUS To Hear Oral Arguments on OSHA COVID-19 Vaccination Rule Enforceability On January 7; COVID-19 Vaccination Rule Injunctions Leave Employers With Significant Liability Challenges Even As OSHA Extends Comment Period on OSHA COVID-19 Vaccine ETS; Manage Heightened Retaliation Exposures Arising From COVID-19 Safety, Return-To-Work & Other Practices

While the federal COVID-19 vaccine mandate is gone, many healthcare and other employers continue to impose mandate requirements with appropriate disability and religious exemptions as part of their workplace safety and patient safety protocols. Additionally, beyond the Covid – 19 vaccination protocols, many workplace vaccination and other rules also can create conflicts with certain religious beliefs that prompt religious accommodation requests.

Employers administering these vaccination, and other policies must keep in mind that the duty to offer religious accommodation and the EEOC emphasis on enforcing accommodation rights for workers whose deeply held religious beliefs conflict with workplace rules lives on. The perils remain, even if the requirement is supported by well, established patient or workplace safety protocols. Employers need to evaluate and be prepared to defend their inability to accommodate the safety and other concerns underlying the workplace mandate against a potential religious discrimination challenge.

Employers must remain diligent in their management of responses to request for accommodations keeping in mind that EEOC COVID-19 – era guidance imposes a heavy burden on an employer to justify its refusal of a request. For this reason, employers that receive a request for religious of accommodation from an employee should seek the advice of experienced legal counsel as soon as possible if any question exists about whether the employer will grant the request. Employers also should ensure their policies clearly communicate the availability of religious and disability accommodation from these other requirements, establish clear protocols for requesting and processing those requests and prohibit and prevent retaliation.

To promote defensibility, employers also should consult with experienced legal counsel about the use of attorney, client, privilege, and other protocols to prevent or minimize the risk that discussions and actions in response to, or following a request for accommodation creates evidence of discrimination or retaliation.

For More Information

We hope this update is helpful. For more information about these or other health or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 35 plus years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

A Fellow in the American College of Employee Benefit Counsel, Co-Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee and Vice-Chair Elect of its International Employment Law Committee, Chair-Elect of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading-edge work, scholarship and thought leadership on heath benefit and other healthcare and life science, managed care and insurance and other workforce and staffing, employee benefits, safety, contracting, quality assurance, compliance and risk management, and other legal, public policy and operational concerns in the healthcare and life sciences, employee benefits, managed care and insurance, technology and other related industries. At her career, she has worked extensively with healthcare and other employers to manage discrimination and other workplace and employee benefit compliance and risks. She speaks and publishes extensively on these and other related compliance issues.

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, life sciences, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. Scribe for the ABA JCEB Annual Meeting with the HHS Office of Civil Rights, her experience includes extensive involvement throughout her career in advising health care and life sciences and other clients about preventing, investigating and defending EEOC, DOJ, OFCCP and other Civil Rights Act, Section 1557 and other HHS, HUD, banking, and other federal and state discrimination investigations, audits, lawsuits and other enforcement actions as well as advocacy before Congress and regulators regarding federal and state equal opportunity, equity and other laws. 

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here such as:

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and educational purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstances at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules make it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access to this publication. 

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2023 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™

Comments Off on Children’s Hospital Pays $45K To Resolve COVID Vaccine Religious Discrimination Suit | Academic Medicine, Accommodation, ADA, Affirmative Action, board of directors, Corporate Compliance, corporate governance, COVID-19, Disability, Disability Discrimination, Discrimination, Diversity, EEOC, employee, Employee Benefits, Employee Handbook, Employer, Employers, Employment, Employment Discrimination, Employment Policies, Employment Termination, health Care, health centers, health plan, Health Plans, HR, Human Resources, Insurance, insurers, Internal Controls, Internal Investigations, Managed Care, religious accommodation, Religious Organization, Religous Discrimination, Risk Management, Worker, Workforce | Tagged: , , , | Permalink
Posted by Cynthia Marcotte Stamer

Prepare Feedback! Tri-Agencies Plan To Reopen Surprise Billing Proposed Dispute Resolution Rule Comment Period

December 22, 2023

Got issues with the most recent articulation of the proposed rule on “Federal Independent Dispute Resolution (IDR) Operations” (“Rule”) that governs the independent dispute resolution process for resolving to disputes over out-of-network claims between health plans and heath care providers under the No Surprises Act?

The Departments of Health and Human Services, Labor, and the Treasury (the “Departments”) and the Office of Personnel Management intend to reopen the comment period for submitting comments on the proposed rule “Federal Independent Dispute Resolution (IDR) Operations.”

The announced plan to reopen the comment period on the Proposed Rule follows the Departments’ recent reopening of the dispute resolution portal and announcement of a $115 user fee for providers and health plans participating in the process beginning in February. See No Surprises Act Independent Dispute Resolution Portal Fully Reopened, New Fees Announced; No Surprises Act Dispute Resolution Portal For All Covered Health Claims

Concerned persons should begin preparing comments to submit while awaiting the Departments publication of official notice in the Federal Register of the reopening of the comment period.

For More Information

We hope this update is helpful. For more information about these or other health or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 35 plus years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

A Fellow in the American College of Employee Benefit Counsel, Co-Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee and Vice-Chair Elect of its International Employment Law Committee, Chair-Elect of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading-edge work, scholarship and thought leadership on heath benefit and other healthcare and life science, managed care and insurance and other workforce and staffing, employee benefits, safety, contracting, quality assurance, compliance and risk management, and other legal, public policy and operational concerns in the healthcare and life sciences, employee benefits, managed care and insurance, technology and other related industries. She speaks and publishes extensively on these and other related compliance issues.

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, life sciences, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. Scribe for the ABA JCEB Annual Meeting with the HHS Office of Civil Rights, her experience includes extensive involvement throughout her career in advising health care and life sciences and other clients about preventing, investigating and defending EEOC, DOJ, OFCCP and other Civil Rights Act, Section 1557 and other HHS, HUD, banking, and other federal and state discrimination investigations, audits, lawsuits and other enforcement actions as well as advocacy before Congress and regulators regarding federal and state equal opportunity, equity and other laws. 

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here such as:

Comments Off on Prepare Feedback! Tri-Agencies Plan To Reopen Surprise Billing Proposed Dispute Resolution Rule Comment Period | compliance, Corporate Compliance, EBSA, Employee Benefits, Employer, Employers, ERISA, Excise Tax, fiduciary duty, Fiduciary Responsibility, health Care, health care transparency, health centers, health insurance, health insurance marketplace, Health IT, health plan, Health Plans, health reform, HR, Human Resources, Insurance, insurers, Internal Revenue Code, Managed Care, self insured health plan, Surprise Billing, third party administrators | Permalink
Posted by Cynthia Marcotte Stamer

IRS Announces 2024 HFSA, MSA, HDHP & Other Tax Inflation Adjustments Impacting 2024 Benefit, Withholding & Other Tax Planning

November 10, 2023

quickly to implement and communicate 2024 health spending account (“HFSA”), high deductible health plan amounts relevant to determining eligibility to contribute to a medical savings account (“MSA”), adoption credit and exclusion limits, and other inflation-adjusted limitations relevant to the annual enrollment, withholding and other year-end tax and benefit planning of workers and their families to assist workers to take into account these adjustments during 2024 benefit enrollment and tax planning. 

The Internal Revenue Service announced the 2024 HFSA, MSA and other a multitude of other adjustments likely to impact 2024 benefit elections, withholding and other tax planning for workers in Rev. Proc. 2023-34  (“Revenue Procedure”) on Thursday, November 9, 2023.

HFSA, HDHP & MSA, Adoption & Other Adjustments Impacting Cafeteria Plan Elections

The Revenue Procedure announces a host of inflation adjustments that could impact employee’s 2024 cafeteria plan and health plan elections.

HFSA Limit. For taxable years beginning in 2024, the dollar limitation under Internal Revenue Code § 125(i) on voluntary employee salary reductions for contributions to health flexible spending arrangements (“HFSAs”) is $3,200.

The $3200 HFSA limit for 2024 is a slight increase from the 2023 limit of $3,050.

If the employer’s plan permits the carryover of unused HFSA amounts, employees can carry over up to $640 in 2024. That is $30 over the 2023 carryover amount of $610.

HDHP. The Revenue Procedure also adjusts the deductible required for a health plan to qualify as a “high deductible health plan” (“HDHP”) for which the Code allows tax preferred contributions to Medical Savings Accounts (“MSAs”). As adjusted in the Revenue Procedure, for taxable years beginning in 2024 the term “high deductible health plan” as defined in § 220(c)(2)(A) means:

  • For self-only coverage, a health plan that has an annual deductible that is not less than $2,800 and not more than $4,150, and under which the annual out-of-pocket expenses required to be paid (other than for premiums) for covered benefits do not exceed $5,550.
  • For family coverage, a health plan that has an annual deductible that is not less than $5,550 and not more than $8,350, and under which the annual out-of-pocket expenses required to be paid (other than for premiums) for covered benefits do not exceed $10,200.

Qualified Small Employer Health Reimbursement Arrangement

For taxable years beginning in 2024, to qualify as a qualified small employer health reimbursement arrangement under § 9831(d), the arrangement must provide that the total amount of payments and reimbursements for  any year cannot exceed $6,150 ($12,450 for family coverage).  

Adoption Assistance Programs & Adoption Credit Limits

For taxable years beginning in 2024, Code § 137(a)(2) caps the amount excludible from an employee’s gross income for the amounts paid or expenses incurred by an employer for qualified adoption expenses furnished pursuant to an adoption assistance program for adoptions by the employee at $16,810, subject to the applicable phase out for taxpayers with adjusted gross income above $252,150.

The amount excludable from an employee’s gross income begins to phase out under § 137(b)(2)(A) for taxpayers with modified adjusted gross income in excess of $252,150 and is completely phased out for taxpayers with modified adjusted gross income of $292,150 or more.

Similarly, for taxable years beginning in 2024, $16,810 is the maximum credit allowed under § 23 for an adoption of a special needs child as well as for other adoptions.  The otherwise available adoption credit begins to phase out under § 23(b)(2)(A) for taxpayers with modified adjusted gross income in excess of $252,150 and is completely phased out for taxpayers with modified adjusted gross income of $292,150 or more.

Child Tax Credit

For taxable years beginning in 2024, the amount used in Code § 24(d)(1)(A) to determine the amount of credit under § 24 that may be refundable is $1,700. .06 Earned Income Credit. (1) In general. For taxable years beginning in 2024, the following amounts are used to determine the earned income credit under § 32(b). The “earned income amount” is the amount of earned income at or above which the maximum amount of the earned income credit is allowed. The “threshold phaseout amount” is the amount of adjusted gross income (or, if greater, earned income) above which the maximum amount of the credit begins to phase out. The “completed phaseout amount” is the amount of adjusted gross income (or, if greater, earned income) at or above which no credit is allowed. The threshold phaseout amounts and the completed phaseout amounts shown in the table below for married taxpayers filing a joint return include the increase provided in § 32(b)(2)(B), as adjusted for inflation for taxable years beginning in 2024. The threshold phaseout amounts and the completed phaseout amounts shown in the table below for taxpayers with all other filing statuses also apply to married taxpayers who are not filing a joint return and satisfy the special rules for separated spouses in § 32(d).

Number of Qualifying Children

ItemOneTwoThree or MoreNone
Earned Income Amount$12,390$17,400$17,400$8,260
Maximum Amount of Credit$4,213$6,960$7,830$632
Threshold Phaseout Amount (Married Filing Jointly)$29,640$29,640$29,640$17,250
Completed Phaseout Amount (Married Filing Jointly)$56,004$62,688$66,819$25,511
Threshold Phaseout Amount (All other filing statuses)$22,720$22,720$22,720$10,330
Completed Phaseout Amount (All other filing statuses)$49,084$55,768$59,899$18,591

For taxable years beginning in 2024:

  • The standard deduction amount for an individual who may be claimed as a dependent by another taxpayer cannot exceed the greater of (1) $1,300, or (2) the sum of $450 and the individual’s earned income; and
  • The additional standard deduction amount for the aged or the blind is $1,550. This additional standard deduction amount is increased to $1,950 if the individual is also unmarried and not a surviving spouse.

Qualified Transportation Fringe Benefit

For taxable years beginning in 2024, the monthly limitation under § 132(f)(2)(A) regarding the aggregate fringe benefit exclusion amount for transportation in a commuter highway vehicle and any transit pass is $315. The monthly limitation under § 132(f)(2)(B) regarding the fringe benefit exclusion amount for qualified parking is $315.

Eligible Long-Term Care Premiums & Periodic Payments

For taxable years beginning in 2024, the limitations under § 213(d)(10), regarding eligible long-term care premiums includible in the term “medical care”, as adjusted for inflation, are as follows:

Attained Age Before the Close of the Taxable YearLimitation on Premiums
40 or less$470
More than 40 but not more than 50$880
More than 50 but not more than 60$1,760
More than 60 but not more than 70$4,710
More than 70$5,880

For calendar year 2024, the stated dollar amount of the per diem limitation under § 7702B(d)(4), regarding periodic payments received under a qualified long-term care insurance contract or periodic payments received under a life insurance contract that are treated as paid by reason of the death of a chronically ill individual, is $410.

2024 Income Tax Tables and Standard Exemption amounts just released by the Internal Revenue Service (“IRS”) may help employees and their families in updating their W-4 withholding and planning certain employee benefit or other elections for 2024.

The updated 2024 Income Tax Rate tables included in Revenue Procedure 2023-34, released by the IRS on October 9, 2023 are as follows:

TABLE 1 – Section 1(j)(2)(A) –Married Individuals Filing Joint Returns and Surviving Spouses

If Taxable Income Is:The Tax Is:
Not over $23,20010% of the taxable income
Over $23,200 but not over $94,300$2,320 plus 12% of the excess over $23,200
Over $94,300 but not over $201,050$10,852 plus 22% of the excess over $94,300
Over $201,050 but not over $383,900$34,337 plus 24% of the excess over $201,050
Over $383,900 but not over $487,450$78,221 plus 32% of the excess over $383,900
Over $487,450 but not over $731,200$111,357 plus 35% of the excess over $487,450
Over $731,200$196,669.50 plus 37% of the excess over $731,200

TABLE 2 – Section 1(j)(2)(B) – Heads of Households

If Taxable Income Is:The Tax Is:
Not over $16,55010% of the taxable income
Over $16,550 but not over $63,100$1,655 plus 12% of the excess over $16,550
Over $63,100 but not over $100,500$7,241 plus 22% of the excess over $63,100
Over $100,500 but not over $191,950$15,469 plus 24% of the excess over $100,500
Over $191,950 but not over $243,700$37,417 plus 32% of the excess over $191,150
Over $243,700 but not over $609,350$53,977 plus 35% of the excess over $243,700
Over $609,350   $181,954.50 plus 37% of  the excess over $609,350

TABLE 3 – Section 1(j)(2)(C) – Unmarried Individuals (other than Surviving Spouses and Heads of Households)

If Taxable Income Is:The Tax Is:
Not over $11,60010% of the taxable income
Over $11,600 but not over $47,150$1,160 plus 12% of the excess over $11,600
Over $47,150 but not over $100,525$5,426 plus 22% of the excess over $47,150
Over $100,525 but not over $191,950$17,168.50 plus 24% of the excess over $100,525
Over $191,950 but not over $243,725$39,110.50 plus 32% of the excess over $191,150
Over $243,725 but not over $609,350$55,678.50 plus 35% of the excess over $243,725
Over $609,350$183,647.25 plus 37% of the excess over $609,350

TABLE 4 – Section 1(j)(2)(D) – Married Individuals Filing Separate Returns

If Taxable Income Is:The Tax Is:
Not over $11,60010% of the taxable income
Over $11,600 but not over $47,150$1,160 plus 12% of the excess over $11,600
Over $47,150 but not over $100,525$5,426 plus 22% of the excess over $47,150
Over $100,525 but not over $191,950$17,168.50 plus 24% of the excess over $100,525
Over $191,950 but not over $243,725$39,110.50 plus 32% of the excess over $191,150
Over $243,725 but not over $365,600$55,678.50 plus 35% of the excess over $243,725
Over $365,600$98,334.75 plus 37% of the excess over $365,600

TABLE 5 – Section 1(j)(2)(E) – Estates and Trusts

If Taxable Income Is:The Tax Is:
Not over $3,10010% of the taxable income
Over $3,100 but not over $11,150$310 plus 24% of the excess over $3,100
Over $11,150 but not over $15,200$2,242 plus 35% of the excess over $11,150
Over $15,200$3,659.50 plus 37% of the excess over $15,200

For taxable years beginning in 2024, $1,300 is the amount used for purposes of § 1(g)(7) to determine whether a parent may elect to include a child’s gross income in the parent’s gross income and to calculate the “kiddie tax.” For example, one of the requirements for the parental election is that a child’s gross income is more than the amount referenced in § 1(g)(4)(A)(ii)(I) but less than 10 times that amount; thus, a child’s gross income for 2024 must be more than $1,300 but less than $13,000.the amount in § 1(g)(4)(A)(ii)(I), which is used to reduce the net unearned income reported on the child’s return that is subject to the “kiddie tax,” is $1,300. This $1,300 amount also is the same as the amount provided in § 63(c)(5)(A), as adjusted for inflation.

Filing StatusStandard Deduction
Married Individuals Filing Joint Returns and
Surviving Spouses (§ 1(j)(2)(A)) Heads of Households
(§ 1(j)(2)(B))		$29,200
Unmarried Individuals (other than Surviving Spouses
and Heads of Households) (§ 1(j)(2)(C))		$21,900
Unmarried Individuals (other than Surviving Spouses and Heads of
Households) (§ 1(j)(2)(C))		$14,600
Married Individuals Filing Separate Returns (§ 1(j)(2)(D))$14,600

For taxable years beginning in 2024, the standard deduction amounts under § 63(c)(2) are as follows:

For More Information

We hope this update is helpful. For more information about this or other labor and employment developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.

Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

About The Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

Scribe for the ABA JCEB Annual Agency Meeting with OCR, Vice Chair of the ABA International Section Life Sciences Committee, past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and the ABA RPTE Employee Benefits & Other Compensation GroupMs. Stamer’s work throughout her 30 plus year career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns.  As a part of this work, she has continuously and extensively worked with domestic and international hospitals, health care systems, clinics, skilled nursing, long term care, rehabilitation and other health care providers and facilities; medical staff, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; EMR, claims, payroll and other technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, self-insured health and other employee benefit plans, their sponsors, fiduciaries, administrators and service providers, insurers and other payers, health industry advocacy and other service providers and groups and other health and managed care industry clients as well as federal and state legislative, regulatory, investigatory and enforcement bodies and agencies.

Ms. Stamer is most widely recognized for her decades-long leading edge work, scholarship and thought leadership on health and other privacy and data security and other health industry legal, public policy and operational concerns.  This  involvement encompasses helping health care systems and organizations, group and individual health care providers, health plans and insurers, health IT, life sciences and other health industry clients prevent, investigate, manage and resolve  sexual assault, abuse, harassment and other organizational, provider and employee misconduct and other performance and behavior; manage Section 1557, Civil Rights Act and other discrimination and accommodation, and other regulatory, contractual and other compliance; vendors and suppliers; contracting and other terms of participation, medical billing, reimbursement, claims administration and coordination, Medicare, Medicaid, CHIP, Medicare/Medicaid Advantage, ERISA and other payers and other provider-payer relations, contracting, compliance and enforcement; Form 990 and other nonprofit and tax-exemption; fundraising, investors, joint venture, and other business partners; quality and other performance measurement, management, discipline and reporting; physician and other workforce recruiting, performance management, peer review and other investigations and discipline, wage and hour, payroll, gain-sharing and other pay-for performance and other compensation, training, outsourcing and other human resources and workforce matters; board, medical staff and other governance; strategic planning, process and quality improvement; meaningful use, EMR, HIPAA and other technology,  data security and breach and other health IT and data; STARK, antikickback, insurance, and other fraud prevention, investigation, defense and enforcement; audits, investigations, and enforcement actions; trade secrets and other intellectual property; crisis preparedness and response; internal, government and third-party licensure, credentialing, accreditation, HCQIA and other peer review and quality reporting, audits, investigations, enforcement and defense; patient relations and care;  internal controls and regulatory compliance; payer-provider, provider-provider, vendor, patient, governmental and community relations; facilities, practice, products and other sales, mergers, acquisitions and other business and commercial transactions; government procurement and contracting; grants; tax-exemption and not-for-profit; privacy and data security; training; risk and change management; regulatory affairs and public policy; process, product and service improvement, development and innovation, and other legal and operational compliance and risk management, government and regulatory affairs and operations concerns. to establish, administer and defend workforce and staffing, quality, and other compliance, risk management and operational practices, policies and actions; comply with requirements; investigate and respond to Board of Medicine, Health, Nursing, Pharmacy, Chiropractic, and other licensing agencies, Department of Aging & Disability, FDA, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; JCHO and other accreditation and quality organizations; private litigation and other federal and state health care industry actions: regulatory and public policy advocacy; training and discipline; enforcement;  and other strategic and operational concerns.

Author of leading works on HIPAA and a multitude of other health care, health plan and other health industry matters, the American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting and a former Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here such as: 

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2023 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.

Comments Off on IRS Announces 2024 HFSA, MSA, HDHP & Other Tax Inflation Adjustments Impacting 2024 Benefit, Withholding & Other Tax Planning | Cafeteria Plans, Corporate Compliance, Health Plans, Tax | Permalink
Posted by Cynthia Marcotte Stamer

Reviewing Newly Released 2024 Income Tax Tables Helpful For 2024 Benefit & Withholding Planning

November 9, 2023

2024 Income Tax Tables and Standard Exemption amounts just released by the Internal Revenue Service (“IRS”) may help employees and their families in updating their W-4 withholding and planning certain employee benefit or other elections for 2024.

The updated 2024 Income Tax Rate tables included in Revenue Procedure 2023-34, released by the IRS on October 9, 2023 are as follows:

TABLE 1 – Section 1(j)(2)(A) –Married Individuals Filing Joint Returns and Surviving Spouses

If Taxable Income Is:The Tax Is:
Not over $23,20010% of the taxable income
Over $23,200 but not over $94,300$2,320 plus 12% of the excess over $23,200
Over $94,300 but not over $201,050$10,852 plus 22% of the excess over $94,300
Over $201,050 but not over $383,900$34,337 plus 24% of the excess over $201,050
Over $383,900 but not over $487,450$78,221 plus 32% of the excess over $383,900
Over $487,450 but not over $731,200$111,357 plus 35% of the excess over $487,450
Over $731,200$196,669.50 plus 37% of the excess over $731,200

TABLE 2 – Section 1(j)(2)(B) – Heads of Households

If Taxable Income Is:The Tax Is:
Not over $16,55010% of the taxable income
Over $16,550 but not over $63,100$1,655 plus 12% of the excess over $16,550
Over $63,100 but not over $100,500$7,241 plus 22% of the excess over $63,100
Over $100,500 but not over $191,950$15,469 plus 24% of the excess over $100,500
Over $191,950 but not over $243,700$37,417 plus 32% of the excess over $191,150
Over $243,700 but not over $609,350$53,977 plus 35% of the excess over $243,700
Over $609,350   $181,954.50 plus 37% of  the excess over $609,350

TABLE 3 – Section 1(j)(2)(C) – Unmarried Individuals (other than Surviving Spouses and Heads of Households)

If Taxable Income Is:The Tax Is:
Not over $11,60010% of the taxable income
Over $11,600 but not over $47,150$1,160 plus 12% of the excess over $11,600
Over $47,150 but not over $100,525$5,426 plus 22% of the excess over $47,150
Over $100,525 but not over $191,950$17,168.50 plus 24% of the excess over $100,525
Over $191,950 but not over $243,725$39,110.50 plus 32% of the excess over $191,150
Over $243,725 but not over $609,350$55,678.50 plus 35% of the excess over $243,725
Over $609,350$183,647.25 plus 37% of the excess over $609,350

TABLE 4 – Section 1(j)(2)(D) – Married Individuals Filing Separate Returns

If Taxable Income Is:The Tax Is:
Not over $11,60010% of the taxable income
Over $11,600 but not over $47,150$1,160 plus 12% of the excess over $11,600
Over $47,150 but not over $100,525$5,426 plus 22% of the excess over $47,150
Over $100,525 but not over $191,950$17,168.50 plus 24% of the excess over $100,525
Over $191,950 but not over $243,725$39,110.50 plus 32% of the excess over $191,150
Over $243,725 but not over $365,600$55,678.50 plus 35% of the excess over $243,725
Over $365,600$98,334.75 plus 37% of the excess over $365,600

TABLE 5 – Section 1(j)(2)(E) – Estates and Trusts

If Taxable Income Is:The Tax Is:
Not over $3,10010% of the taxable income
Over $3,100 but not over $11,150$310 plus 24% of the excess over $3,100
Over $11,150 but not over $15,200$2,242 plus 35% of the excess over $11,150
Over $15,200$3,659.50 plus 37% of the excess over $15,200

For taxable years beginning in 2024, $1,300 is the amount used for purposes of § 1(g)(7) to determine whether a parent may elect to include a child’s gross income in the parent’s gross income and to calculate the “kiddie tax.” For example, one of the requirements for the parental election is that a child’s gross income is more than the amount referenced in § 1(g)(4)(A)(ii)(I) but less than 10 times that amount; thus, a child’s gross income for 2024 must be more than $1,300 but less than $13,000.the amount in § 1(g)(4)(A)(ii)(I), which is used to reduce the net unearned income reported on the child’s return that is subject to the “kiddie tax,” is $1,300. This $1,300 amount also is the same as the amount provided in § 63(c)(5)(A), as adjusted for inflation.

Filing Status
Standard Deduction
Married Individuals Filing Joint Returns and
Surviving Spouses (§ 1(j)(2)(A)) Heads of Households
(§ 1(j)(2)(B))		$29,200
Unmarried Individuals (other than Surviving Spouses
and Heads of Households) (§ 1(j)(2)(C))		$21,900
Unmarried Individuals (other than Surviving Spouses and Heads of
Households) (§ 1(j)(2)(C))		$14,600
Married Individuals Filing Separate Returns (§ 1(j)(2)(D))$14,600

For taxable years beginning in 2024, the standard deduction amounts under § 63(c)(2) are as follows:

For More Information

We hope this update is helpful. For more information about this or other labor and employment developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.

Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

About The Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

Scribe for the ABA JCEB Annual Agency Meeting with OCR, Vice Chair of the ABA International Section Life Sciences Committee, past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and the ABA RPTE Employee Benefits & Other Compensation GroupMs. Stamer’s work throughout her 30 plus year career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns.  As a part of this work, she has continuously and extensively worked with domestic and international hospitals, health care systems, clinics, skilled nursing, long term care, rehabilitation and other health care providers and facilities; medical staff, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; EMR, claims, payroll and other technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, self-insured health and other employee benefit plans, their sponsors, fiduciaries, administrators and service providers, insurers and other payers, health industry advocacy and other service providers and groups and other health and managed care industry clients as well as federal and state legislative, regulatory, investigatory and enforcement bodies and agencies.

Ms. Stamer is most widely recognized for her decades-long leading edge work, scholarship and thought leadership on health and other privacy and data security and other health industry legal, public policy and operational concerns.  This  involvement encompasses helping health care systems and organizations, group and individual health care providers, health plans and insurers, health IT, life sciences and other health industry clients prevent, investigate, manage and resolve  sexual assault, abuse, harassment and other organizational, provider and employee misconduct and other performance and behavior; manage Section 1557, Civil Rights Act and other discrimination and accommodation, and other regulatory, contractual and other compliance; vendors and suppliers; contracting and other terms of participation, medical billing, reimbursement, claims administration and coordination, Medicare, Medicaid, CHIP, Medicare/Medicaid Advantage, ERISA and other payers and other provider-payer relations, contracting, compliance and enforcement; Form 990 and other nonprofit and tax-exemption; fundraising, investors, joint venture, and other business partners; quality and other performance measurement, management, discipline and reporting; physician and other workforce recruiting, performance management, peer review and other investigations and discipline, wage and hour, payroll, gain-sharing and other pay-for performance and other compensation, training, outsourcing and other human resources and workforce matters; board, medical staff and other governance; strategic planning, process and quality improvement; meaningful use, EMR, HIPAA and other technology,  data security and breach and other health IT and data; STARK, antikickback, insurance, and other fraud prevention, investigation, defense and enforcement; audits, investigations, and enforcement actions; trade secrets and other intellectual property; crisis preparedness and response; internal, government and third-party licensure, credentialing, accreditation, HCQIA and other peer review and quality reporting, audits, investigations, enforcement and defense; patient relations and care;  internal controls and regulatory compliance; payer-provider, provider-provider, vendor, patient, governmental and community relations; facilities, practice, products and other sales, mergers, acquisitions and other business and commercial transactions; government procurement and contracting; grants; tax-exemption and not-for-profit; privacy and data security; training; risk and change management; regulatory affairs and public policy; process, product and service improvement, development and innovation, and other legal and operational compliance and risk management, government and regulatory affairs and operations concerns. to establish, administer and defend workforce and staffing, quality, and other compliance, risk management and operational practices, policies and actions; comply with requirements; investigate and respond to Board of Medicine, Health, Nursing, Pharmacy, Chiropractic, and other licensing agencies, Department of Aging & Disability, FDA, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; JCHO and other accreditation and quality organizations; private litigation and other federal and state health care industry actions: regulatory and public policy advocacy; training and discipline; enforcement;  and other strategic and operational concerns.

Author of leading works on HIPAA and a multitude of other health care, health plan and other health industry matters, the American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting and a former Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here such as: 

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2023 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.

Comments Off on Reviewing Newly Released 2024 Income Tax Tables Helpful For 2024 Benefit & Withholding Planning | 401(k), 4980D, 4980H, 6039D, Corporate Compliance, Employee Benefits, Employment Tax, Health Plans, Tax, Withholding | Permalink
Posted by Cynthia Marcotte Stamer

IRS Shares Voluntary Correction Program Updates & Tips

October 2, 2023

The Internal Revenue Service (“IRS”) issued a series of updates and tips on the use of the Voluntary Correction Program (“VCP”) to correct eligible defects in qualified employee benefit plans.

Check the Status of your VCP Submission

VCP applicants frequently wonder about the status of their VCP Submission. Applicants may not check if their VCP submission has been assigned to a specialist by comparing the date of the submitter’s confirmation email to the date of the most recent VCP submissions that have been assigned to a specialist at at IRS.gov/VCPstatus.

Revised VCP Model Compliance Statement and Schedules

The IRS updated several fill-in VCP forms to revise outdated information, provide clarity, and make it easier to present some late amender failures that impact 401(a) and 403(b) retirement plans.

Plan sponsors can use the model compliance statement and schedules to make an IRS Voluntary Correction Program (VCP) submission. The model schedules (Forms 14568- A to 14568-I) contain standardized methods plan sponsors can use to correct common mistakes using VCP. 

The IRS recently changed the following fill-in forms:

  • Form 14568, Model VCP Compliance Statement to update enforcement section language;
  • Form 14568-A, Model VCP Compliance Statement – Schedule 1: Plan Document Failures for 403(b) Plans for late amender failures only to provide a framework to present late amender failures that involve IRC 403 plans and standardized descriptions for some very common 403(b) plan document failures;
  • Form 14568-B, Model VCP Compliance Statement – Schedule 2: Nonamender Failures for 401(a) Plans for use only for late amendment failures to group failures pre-approved plans vs individually designed plans and failure descriptions for pre-approved plans to include the latest failures; to provide a framework to present failures involving individually designed plans not timely to comply with the Required Amendments List, or the Cumulative List (prior to 2017) and to allow for legit late interim amendment failures affecting a pre-approved plan to be presented as an “Other” failure in Section I C;
  • Form 14568-C, Model VCP Compliance Statement – Schedule 3: SEPs and SARSEPs is updated to include a direct link to the DOL VFCP calculator and increased to $250 the standardized narrative involving small excess amounts;
  • Form 14568-D, Model VCP Compliance Statement – Schedule 4: SIMPLE IRAs includes an pdated direct link to the DOL’s VFCP calculator and increased to $250 the standardized narrative involving small excess amounts.

No changes have been made to the other forms in the Form 14568 series (Form 14568-E through Form 14568-I).

Interim Guidance on EPCRS: Notice 2023-43

The IRS released guidance in the form of Q&A’s on changes made by the SECURE 2.0 Act to the Employee Plans Compliance Resolution System of voluntary correction programs for retirement plans. Notice 2023-43 provides interim guidance for taxpayers in advance of an update to EPCRS as outlined in Revenue Procedure 2021-30.

For more information on the correction programs available to correct mistakes in your retirement plan, go to IRS.gov/FixMyPlan

We hope this update is helpful. Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn  Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy Group.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here. 

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here such as: 

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2023 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.

Comments Off on IRS Shares Voluntary Correction Program Updates & Tips | Claims, Claims Administration, compliance, Corporate Compliance, Disability, employee, Employee Benefits, Employer, Employers, ERISA, Fiduciary Responsibility, health plan, Health Plans, HIPAA, Human Resources, Internal Investigations, Professional Liability, Reporting & Disclosure | Tagged: , , | Permalink
Posted by Cynthia Marcotte Stamer

Labor Department Mutual of Omaha Group Companies Warns Insurers, Plans To Timely Decide Insurability In ERISA-Covered Life, Disability & Other Plans

October 2, 2023

Employer and other plan sponsors, administrators, fiduciaries, and insurers of employment-based life and disability insurance programs requiring evidence of good health or other insurability should ensure their administrator or insurer timely makes and notifies participants of any insurability-based limitations or denials on eligibility or coverage in light of a new Department of Labor settlement with United of Omaha Life Insurance Co. (“United”) and United’s parent company — Mutual of Omaha Insurance Co. — and United’s subsidiary, Companion Life Insurance Co. (the “United Companies”) announced September 29, 2023. The settlement sends a strong message to insurers, fiduciaries, administrators and sponsors of life, disability of insurance plans and policies covered by the Employee Retirement Income Security Act of 1974 (“ERISA”) requiring evidence of insurability to ensure their own programs also timely decide and notify participants whether their plans’ insurability requirements are met after receiving enrollment applications.

While the Health Insurance Portability & Accountability Act (“HIPAA”) and Patient Protection & Affordable Care Act (“ACA”) generally prohibit insurability or other evidence of good health requirements in health plans, many ERISA-covered life, disability and other insurance programs continue to condition coverage on evidence of good health or other insurability requirements.

The United settlement requires the United Companies to revise their processes for administering requirements that participants in employer-sponsored life insurance plans provide proof of good health — referred to as evidence of insurability — before obtaining coverage in certain instances.

The settlement resolves a lawsuit filed by the Labor Department after an Employee Benefits Security Administration (“EBSA”) investigation into how United administered proof of good health eligibility requirements in ERISA-covered life insurance plans. The investigation found that United denied numerous claims based on a participant’s failure to provide evidence of insurability after accepting premiums for years without determining if insurability requirements were satisfied.  The delayed determinations caused participants and their beneficiaries to believe they had coverage until after the participant died, United denied claims for benefits on the grounds United never received the participant’s evidence of insurability, leaving beneficiaries without life insurance benefits for which their loved one had paid.

United has advised the department that it has voluntarily reprocessed claims dating back to February 2018 to provide benefits for claims denied based solely on a participant’s failure to provide evidence of insurability. The settlement reached by the Labor Department’s Office of the Solicitor also requires the United Companies to decide insurability within 90 days after it receives a participant’s first premium payment. After the 90-day period expires, the United Companies cannot deny a claim for life insurance benefits for reasons related to evidence of insurability.

The Labor Department’s announcement of the settlement warns the Department stands ready to take similar enforcement action against other group plans that fail to decide insurability promptly and notify applicants promptly following enrollment. For instance, the announcement quotes Assistant Secretary for EBSA Lisa M. Gomez as saying, “The Employee Benefits Security Administration will take appropriate action against insurance companies that collect regular premium payments from plan participants without ensuring up front that participants have satisfied eligibility requirements like insurability, and later cite those requirements to deny benefits after the participant passes away.”

In light of this, and a prior similar enforcement action against another insurer in 2022, all sponsors, fiduciaries, administrators, and insurers of ERISA-covered group life, disability, or other insurance programs requiring insurability should verify the timeliness of insurability determinations made by their programs currently, and within the applicable statute of limitation period for claims.

We hope this update is helpful. Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn  Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy Group.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here. 

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here such as: 

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2023 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.

Comments Off on Labor Department Mutual of Omaha Group Companies Warns Insurers, Plans To Timely Decide Insurability In ERISA-Covered Life, Disability & Other Plans | Claims, Claims Administration, compliance, Corporate Compliance, Disability, employee, Employee Benefits, Employer, Employers, ERISA, Fiduciary Responsibility, health plan, Health Plans, HIPAA, Human Resources, Internal Investigations, Professional Liability, Reporting & Disclosure | Tagged: , , | Permalink
Posted by Cynthia Marcotte Stamer

$80,000 Penalty Confirms Health Plans Exposure For Violating HIPAA Access Rights

September 15, 2023

An $80,000 penalty paid by UnitedHealthcare Insurance Company (“UHIC”) warns other insurers and other health plans, their fiduciaries and plan sponsors that failing to timely deliver requested protected health information triggers substantial Health Insurance Portability and Accountability Act (HIPAA) fines in addition to Employee Retirement Income Security Act (“ERISA”) Section 502(c) penalties and other related exposures and costs.

HIPAA Right Of Access Rule

The Department of Health & Human Services Office of Civil Rights (“OCR”) recently announced health insurance giant UHIC agreed in a resolution agreement to pay $80,000 to resolve a potential violation HIPAA’s access provision that requires health plans, health care providers and health care clearinghouses (“covered entities”) to provide patients access certain protected health information in a within 30 days of a request. In addition to the $80,000 payment, UHIC agreed to implement a corrective action plan and submit to OCR monitoring for a year.

The HIPAA Privacy Rule generally requires health plans and other covered entities to provide individuals, upon request, with access to the protected health information (PHI) about them in one or more “designated record sets” maintained by or for the covered entity after verifying the identity of the person requesting access. This right of access generally applies to all PHI other than:

  • PHI that is not part of a designated record set because the information is not used to make decisions about individuals;
  • Psychotherapy notes, which are the personal notes of a mental health care provider documenting or analyzing the contents of a counseling session, that are maintained separate from the rest of the patient’s medical record;; and
  • Certain information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.

Even for categories of excluded PHI, however, the right of access rule requires access to the underlying PHI from the individual’s medical or payment records or other records used to generate the excluded records or information remains part of the designated record set and subject to access by the individual.

Where applicable, the right of access requirement includes the right to inspect or obtain a copy, or both, of the PHI, as well as to direct the covered entity to transmit a copy to a designated person or entity of the individual’s choice. Individuals have a right to access this PHI for as long as the information is maintained by a covered entity, or by a business associate on behalf of a covered entity, regardless of the date the information was created; whether the information is maintained in paper or electronic systems onsite, remotely, or is archived; or where the PHI originated (e.g., whether the covered entity, another provider, the patient, etc.).

The Privacy Rules encourage health plans and other covered entities to offer individuals multiple options for requesting access. Covered entities may offer individuals the option of using electronic means (e.g., e-mail, secure web portal) to request access.  Section 164.524(b)(1) of the Privacy Rule also generally allows a health plan or other covered entity subject to the right of access rule to require individuals to request access in writing, and if use of the covered entity’s form does not create a barrier to or unreasonably delay an individual’s access to his PHI, even to require individuals to use the entity’s own supplied form to make the request. However, the Privacy Rule prohibits health plans and covered entities from imposes unreasonable measures on an individual requesting access that serve as barriers to or unreasonably delay the individual from obtaining access.

While the Privacy Rule permits a covered entity to impose a reasonable, cost-based fee if the individual requests a copy of the PHI (or agrees to receive a summary or explanation of the information), Privacy Rule Section 164.524(c)(4) limits how much health plans and other covered entities can charge for copies.  The fee may include only the cost of: (1) labor for copying the PHI requested by the individual, whether in paper or electronic form; (2) supplies for creating the paper copy or electronic media (e.g., CD or USB drive) if the individual requests that the electronic copy be provided on portable media; (3) postage, when the individual requests that the copy, or the summary or explanation, be mailed; and (4) preparation of an explanation or summary of the PHI, if agreed to by the individual.    Section 164.524(c)(4) prohibits a covered entity from including costs associated with verification; documentation; searching for and retrieving the PHI; maintaining systems; recouping capital for data access, storage, or infrastructure; or other costs not beyond this specifically allowed in the Rule even if such costs are authorized by State law or other federal or state rules.

UHIC & Other OCR Right Of Access Resolution Agreements

Since OCR began enforcing HIPAA, OCR enforcement data has reflected widespread noncompliance by covered entities with the HIPAA right of access rule. In response to this compliance data, OCR since 2019 has prioritized investigation and enforcement of the right of access under its “Right of Access Initiative.” The UHIC resolution agreement announced August 24, 2023 is the forty-fifth Right of Access voluntary settlement and the first Right of Access case enforcement action involving a health plan covered entity announced by OCR under its Right of Access Initiative. All previously announced Right of Access Initiative resolution agreements involved complaints against health care provider covered entities.

The UHIC resolution agreement resolves charges arising from an OCR investigation into a March 2021 complaint that UHIC failed to provide required records in response to an individual’s request for a copy of their protected health information in the plan records. The individual first requested a copy of their records on January 7, 2021, but did not receive the records until July 2021, after OCR initiated its investigation. This was the third complaint OCR received from the complainant against UHIC alleging failures to respond to his right of access. OCR’s investigation determined that UHIC’s failure to provide timely access to the requested medical records was a potential violation of the HIPAA right of access provision.

Based on these findings, OCR found UHIC violated the right of access rule. To resolve exposure to potentially more substantial civil monetary sanctions authorized by HIPAA, UHIC agreed in the resolution agreement to pay an $80,000 monetary settlement and implement a corrective action plan that includes one year of monitoring by OCR. UHIC also incurred and is expected to incur substantial legal and other expenses in responding to the investigation, negotiating the resolution agreement, and to fulfill its obligations under the corrective action plan.

When announcing the results of the UHIC investigation and resolution agreement, OCR Director warned other health plans to ensure their right of access compliance. “Timely access to health information is one of the cornerstones of HIPAA. OCR will continue to ensure that covered entities with a record of delaying or denying access requests will be subject to enforcement,” said OCR Director, Melanie Fontes Rainer. “Health insurers are not exempt from the right of access and must ensure that they are taking steps to train their workforce to ensure that they are doing all they can to help members’ access to health information.”

ERISA Section 502(c) Penalty For Failing To Timely Respond To Member Information Request

Apart for the HIPAA right of access rule, failing to timely respond to member requests for plan information and records also can trigger substantial liability for ERISA-covered health plans and their plan administrators under ERISA.

In addition to the HIPAA Right of Access disclosure obligations ERISA-covered health plans and insurer also generally are required to disclose certain plan information when notifying plan members of adverse benefit determinations and within 30 days of a member’s request. ERISA’s claims and adverse benefit determination rules expressly obligate plan administrators to disclose certain information to plan participants and beneficiaries when providing notification of adverse claims determinations. Additionally, Section 104(b)(4) of ERISA requires plan administrators to provide participants with a copy of certain documents if the participant requests them in writing.

Evidence that an ERISA-covered health plan administrator or insurer violated these requirements when administering claims or other obligations frequently prevent or undermine the defensibility of health plan claim denials against ERISA investigations and participant or beneficiary claims related lawsuits. Beyond these litigation effects, ERISA Section 502(c) authorizes the Employee Benefit Security Administration (“EBSA”) to impose administrative penalties of $110 per day. Concurrently, ERISA Section 502(c) also empowers federal courts in the court’s discretion to hold a plan administrator that fails to provide the participant with information within the  scope of the ERISA disclosure provision after 30 days from the request”, the plan administrator “may be personally liable to that participant or beneficiary for up to $110 a day from the date of such failure or refusal and “the court may in its discretion order “such other relief as it deems proper.”  Both the adverse effects of noncompliance with claims and other disclosure requirements on the defensibility of claims denials and the potential significance of triggering Section 502(c) penalties is illustrated by the federal court’s ruling M.S. v. Premera Blue Cross, 553 F. Supp. 3d 1000 (D. Utah 2021). In addition to the undeniable role disclosure deficiencies played in the court’s decision to overturn the plan administrator’s denial of benefits, the District Court also imposed a statutory penalty of under Section 502(c) of $123,100 ($100 per day from the date of the participant’s first written request through the date of the court’s order finding Premera Blue Cross prejudiced the plan participants by failing to make required disclosures) pending its determination of the damages, attorney’s fees and costs, and equitable relief to award to the participants. The court imposed the Section 502(c) penalty against Premera Blue Cross in its capacity as a third-party administrator contracted with the plan sponsor that the plan documents named as the plan administrator based on the functional exercise by Premera of fiduciary duties in handling the claims and disclosures. It bears noting, however, that employers and others serving in named plan administrator or other fiduciary capacities frequently are held liable for acts or omissions of their contract administrators either by direct orders under ERISA or indirectly pursuant to contractual duties to defend and hold harmless the contract administrator plan vendors providing these services commonly include in administrative services contracts.

Plans Must Assure Timely Access & Disclosure

Health plans and health insurers must provide protected health information as required by HIPAA; plan disclosures required by ERISA. Plan sponsors, fiduciaries and administrators wishing to avoid liabilities for violation of either of these requirements should make the necessary contractual, policy and oversight arrangements to provide for timely delivery. Where administration if these duties is outsourced to an insurer or other service provider, the plan sponsor should serk contractual agreements that the vendor will pay costs and liabilities for untimely delivery and refuse to accept contractual language that might obligate the plan sponsor, plan fiduciaries l, or the plan to pay or reimburse those penalties.

If despite efforts to comply an impermissible delay in delivery happens, the responsible party should contact qualified legal counsel about pursuing prompt correction and other steps to mitigate or resolve exposures.

For More Information

We hope this update is helpful. Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn  Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy Group.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here. 

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here such as: 

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

Comments Off on $80,000 Penalty Confirms Health Plans Exposure For Violating HIPAA Access Rights | Claims, Claims Administration, compliance, Corporate Compliance, employee, Employee Benefits, Employer, Employers, ERISA, Fiduciary Responsibility, health plan, Health Plans, HIPAA, Human Resources, Internal Investigations, Professional Liability, Reporting & Disclosure | Permalink
Posted by Cynthia Marcotte Stamer

Tri-Agencies Announce New Surprise Billing IDR Fees While Continuing IDR Suspension After Federal Court Ruling

August 11, 2023

Group health plans and individual and group health insurance subject the federal No Surprises Act (“NSA”) are likely to experience continued delays in their ability to finalize certain claims liability determinations and pay providers for health claims submitted for arbitration under the NSA-established Federal Independent Dispute Resolution (“IDR”) medical claims review process as a result of an August 3, 2023 federal court ruling even as the federal agencies responsible for implementing and enforcing those rules announce new fees for seeking IDR dispute resolution under those rules.

The current rules governing the IDR process are defined by regulations implementing the NSA jointly issued by the Department of Health and Human Services (HHS), the Department of Labor (DOL), and the Department of the Treasury (collectively, the “Departments”). These rules define the process for out-of-network providers, facilities, and providers of air ambulance services, and group health plans, health insurance issuers in the individual and group markets, and Federal Employee Health Benefits (“FEHB”) carriers (“disputing parties”) to determine the out-of-network rate for out-of-network emergency services and certain items and services provided by out-of-network providers at in-network facilities and out-of-network air ambulance services under the NSA.

IDR Process Suspended

The IDR process currently is suspended following the August 3 , 2023 ruling by the United States District Court for the Eastern District of Texas in Texas Medical Association v. United States Department of Health and Human Services, Case No. 6:23-cv-59-JDK, vacating certain portions of 45 C.F.R. § 149.510, 26 C.F.R. § 54.9816-8T, and 29 C.F.R. § 2590-716-8, which are parallel provisions governing the Federal IDR.

The Court granted summary judgement on August 3, 2023 to the Texas Medical Association and other provider plaintiffs challenging these federal IDR rules for arbitration of health coverage disputes between payers and providers under the No Surprises Act. The Court agreed with the health care providers that the rules violated federal law by failing to take into account the full range of factors Congress directed be considered when enacting the IRO rules as part of the NSA.

Immediately following the Court’s entry of the order, the Departments temporarily suspended the federal IDR medical claims review process including the ability to initiate new disputes and directed certified IDR entities to pause all IDR-related activities in response an the ruling. As a result of the suspension, the Patient-Provider Dispute Resolution Portal also temporarily ceased accepting new initiated disputes.

When announcing the suspension, the Departments said they would review the court’s decision to evaluate changes to current IDR processes, templates, and system updates necessary to comply with the court’s order. The Departments said they will issue updates to these processes in the near future and will provide specific directions to certified IDR entities for resuming all IDR-related activities in a manner consistent with the court’s judgment and order “soon.” Until then, arbitration of disputes between payers and providers under covered employment based group health plans and individual and group health insurance subject to the law will be delayed.

New IDR Fees Announced Amid Suspension

Despite the suspension, the Departments today (August 11, 2023) jointly published the No Surprises Act (NSA) Independent Dispute Resolution (IDR) Administrative Fee Frequently Asked Questions (FAQs).

The FAQs are not announcing the reopening of the Federal IDR portal to initiate new disputes. Accordingly, the IDR process remains in suspension pending further action by the Departments. In the meantime, however, the FAQs clarify the administrative fee amount that each disputing party will be required to pay to engage in the Federal IDR process when the IDR process suspension resumes as a result of the Texas Medical Association opinion and order.

What To Do Now

For health plans and their sponsors and administrators, for example, delays due to the suspension obviously delay payments to providers as many self-insured health plans, their sponsors, fiduciaries, administrators and stop-loss reinsurers approaching year end. Many stop-loss policies and other funding arrangements limit or exclude coverage for plan claims not paid with the policy period or, if the policy includes run off coverage, that brief period following the policy year end. Delays in payment also could complicate year end underwriting for renewals. Employers and unions, their brokers, administrators, fiduciaries and reinsurers should evaluate, monitor and begin strategizing about their response to these developments to prepare for their upcoming renewals and enrollment seasons.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

For More Information

We hope this update is helpful. For more information about these or other health or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.  

We hope this update is helpful. Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy Group.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 35+ years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications. As a significant part of her work, Ms. Stamer has worked extensively domestically and internationally with business, government and community leaders to prepare for and deal with pregnancy, disability and other discrimination, leave, health and safety, and other workforce, employee benefit, health care and other operations planning, preparedness and response for more than 35 years. As a part of this work, she regularly advises businesses and government leaders on an on-demand and ongoing basis about preparation of workforce, health care and other business and government policies and practices to deal with management in a wide range of contexts ranging from day to day operations, through times of change and in response to complaints, investigations and enforcement.

Author of a multitude of other highly regarded publications and presentations on MHPAEA and other and health and other benefits, workforce, compliance, workers’ compensation and occupational disease, business disaster and distress and many other topics, Ms. Stamer has worked with health plans, employers, insurers, government leaders and others on these and other health benefit, workforce and performance and other operational and tactical concerns throughout her adult life.

A former lead advisor to the Government of Bolivia on its pension privatization project, Ms. Stamer also has worked domestically and internationally as an advisor to business, community and government leaders on health, severance, disability, pension and other workforce, health care and other reform, as well as regularly advises and defends organizations about the design, administration and defense of their organization’s workforce, employee benefit and compensation, safety, discipline and other management practices and actions.

Board Certified in Labor and Employment Law By the Texas Board of Legal Specialization, Scribe for the ABA JCEB Annual Agency Meeting with OCR, Chair-Elect of the ABA TIPS Medicine and Law Committee, Chair of the ABA International Section Life Sciences Committee, and Past Group Chair and current Welfare Plan Committee Chair of the ABA RPTE Employee Benefits & Other Compensation Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here such as: 

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2023 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.

Comments Off on Tri-Agencies Announce New Surprise Billing IDR Fees While Continuing IDR Suspension After Federal Court Ruling | Association Health Plan, Claims, Claims Administration, compliance, Corporate Compliance, Employee Benefits, Employers, ERISA, Fiduciary Responsibility, group health plan, health benefit, Health Benefits, health Care, health care transparency, health insurance, health insurance marketplace, Health IT, health plan, Health Plans, health reform, Human Resources, Managed Care, Plan Admistrator, PPO, Surprise Billing, Surprise Billingn, third party administrators, tpa | Permalink
Posted by Cynthia Marcotte Stamer

Surprise Billing IDR Health Plan Dispute Resolution Suspension After Federal Court Ruling Could Impact Plan Renewal Underwriting and Stop-Loss Coverage

August 4, 2023

Group health plans and individual and group health insurance subject the federal No Surprises Act may experience delays in their ability to finalize liability determinations and pay providers for health claims submitted for arbitration under federal surprise billing rules as a result of an August 3, 2023 federal court ruling.

Effective August 3, 2023, the Departments of Health and Human Services Centers for Medicare and Medicaid Services, Department of Labor Employee Benefit Security Administration and Department of Treasury (“Departments”) temporarily suspended the Federal Independent Dispute Resolution (IDR) medical claims review process including the ability to initiate new disputes and directed certified IDR entities to pause all IDR-related activities in response an August 3, 2023, federal court ruling. As a result of the suspension, the Patient-Provider Dispute Resolution Portal also temporarily ceased accepting new initiated disputes.

Earlier in the day, the U.S. District Court for the Eastern District of Texas issued a judgment and order in Texas Medical Association, et al. v. United States Department of Health and Human Services, Case No. 6:23-cv-59-JDK (TMA IV), vacating certain portions of 45 C.F.R. § 149.510, 26 C.F.R. § 54.9816-8T, and 29 C.F.R. § 2590-716-8, which are parallel provisions governing the Federal IDR.

The order of the Court grants summary judgement to the Texas Medical Association and other provider plaintiffs challenge to federal rules for arbitration of health coverage disputes between payers and providers under the No Surprises Act. The Court agreed with the health care providers that the rules violated federal law by failing to take into account the full range of factors Congress directed be considered when enacting the IRO rules as part of the No Surprises Act.

When announcing the suspension, the Departments said currently they are reviewing the court’s decision and evaluating current IDR processes, templates, and system updates necessary to comply with the court’s order. The Departments say they will issue updates in the near future and will provide specific directions to certified IDR entities for resuming all IDR-related activities in a manner consistent with the court’s judgment and order.  

Until then, arbitration of disputes between payers and providers under covered employment based group health plans and individual and group health insurance subject to the law will be delayed.

A lengthy delay in the Departments’ correction of their rules could spell headaches for both payers and providers. Delays in claim resolutions due to the suspension obviously delays determination of plan liabilities can particularly impact self-insured health plans, their sponsors, fiduciaries, administrators and stop-loss reinsurers of plans approaching year end. Many stop-loss policies and other funding arrangements limit or exclude coverage for plan claims not paid with the policy period or, if the policy includes run off coverage, that brief period following the policy year end. Delays in payment also could complicate year end underwriting for renewals. Employers and unions, their brokers, administrators, fiduciaries and reinsurers should evaluate, monitor and begin strategizing about their response to these developments to prepare for their upcoming renewals and enrollment seasons.

For More Information

We hope this update is helpful. For more information about these or other health or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.  

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 35+ years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications. As a significant part of her work, Ms. Stamer has worked extensively domestically and internationally with business, government and community leaders to prepare for and deal with pregnancy, disability and other discrimination, leave, health and safety, and other workforce, employee benefit, health care and other operations planning, preparedness and response for more than 35 years. As a part of this work, she regularly advises businesses and government leaders on an on-demand and ongoing basis about preparation of workforce, health care and other business and government policies and practices to deal with management in a wide range of contexts ranging from day to day operations, through times of change and in response to complaints, investigations and enforcement.

Author of a multitude of other highly regarded publications and presentations on MHPAEA and other and health and other benefits, workforce, compliance, workers’ compensation and occupational disease, business disaster and distress and many other topics, Ms. Stamer has worked with health plans, employers, insurers, government leaders and others on these and other health benefit, workforce and performance and other operational and tactical concerns throughout her adult life.

A former lead advisor to the Government of Bolivia on its pension privatization project, Ms. Stamer also has worked domestically and internationally as an advisor to business, community and government leaders on health, severance, disability, pension and other workforce, health care and other reform, as well as regularly advises and defends organizations about the design, administration and defense of their organization’s workforce, employee benefit and compensation, safety, discipline and other management practices and actions.

Board Certified in Labor and Employment Law By the Texas Board of Legal Specialization, Scribe for the ABA JCEB Annual Agency Meeting with OCR, Chair-Elect of the ABA TIPS Medicine and Law Committee, Chair of the ABA International Section Life Sciences Committee, and Past Group Chair and current Welfare Plan Committee Chair of the ABA RPTE Employee Benefits & Other Compensation Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here such as: 

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2023 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.

Comments Off on Surprise Billing IDR Health Plan Dispute Resolution Suspension After Federal Court Ruling Could Impact Plan Renewal Underwriting and Stop-Loss Coverage | Association Health Plan, Claims, Claims Administration, compliance, Corporate Compliance, Employee Benefits, Employers, ERISA, Fiduciary Responsibility, group health plan, health benefit, Health Benefits, health Care, health care transparency, health insurance, health insurance marketplace, Health IT, health plan, Health Plans, health reform, Human Resources, Managed Care, Plan Admistrator, PPO, Surprise Billing, Surprise Billingn, third party administrators, tpa | Permalink
Posted by Cynthia Marcotte Stamer

Businesses Risk Out-Of-State Lawsuits, Regulation From Registering In Consent To Jurisdiction States and Contractual Consents To Jurisdiction

July 17, 2023

Out-of-state employers, insurers, employee benefit plan vendors, and other businesses registered to do business in Pennsylvania, Georgia, Iowa, Kansas, Minnesota, or another state that requires that out-of-state businesses consent to jurisdiction as a condition of their registration to do business in the state face a heightened risk of getting hauled into court in the consent to jurisdiction state following last month’s Supreme Court decision in Mallory v. Norfolk Southern Railway Company, 600 U. S. ____ (2023) even if none of the events giving rise to the lawsuit took place in that state.

The Mallory ruling arose from a state lawsuit filed in Pennsylvania state court seeking damages by Robert Mallory (“Mallory”) to recover damages for cancer the argued was caused by the negligence of his former employer, Norfolk Southern Railroad (“Norfolk”) pursuant to the Federal Employers’ Liability Act workers’ compensation scheme that permits railroad employees to sue for injuries caused by employer negligence. Mallory filed the suit in Pennsylvania, a jurisdiction with no real connection to the claims but noted for its favorability to plaintiffs even though he never worked for Norfolk in Pennsylvania.  Mallory only worked for Norfolk in Ohio and Virginia, was a Virginia resident at the time of the suit, and only briefly lived in Pennsylvania after leaving Norfolk’s employment before returning to live in Virginia. Given the lack of connection of Pennsylvania to the parties and events giving rise to the claim, Virginia-based Norfolk Southern moved for the dismissal of the Pennsylvania lawsuit for lack of the requisite “substantial minimum contacts” generally required to support personal jurisdiction.

While courts generally recognize and enforce contractual agreements by a party to consent to jurisdiction, mere registration of an out-of-state business to do business in a state historically has not been recognized as creating the necessary “substantial minimum contacts” that the Due Process clause of the United States Constitution generally requires exist to provide the general personal jurisdiction that must exist for a state court to possess jurisdiction to decide a lawsuit over the out-of-state business under the Supreme Court precedent first articulated in International Shoe Co. v. Washington, 326 U. S. 310 (1945)

Because Pennsylvania is one of five states that currently requires all out-of-state businesses registering to do business in the State to consent to be sued in the state as a condition of registration, however, Mallory argued and the Supreme Court agreed in Mallory that Norfolk waived its ability to object to personal jurisdiction when it registered to do business in the Commonwealth. 

In Mallory, the Supreme Court Majority ruled that any corporation registered to do business in a state which requires out-of-state businesses to consent to general personal jurisdiction waives its right to assert a Due Process challenge to jurisdiction in that state. Accordingly, businesses registering to do business in a consent-to-jurisdiction registration state should anticipate that their mere registration with the state likely subjects the business to the jurisdiction of courts in that state even if the business has not entered into a contractual agreement to submit to that state’s jurisdiction or otherwise engage in other actions establishing the required substantial minimum contacts to satisfy the International Shoe Due Process standards even if none of the events underlying the lawsuit took place in that state.

Given the Supreme Court’s Mallory decision, businesses should take into account the potential risks of being subjected to out-of-state litigation and regulation anytime the business expands operations into, registers to do business as an out-of-state business or signs an agreement consenting to jurisdiction into a state other than their primary place of business. As evidenced by Mallory, businesses generally should consider and take steps to manage the risks of allowing the creation of jurisdiction against their business in states other than the primary location in which the business operates. Businesses subject to jurisdiction in a state generally become subject to laws, regulations, and lawsuits in that state. Aside from added obligations and costs associated with being subject to the laws of another state and conducting litigation in an unfamiliar state, businesses subject to the jurisdiction of laws in courts in multiple states open the door for opposing parties to strengthen their position by foreign shopping. Like Mallory, disgruntled current or former employees, plan members, or other opposing parties in disputes may choose to file their lawsuit in the state with the laws, rules, or precedent most favorable to their position even where the dispute does not arise out of events occurring in the chosen state.  Along with assessing when their organization may be subject to liability in other states, businesses should review their insurance coverage and applications to ensure that their insurance and other risk management arrangements take into account the added risks and liabilities that could arise from the additional state law jurisdiction. Consequently, businesses choosing to operate, to register to do business in a consent-to-jurisdiction state, or contractually to agree to submit to jurisdiction in any states should be prepared for the possibility that their organization could subject themselves to regulations, lawsuits, investigations and enforcement actions in that state.

More Information

We hope this update is helpful. For more information about these or other health or other legal, management, or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.  

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.  

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 35+ years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications. As a significant part of her work, Ms. Stamer has worked extensively domestically and internationally with business, government, and community leaders to prepare for and deal with pregnancy, disability, and other discrimination, leave, health and safety, and other workforce, employee benefit, health care and other operations planning, preparedness and response for more than 35 years. As a part of this work, she regularly advises businesses and government leaders on an on-demand and ongoing basis about the preparation of workforce, health care, and other business and government policies and practices to deal with management in a wide range of contexts ranging from day-to-day operations, through times of crisis or change, and in response to complaints, investigations and enforcement.

Author of a multitude of other highly regarded publications and presentations on MHPAEA and other health and other benefits, workforce, compliance, workers’ compensation and occupational disease, business disaster and distress, and many other topics, Ms. Stamer has worked with health plans, employers, insurers, government leaders and others on these and other health benefit, workforce and performance and other operational and tactical concerns throughout her adult life.

A former lead advisor to the Government of Bolivia on its pension privatization project, Ms. Stamer also has worked domestically and internationally as an advisor to business, community, and government leaders on health, severance, disability, pension, and other workforce, health care and other reform, as well as regularly advises and defends organizations about the design, administration, and defense of their organization’s workforce, employee benefit and compensation, safety, discipline, and other management practices and actions.

Board Certified in Labor and Employment Law By the Texas Board of Legal Specialization, Scribe for the ABA JCEB Annual Agency Meeting with OCR, Chair-Elect of the ABA TIPS Medicine and Law Committee, Chair of the ABA International Section Life Sciences Committee, and Past Group Chair and current Welfare Plan Committee Chair of the ABA RPTE Employee Benefits & Other Compensation Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training, and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls, and operational concerns. If you find this of interest, you also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here such as: 

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2023 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.

Comments Off on Businesses Risk Out-Of-State Lawsuits, Regulation From Registering In Consent To Jurisdiction States and Contractual Consents To Jurisdiction | Age Discrimination, Antitrust, board of directors, Brokers, child labor, Claims, Claims Administration, compensation, compliance, Construction, Corporate Compliance, Disability, Disability Discrimination, Disability Plans, Discrimination, Drug Testing, Emploeyrs, employee, Employee Handbook, Employer, Employment, Employment Discrimination, Employment Termination, enforcement, Fair Labor Standards Act, Family Leave, FLSA, FMLA, Fringe Benefits, health benefit, health insurance, Health Plans, Human Resources, Identity Theft, insurers, Internal Controls, Internal Investigations, Joint Employer, LBGT, Leave, Management, noncompete, occupational safety, OSHA, Wage & Hour, Whistleblower | Tagged: , , , , , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

Medical Clinic Co-Founder Sentencing & New Charges Filed Against Substance Abuse Clinic Operator Highlight Threat Health Plans Face From Health Plan Fraud Scammers

March 3, 2023

The U.S. District Court for the Western District of Kentucky ordered the co-founder of a that Yesdel Acosta Perez to time served of 14 months in prison and to pay $258,507 in restitution for his role in causing health care clinics he cofounded to bill 15 self-funded health plans for $4.7 million in medical services never provided. The conviction reminds health plans, health care providers and others that fraudulently billing self-insured or other private health plans can result in criminal conviction punishable as felony under multiple provisions of the United States Criminal Code. Acosta Perez’ sentencing coincides with the Justice Department’s announcement of its March 2, 2023 filing of similar criminal charges against the operator of a chain of substance abuse clinics and others for their alleged involvement in millions of dollars of false charges billed to private health plans, Medicare and Medicaid for substance abuse addition treatment not provided.

The conviction and sentencing of Acosta Perez and the newly announced charges against operators of a chain of addiction treatment clinics in Massachusetts and Rhode Island and others for alleged ahealth care fraud aggravated identity theft, money laundering and obstruction in relation to alleged billing of millions of dollars of false charges to private health plans, Medicare and Medicaid for substance abuse treatment by clinics highlight the continuing threat fraudulent actors present for self-insured and other private health plans, Medicare and Medicaid, as well as the potential criminal prosecution and consequences those individuals convicted of these crimes risk from their criminal activity.

Acosta Perez Conviction & Sentencing

The co-founder of Romero Rehabilitation Physical Therapy Inc. and Empire USA Inc. in Louisville and Imaging Group Center Inc. in Atlanta plead guilty to one count of conspiracy to commit healthcare fraud in February, 2023, after the U.S. Department of Labor found the operators collected $258,000 from 15 self-funded healthcare benefit programs for services they never provided based on fraudulent claims made between 2016 and 2018.

In June, 2018, a federal grand jury indicted Acosta Perez and fellow co-founder Eduardo Chinea-Martinez and others on multiple counts of Health Care Fraud in violation of 18 U.S.C. §1347, Theft from a Health Care Benefit Program in violation of 18 U.S.C. §669, Aggravated Identity Theft in violation of 18 U.S 8 U.S.C. §1028A, Money Laundering in violation of 18 U,S,C. §1956, Mail Fraud in violation of 18 U.S.C Chapter 63 and aiding and abetting in the commission of these violations under 18 U.S.C. §1349. billing various healthcare benefit programs through claims administrators Humana, CIGNA and United Healthcare for $4.7 million for services never provided. The U.S. Criminal Code authorized potential sentences of between 10 to 20 years of imprisonment as well as subjected charged defendants to asset forfeiture upon conviction.

The grand jury inditement and subsequent prosecution of Acosta Perz and a fellow co-founder resulted from an Employee Benefit Security Benefit Administration investigation that found that, between May 2015 and January 2016, Acosta Perez and Eduardo Chinea-Martinez co-founded three companies to intentionally defraud various healthcare benefit programs. Investigators also determined Acosta Perez opened bank accounts for the fictitious businesses at JPMorgan Chase Bank, Wells Fargo Bank and Bank of America. Acosta Perez and Chinea-Martinez. The indictment charges that Acosta Perez and Chinea-Martinez misappropriated and used patients’ names, dates of birth, insurance/policy numbers, addresses, and patient IDs/Social Security Numbers, without the patients’ knowledge and names and National Provider Numbers (“NPIs”) from uninvolved doctors without the doctors’ knowledge to create claims for payment by representing these uninvolved doctors and clinics allegedly ordered or performed the services in the false and fraudulent billings submitted by defendants for payment to submit fraudulent claims. The fraudulent claims directed the plans to send payment for the billed services to a Regus virtual office location in Louisville, Kentucky. Acosta Perez then directed Regus via email to forward all mail to Romero Rehabilitation Physical Therapy. According to the indictment, using this process to submit claims for payment for the fraudulent services, Chinea-Martinez and Acosta Perez billed approximately $4,700,000 in fraudulent medical services to the self-insured plans and received payment for $258,000.

In March 2020, the court sentenced Chinea-Martinez to 42 months in prison and three years of supervised release for his part in the scheme. However, before his in June 2018, Acosta Perez fled the U.S. On July 22, 2022, however, the Italian government granted the request of the U.S. for the extradition of Acosta Perez and surrendered him to U.S. authorities. Acosta-Perez was arrested in June 2022.

New Health Care Fraud Charges Against Rhode Island and Massachusetts Addiction Treatment Chain Operators

Acosta-Perez’s sentencing coincides with the Justice Department’s March 2, 2023 announcement of its filing of a host of similar charges in Rhode Island against the operator of a chain of addiction treatment clinics and others for alleged aggravated identity theft, money laundering and obstruction in relation to theft of the identities and other patient and provider information and using their information to file false charges billed to private health plans, Medicare and Medicaid for substance abuse treatment by clinics.

Michael Brier, Mi Ok Bruining and Recovery Connections Centers of America, Inc. (RCCA) are charged in a federal criminal complaint with health care fraud and Michael Brier also is charged with aggravated identity theft, money laundering and obstruction. In addition, the treatment center and its former supervisory counselor were also charged with health care fraud. The Justice Department announcement of these charges reminds readers that its federal criminal complaint is merely an accusation and that the defendants are presumed innocent unless and until proven guilty.

The Justice Department alleges in court documents that, Brier, Bruining, and RCCA shortchanged Rhode Island and Massachusetts substance abuse disorder patients out of much needed counseling and treatment services, while defrauding Medicare, Medicaid, and other health insurers out of millions of dollars.

According to the charging documents, Brier, Bruining and RCCA operated a chain of addiction treatment centers but failed to provide the patients with the required counseling sessions and treatment, while simultaneous billing Medicare, Medicaid and other health care payors for 45-minute counseling sessions on a routine basis even though the sessions were not more than 15 minutes, and often only 5-10 minutes or less.  At times, so many counseling sessions were billed at this level that the total amount of time would be impossible for the available therapist to have provided in any 24 hours period. 

Brier and RCCA are also alleged to have caused a fraudulent application to be submitted to Medicare which, among other things, misrepresented and concealed the role that Brier was playing in the business and failed to disclose Brier’s 2013 criminal conviction for federal tax crimes, which was relevant to Medicare’s consideration of the application. 

The Complaint also alleges that Brier purported to practice medicine and wrote and caused to be filled fraudulent prescriptions using the names and prescriber information, including Drug Enforcement Administration numbers, of doctors without their permission.

Brier is also alleged to have falsified a document in a matter within the jurisdiction of an agency of the United States by causing the Medical Director to sign a false and back-dated document.

The complaint alleges that defendants caused millions of dollars in fraudulent billings to be submitted to Medicare and millions more in fraudulent billings to other health care payors. The government is also seeking to forfeit thirteen bank accounts, two buildings, and two vehicles allegedly realized by the defendants as a result of the alleged criminal conduct.

The two prosecutions highlight the continuing challenge health plans and other health care payers face from fraudulent claims submitted by criminal actors intent on deliberately defrauding health plans through schemes to knowingly defraud plans by creating and filing false claims. Health plans and their fiduciaries and administrators should be vigilant in their efforts to identify and protect their health benefit programs against these schemes and if victimized or presented with evidence of these schemes, should work with experienced legal counsel to prudently investigate these concerns and report relevant findings to the EBSA, the Department of Justice Health Care Fraud Task Force or both.

More Information

We hope this update is helpful. For more information about the these or other health or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297

Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.  

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 35+ years of workforce and other management work, public policy leadership and advocacy, coaching, teachings, scholarship and thought leadership.

A Fellow in the American College of Employee Benefit Counsel, Vice Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, Ms. Stamer’s work throughout her 35 year career has focused heavily on working with employer and other staffing and workforce organizations, health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. As an ongoing component of this work, she regularly advises, represents and defends businesses on FLSA, CAS, SCA, Davis-Bacon, Equal Pay Act and other wage and hour, compensation and benefit and other Human Resources, Guideline Program and other compliance, risk management and other internal and external controls in a wide range of areas and has published and spoken extensively on these concerns.

Ms. Stamer also is widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on workforce, compensation, and other operations, risk management, compliance and regulatory and public affairs concerns.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here.

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving, and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2023 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™

Comments Off on Medical Clinic Co-Founder Sentencing & New Charges Filed Against Substance Abuse Clinic Operator Highlight Threat Health Plans Face From Health Plan Fraud Scammers | Claims, Claims Administration, Corporate Compliance, ERISA, Health Care Fraud, Health Plans | Permalink
Posted by Cynthia Marcotte Stamer

Updated Form 5500s and Instructions Released

February 24, 2023

The U.S. Department of Labor Employee Benefits Security Administration, the Internal Revenue Service (“IRS”) and the Pension Benefit Guaranty Corporation (“PBGC”) announcing changes to the 2023 Form 5500 Annual Return/Report of Employee Benefit Plan and Form 5500-SF Short Form in February 23.

The “Phase III” announcement released this week are set forth in the following:

The Phase III announcement implements the third and final phase of implementation of a September, 2021 regulatory proposal, which included changes related to provisions in the Setting Every Community Up for Retirement Enforcement Act, commonly known as the SECURE Act, which affected annual reporting requirements under the Employee Retirement Income Security Act and the Internal Revenue Code.

The first two phases of implementation included publication of Federal Register notices in December 2021 for Phase I and May 2022 for Phase II, respectively, to adopt changes for the 2021 and 2022 Form 5500 Returns/Reports. 

The Phase III announcement features a Notice of Final Forms Revisions from the EBSA, IRS and PBGC for the 2023 plan year forms and instructions and a Notice of Final Rulemaking by the department that makes corresponding changes to annual reporting regulations under Title I of ERISA. 

The 2023 plan year reports – which generally will be filed beginning in July 2024 for calendar year plans – include the following changes: 

  • A consolidated Form 5500 reporting option for certain groups of defined contribution retirement plans, improved reporting by pooled employer plans and other multiple employer plans. 
  • A change in the participant-counting methodology for determining eligibility for simplified reporting alternatives available to “small plans,” which are generally plans with fewer than 100 participants. 
  • A breakout of reporting on administrative expenses paid by the plan on the plan’s financial statements.
  • Further improvements in financial and funding reporting by PBGC-covered defined benefit plans.
  • The addition of selected Internal Revenue Code compliance questions to improve tax oversight and compliance of tax-qualified retirement plans.  
  • Technical and conforming changes as part of the annual rollover of forms and instructions.

Additionally, technical adjustments were made to the Federal Register notices to address certain provisions in SECURE Act 2.0 of 2022 on Code section 403(b) multiple employer plans, including pooled employer plans, minimum required distributions and audit requirements for plans in defined contribution group reporting arrangements.

The Federal Register notices, Document #2023-02653 for the Notice of Final Forms Revision and Document #2023-02652 for Notice of Final Rulemaking, also include appendices that describe the changes to the forms and instructions as well as a regulatory impact and paperwork burden analyses. A more detailed summary of the annual reporting changes is included in a fact sheet posted on the department’s website today. Mock-ups of the forms and instructions will be available at reginfo.gov as part of the Paperwork Reduction Act clearance process. The release of “for information-only” copies of the forms and instructions will happen later in 2023.

More Information

When investigating and responding to a violation, it is critically important to document the timing and details of the discovery of a potentially concern

We hope this update is helpful. For more information about the these or other health or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297

Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.  

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 35+ years of workforce and other management work, public policy leadership and advocacy, coaching, teachings, scholarship and thought leadership.

A Fellow in the American College of Employee Benefit Counsel, Vice Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, Ms. Stamer’s work throughout her 35 year career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. As an ongoing component of this work, she regularly advises, represents and defends businesses on Guideline Program and other compliance, risk management and other internal and external controls in a wide range of areas and has published and spoken extensively on these concerns.

Ms. Stamer also is widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on workforce, compensation, and other operations, risk management, compliance and regulatory and public affairs concerns.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here.  

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving, and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2023 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™

Comments Off on Updated Form 5500s and Instructions Released | compliance, Corporate Compliance, Defined Benefit Plans, Defined Contribution Plans, EBSA, Emploeyrs, employee, Employee Benefits, Employer, Employers, ERISA, ESOP, Form 5500, health plan, Health Plans, multiple employer plan (Meps), Retirement Plans, Retirements, third party administrators | Permalink
Posted by Cynthia Marcotte Stamer

$1.25 Million Cybersecurity Breach Settlement & Other Heightening Enforcement Warn Health Plans & Others To Fix Cybersecurity

February 4, 2023

Phoenix-based nonprofit health system Banner Health and its affiliates (“Banner Health”) paid $1.25 million and agreed to take corrective actions to resolve its exposure to potentially much greater Health Insurance Portability and Accountability Act (HIPAA) Security Rule civil monetary penalty exposure for a 2016 cyber hacking breach that compromised the person health information of 2.81 million consumers. OCR used its February 2 announcement of the Banner Health settlement to warn health plans, health care providers, health care clearing houses (“covered entities”) and business associates covered by HIPAA to guard their own system containing protected health information against breach by cyber hacking even as the Department of Labor and other agencies are stepping up their cybersecurity rules, oversight and enforcement.

Banner Health Settlement

Banner Health is one of the largest non-profit health systems in the country, with over 50,000 employees and operating in six states. Banner Health is the largest employer in Arizona, and one of the largest in northern Colorado. 

In November 2016, OCR initiated an investigation of Banner Health following the receipt of a breach report stating that a threat actor had gained unauthorized access to electronic protected health information, potentially affecting millions.  The hacker accessed protected health information that included patient names, physician names, dates of birth, addresses, Social Security numbers, clinical details, dates of service, claims information, lab results, medications, diagnoses and conditions, and health insurance information.

OCR’s investigation found evidence of long term, pervasive noncompliance with the HIPAA Security Rule across Banner Health’s organization, a serious concern given the size of this covered entity. Organizations must be proactive in their efforts to regularly monitor system activity for hacking incidents and have measures in place to sufficiently safeguard patient information from risk across their entire network.

The potential violations specifically include: the lack of an analysis to determine risks and vulnerabilities to electronic protected health information across the organization, insufficient monitoring of its health information systems’ activity to protect against a cyber-attack, failure to implement an authentication process to safeguard its electronic protected health information, and failure to have security measures in place to protect electronic protected health information from unauthorized access when it was being transmitted electronically. 

Under the Resolution Agreement and Corrective Action Plan negotiated to resolve these potential violations, Banner Health paid $1,250,000 to OCR. Banner Health also agreed to implement a corrective action plan, which identifies steps Banner Health will take to resolve these potential violations of the HIPAA Security Rule and protect the security of electronic patient health information that will be monitored for two years by OCR to ensure compliance with the HIPAA Security Rule. Under the corrective action plan, Banner has agreed to take the following steps:

  • Conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic patient/system data across the organization
  • Develop and implement a risk management plan to address identified risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI
  • Develop, implement, and distribute policies and procedures for a risk analysis and risk management plan, the regular review of activity within their information systems, an authentication process to provide safeguards to data and records, and security measures to protect electronic protected health information from unauthorized access when it is being transmitted electronically, and
  • Report to HHS within thirty (30) days when workforce members fail to comply with the HIPAA Security Rule.

OCR Warns Other HIPAA-Covered Entities

In the health care sector, hacking is now the greatest threat to the privacy and security of protected health information. OCR’sannouncement of the serrlement reports 74 percent (74%) of the breaches reported to OCR in 2021 involved hacking/IT incidents.

The announcement also notes OCR offers an array of resources to help health care organizations bolster their cybersecurity posture and comply with the HIPAA Rules, 

The settlement and OCR’s announcement warn other covered entities and business associates to use these and other necessary resources to protect their systems with protected health information from cyber hacking and other breaches.

In conjunction with reminding other covered entities of these resources, the settlement announcement quotes OCR Director Melanie Fontes Rainer as warning, ‘Hackers continue to threaten the privacy and security of patient information held by health care organizations, including our nation’s hospitals, … It is imperative that hospitals and other covered entities and business associates be vigilant in taking robust steps to protect their systems, data, and records, and this begins with understanding their risks, and taking action to prevent, respond to and combat such cyber-attacks. … Cyber security is on all of us, and we must take steps to protect our health care systems from these attacks.”

OCR’s enforcement record confirms these are not idyl threats. Breaches of the Security or Breach Notification Rules often result in significant civil monetary penalty assessments or negotiated settlements to mitigate civil liability exposures arising out of such breaches. See e.g.,  Clinical Laboratory Pays $25,000 To Settle Potential HIPAA Security Rule Violations (May 25, 2021); Health Insurer Pays $5.1 Million to Settle Data Breach Affecting Over 9.3 Million People (January 15, 2021); Aetna Pays $1,000,000 to Settle Three HIPAA Breaches(October 28, 2020); Health Insurer Pays $6.85 Million to Settle Data Breach Affecting Over 10.4 Million People (September 25, 2020); HIPAA Business Associate Pays $2.3 Million to Settle Breach Affecting Protected Health Information of Over 6 million Individual – (September 23, 2020); Lifespan Pays $1,040,000 to OCR to Settle Unencrypted Stolen Laptop Breach (July 27, 2020); Small Health Care Provider Fails to Implement Multiple HIPAA Security Rule Requirements (July 23, 2020). 

Alerts issued by OCR regarding heightened security risks in recent months and a growing tide of highly publicized breaches send a strong warning to other covered entities and their business associates to reconfirm the adequacy of their own HIPAA privacy, security, breach notification and other procedures and protections by among other things:

  • Reviewing and monitoring on a documented, ongoing basis the adequacy and susceptibilities of existing practices, policies, safeguards of their own organizations, as well as their business associates and their vendors within the scope of attorney-client privilege taking into consideration data available from OCR, data regarding known or potential susceptibilities within their own operations as well as in the media, and other developments to determine if additional steps are necessary or advisable.
  • Updating policies, privacy and other notices, practices, procedures, training and other practices as needed to promote compliance and defensibility.
  • Renegotiating and enhancing service provider agreements to detail the specific compliance, audit, oversight and reporting rights, workforce and vendor credentialing and access control, indemnification, insurance, cooperation and other rights and responsibilities of all entities and individuals that use, access or disclose, or provide systems, software or other services or tools that could impact on security; to clarify the respective rights, procedures and responsibilities of each party in regards to compliance audits, investigation, breach reporting, and mitigation; and other relevant matters.
  • Verifying and tightening technological and other tracking, documentation and safeguards and controls to the use, access and disclosure of protected health information and systems.
  • Conducting well-documented training as necessary to ensure that members of the workforce of each covered entity and business associate understand and are prepared to comply with the expanded requirements of HIPAA, understand their responsibilities and appropriate procedures for reporting and investigating potential breaches or other compliance concerns, and understand as well as are prepared to follow appropriate procedures for reporting and responding to suspected 
    violations or other indicia of potential security concerns.
  • Tracking and reviewing on a systemized, well-documented basis actual and near miss security threats to evaluate, document decision-making and make timely adjustments to policies, practices, training, safeguards and other compliance components as necessary to identify and resolve risks.
  • Establishing and providing well-documented monitoring of compliance that includes board level oversight and reporting at least quarterly and sooner in response to potential threat indicators.
  • Establishing and providing well-documented timely investigation and redress of reported 
    violations or other compliance concerns.
  • Establishing contingency plans for responding in the event of a breach. 
  • Establishing a well-documented process for monitoring and updating policies, practices and other efforts in response to changes in risks, practices and requirements.
  • Preparing and maintaining a well-documented record of compliance, risk, investigation and other security activities.
  • Pursuing other appropriate strategies to enhance the covered entity’s ability to demonstrate its compliance commitment both on paper and in operation.

Because susceptibilities in systems, software and other vendors of business associates, covered entities and their business associates should use care to assess and manage business associate and other vendor associated risks and compliance as well as tighten business associate and other service agreements to promote the improved cooperation, coordination, management and oversight required to comply with the new breach notification and other HIPAA requirements by specifically mapping out these details.

Beyond these HIPAA exposures, breaches and other HIPAA noncompliance carries other liability risks. Leaders of covered entities or their business associates also are cautioned that while HIPAA itself does not generally create any private right of action for victims of breach under HIPAA, breaches may create substantial liability for their organizations or increasingly, organizational leaders.  For instance, the Department of Health & Human Services has warned health care providers participating in Medicare or other federal programs and Medicare Advantage health plans that HIPAA compliance is a program term of participation. 

Health care providers and health insurers can face liability under state data privacy and breach, negligence or other statutory or common laws. In addition, physicians and other licensed parties may face professional discipline or other professional liability for breaches violating statutory or ethical standards. 

Health plans also face a myriad of other exposures from failing to use appropriate cyber safeguards. Plan fiduciaries of employment based health plans covered by the Employee Retirement Income Security Act (“ERISA”} risk liability under ERISA’s fiduciary responsibility rules. The Department of Labor Employee Benefit Security Administration (“EBSA”) now audits the adequacy of the cybersecurity and other HIPAA compliance of health plans and their third party administrators and other business associates as part of EBSA’s oversight and enforcement of ERISA. Department of Labor Assistant Secretary for EBSA Lisa Gomez confirmed audit and enforcement of cybersecurity obligations is a key priority in EBSA’s current work plan in her February 4, 2023 comments to the American bar Association.

Meanwhile, the Securities and Exchange Commission has indicated that it plans to pursue enforcement against leaders of public health care or other public companies that fail to use appropriate care to ensure their organizations comply with privacy and data security obligations.

Furthermore, appropriate cyber security practices also may be advisable elements for organizations to include in their Federal Sentencing Guideline Compliance Programs to mitigate potential organization liability risks under federal electronic crime and related laws. 

In the face of these risks and warnings, all covered entities and their business associates should reassess and confirm the adequacy of their and their business associates’ cyber security defenses and breach response preparations.

More Information

We hope this update is helpful. For more information about the these or other health or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297

Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.  

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

A Fellow in the American College of Employee Benefit Counsel, Vice Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on health, health plan and managed care industry legal, public policy and operational concerns. 

Ms. Stamer’s work throughout her 35 year career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. As an ongoing component of this work, she regularly advises, represents and defends HIPAA covered entities, business associates and other organizations on HIPAA and other cyber, privacy and data security concerns and has published and spoken extensively on these concerns.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here.  

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access of this publication. 

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2023 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™

Comments Off on $1.25 Million Cybersecurity Breach Settlement & Other Heightening Enforcement Warn Health Plans & Others To Fix Cybersecurity | Association Health Plan, Civil Monetary Penalties, Corporate Compliance, Cybercrime, Cybersecurity, Data Breach, Data Security, Electronic Medical Record, Emploeyrs, employee, Employee Benefits, Employer, Employers, Federal Sentencing Guidelines, FTC, Government Contractors, government employer, group health plan, health benefit, Health Benefits, health Care, Health Care Fraud, Health IT, health plan, Health Plans, HIPAA, HR, Human Resources, insurers, Internal Controls, Internal Investigations, Managed Care, Mental Health, pbm, Personal Health Records, Personal Health Recordss, pharmacy, Physician, Plan Admistrator, PPO, Professional Liability, Protected Health Information, Provider, provider contracting, Retaliation | Permalink
Posted by Cynthia Marcotte Stamer

DOJ Withdrawal of “Outdated” Health Care Antitrust Policies Leaves Federal Health Industry Competition & Antitrust Policy Ambiguous

February 3, 2023

With health industry consolidation and competition continuing to draw public and lawmaker scrutiny, the Department of Justice Antitrust Division today (February 3, 2022) signaled the Biden Administration plans to redirect health care antitrust policy by withdrawing three healthcare antitrust policy statements it says are outdated.

The withdrawn policy statements are three statements of antitrust principles adopted more than a decade ago by the DOJ and Federal Trade Commission (“FTC”) defining the agencies principles for interpreting and enforcing antitrust law in the healthcare industry:

The withdrawal of the statements follows growing activity by DOJ in challenging certain other health industry conduct as anticompetitive under Fdderal antitrust laws in recent years as well as new policies challenging noncompetition and other workforce practices used widely within the health care industry. (These developments were discussed in a September, 2022 Joint Committee on Employee Benefits webinar on Department of Justice Enforcement Update webinar moderated by Cynthia Marcotte Stamer.)

Following an uptake in DOJ health care and workforce antitrust enforcement in recent years, the announcement of the antitrust statement withdrawals confirms the Biden Administration led DOJ plans changes to care antitrust and other competition policies and enforcement impacting health care providers, payers, employers and other plan sponsors. In lieu of the principles previously provided by the withdrawn guidelines, DOJ says it will evaluate mergers and conduct in healthcare markets that may harm competition on the case-by-case basis. The announced plan to interpret antitrust law in health care on a case by case basis creates significant uncertainty about the scope of risk and safety of many contracting, business transaction and other activities in the health care industry. All segments of the marketplace should monitor developments and proceed cautiously to avoid inadvertently triggering challenges or liability as a result of the newly created ambiguity. 

While employers, providers and others concerned about market power and consolidation among pharmacy benefit management companies (“PBMs”), mega healthcare systems and large health insurers are likely to welcome news of DOJ’s plan to update its policies and enforcement to reflect new market realities, DOJ’s announced plan to proceed on a case-by-case basis raises significant questions about the market participants and practices that will benefit or suffer under this new but undefined policy. Consequently, employer and other health plan sponsors, health industry providers, payers, and others concerned about health industry competition should proceed cautiously and carefully monitor developments at DOJ and FTC. Stay tuned for further developments.

More Information

We hope this update is helpful. For more information about the these or other health or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297

Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.  

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

A Fellow in the American College of Employee Benefit Counsel, Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee, Chair-Elect of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on health and managed care and employer benefits legal, public policy and operational concerns. 

Ms. Stamer’s work throughout her 30 plus year career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. Her work has included ongoing involvement in health industry and workforce competition and antitrust issues. 

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here.  

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access of this publication. 

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2023 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™

Comments Off on DOJ Withdrawal of “Outdated” Health Care Antitrust Policies Leaves Federal Health Industry Competition & Antitrust Policy Ambiguous | Antitrust, compliance, conflict of interest, Corporate Compliance, corporate governance, Emploeyrs, Employee Benefits, Employer, Employers, group health plan, health benefit, Health Benefits, Health Industry Consolidation, health plan, Health Plans, Managed Care, pbm | Permalink
Posted by Cynthia Marcotte Stamer

Attorney Filer of ADA Lawsuits Pleads Guilty to Filing False Tax Returns For Not Reporting Disability Lawsuit Settlement Income

November 29, 2022

A California attorney known for his filing of thousands of disability discrimination lawsuits under the Americans with Disabilities Act of 1990 (“ADA”) with himself as the plaintiff plead guilty November 29 to filing a false tax return on which he underreported the income he earned from many of those lawsuits. Aside from the enjoyment many businesses victimized by the defendant’s or other similar disability lawsuits may experience over seeing the defendant get his own comeuppance, the prosecution and the plea also provide important reminders for businesses paying ADA or other settlements to applicants or former employees.

According to court documents and statements made in court, Scott Norris Johnson owned and operated Disabled Access Prevents Injury Inc (DAPI), a legal services corporation. A quadriplegic and an attorney, Johnson filed more than 4,000 lawsuits in the Eastern District of California and elsewhere under the ADA and related California statutes, naming himself as the plaintiff against businesses he claimed were not in compliance with state and federal disability access laws first using DAPI, and later a law firm,

Under the Small Business Job Protection Act of 1996, payments related to lawsuit settlements or awards are taxable unless paid on account of personal physical injury or physical sickness. Johnson, who worked as an attorney at the Internal Revenue Service (“IRS”) earlier in his career, was required to report the taxable portion of the lawsuit settlements and awards he received. He nonetheless intentionally underreported this income on his 2012, 2013, and 2014 tax returns. By understating the lawsuit settlements and awards, Johnson and DAPI paid little to no income tax for tax years 2012, 2013 and 2014. Johnson caused a loss to the IRS of more than $250,000.

Johnson is scheduled to be sentenced on March 7, 2023, and faces a maximum penalty of three years in prison for filing a false tax return. He also faces also faces a period of supervised release, restitution, and monetary penalties. A federal district court judge will determine any sentence after considering the U.S. Sentencing Guidelines and other statutory factors.

The prosecution and subsequent plea highlight the taxability of disability and certain other settlements and the willingness of the Justice Department and IRS to prosecute individuals and businesses failing to fulfill obligations to recognize and report those payments as income for federal tax purposes.

Businesses and their legal counsel entering into settlements or otherwise making payments to employees or applicants under the ADA or other taxable settlements generally should use care to properly report taxable amounts as income to the recipient. For payments made pursuant to a settlement agreement, the settlement agreement generally should provide both that the employer is authorized to deduct and withhold amounts the employer believes may be due from the employee for taxes as well as obligate the employee to report and pay any additional taxes due on the payment.

Obviously, the business also needs to ensure it properly reports and pays its required share of any employment taxes on the payments. Employees should confirm the current tax rules prior to making any agreement or payment to avoid mistakes.

Businesses also should keep in mind many other developments could impact the interpretation and enforcement of settlements and their resulting responsibilities. Changes to trade secret, noncompete, arbitration, voluntariness and other requirements for release of claims, arbitration, scope of release and other developments could materially affect the effectiveness of previously used settlement language. Wise business leaders will seek qualified legal advice and assistance with their settlements.

For Help With Comments, Investigations Or Other Needs

If your organization would like to learn more about the concerns discussed in this update or seeks assistance auditing, updating, administering or defending its human resources, compensation, benefits, corporate ethics and compliance practices, or other performance related concerns, please contact management attorney and consultant Cynthia Marcotte Stamer.

An attorney Board Certified in Labor & Employment Law by Texas Board of Legal Specialization, Ms. Stamer is recognized for work helping organizations management people, operations and risk as  a Fellow in the American College of Employee Benefit Counsel, a “Top Woman Lawyer,” “Top Rated Lawyer,” and “LEGAL LEADER™” in Labor and Employment Law and Health Care Law; a “Best Lawyers” in “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law.”

For 35 years, Ms. Stamer’s work has focused on advising and assisting businesses and business leaders with these and other employment and other staffing, employee benefit, compensation, risk, performance and compliance management and other operational solutions and concerns. Her experience includes helping management both manage performance and manage legal risk and compliance.  While helping businesses define and manage the conduct and performance of their employees, contractors and vendors, she also assists employers and others about compliance with federal and state equal employment opportunity, compensation, health and other employee benefit, workplace safety, leave, and other labor and employment laws, advises and defends businesses against labor and employment, employee benefit, compensation, fraud and other regulatory compliance and other related audits, investigations and litigation, charges, audits, claims and investigations by the IRS, Department of Labor, Department of Justice, SEC,  Federal Trade Commission, HUD, HHS, DOD, Departments of Insurance, and other federal and state regulators. Ms. Stamer also speaks, coaches management and publishes extensively on these and other related matters. For additional information about Ms. Stamer and her experience or to access other publications by Ms. Stamer see hereor contact Ms. Stamer directly.

Other Helpful Resources & Information

If you found this article of interest, you also may be interested in reviewing other Breaking News, articles and other resources available including:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. For important information concerning this communication click here.  If you do not wish to receive these updates in the future, unsubscribe by updating your profile here.

NOTICE: These materials are for general informational and educational purposes only. They do not establish an attorney-client relationship, are not legal advice, a substitute for legal advice, an offer or commitment to provide legal advice or an admission. The information and statements in these materials may not address all relevant issues or apply to any situation or circumstances.  The author reserves the right to qualify or retract any of these statements at any time. and does not necessarily address all relevant issues. Because the law evolves and in ways that subsequent developments could impact the currency and completeness of this discussion. The author disclaims and has no responsibility to provide any update or otherwise notify anyone any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstance at any time. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.  Readers acknowledge and agree to the conditions of this Notice as a condition of their access of this publication.  Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein. ©2022 Cynthia Marcotte Stamer. Nonexclusive right to republish granted to Solutions Law Press, Inc. All rights reserved.

Comments Off on Attorney Filer of ADA Lawsuits Pleads Guilty to Filing False Tax Returns For Not Reporting Disability Lawsuit Settlement Income | ADA, Corporate Compliance, Employer, Employers, government employer, health Care, Health Plans, Mental Health, Mental Health Parity, Public Policy | Tagged: , , , | Permalink
Posted by Cynthia Marcotte Stamer

Proposed Changes To Substance Abuse Confidentiality Rules Could Create New Burdens For Employers & Health Plans

November 28, 2022

January 30 Deadline To Comment On HHS’ Proposed Changes To Substance Use Confidentiality Rules

Employers, their health plans and issuers, substance abuse, mental health and other healthcare providers, health care professional associations, consumer advocates, community organizations, state and local government entities, patients and caregivers and others concerned with mental health and substance abuse treatment and management should review and comment by January 30, 2023 on proposed changes to rules on unauthorized disclosures the Confidentiality of Substance Use Disorder (SUD) Patient Records under 42 CFR part 2 (“Part 2”) proposed by the U.S. Health and Human Services Department Office for Civil Rights (OCR) and the Substance Abuse and Mental Health Services Administration (SAMHSA) in a Notice of Proposed Rulemaking (NPRM) made public November 28, 2022 here and scheduled for publication in the December 2, 2022 Federal Register. In addition to obvious implications for health care providers and health plans, the proposed changes are likely to impact both the confidentiality requirements for employer-sponsored and other health benefit programs, as well as the ability and responsibilities of businesses seeking to access or use information about prior substance use and abuse in their workplaces or for other legitimate purposes.

Proposed Changes To Substance Abuse Confidentiality Rules

On November 28, 2022, OCR and SAMHSA issued the NPRM to revise the Confidentiality of Substance Use Disorder Patient Records regulations at 42 CFR part 2 (“Part 2”), which seek to address concerns that concerns about discrimination or prosecution might deter people from entering treatment for SUD by protecting “records of the identity, diagnosis, prognosis, or treatment of any patient which are maintained in connection with the performance of any program or activity relating to substance abuse education prevention, training, treatment, rehabilitation, or research, which is conducted, regulated, or directly or indirectly assisted by any department or agency of the United States.”(“SUD Records”).

Currently, the Part 2 protections of patient privacy and records concerning treatment related to substance use challenges from unauthorized disclosures differ from the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Breach Notification, and Enforcement Rules (“HIPAA”) rules.  These distinctions reportedly create barriers to information sharing by patients and among health care providers and create dual obligations and compliance challenges for regulated entities. To address this concern, Congress mandated in Section 3221 of the Coronavirus Aid, Relief, and Economic Security Act (CARES Act) that HHS to bring Part 2 into greater alignment with certain aspects of the HIPAA Privacy rule.

The NPRM seeks to address the CARES Act mandate as Americans and their leaders struggle to continue to provide pathways for victims of substance abuse and other mental health challenges to pursue treatment and maximize their participation and enjoyment in our communities while addressing safety concerns about a growing series of rare but notorious acts of violence committed by certain inadequately diagnosed or managed victims of mental health or substance abuse.  See, e.g., Fact Sheet: President Biden To Announce Strategy To Address Our National Mental Health Crisis, As Part Of Unity Agenda In His First State Of The Union; President Biden Releases National Drug Control Strategy to Save Lives, Expand Treatment, and Disrupt Trafficking; Actions Taken by the Biden-⁠Harris Administration to Address Addiction and the Overdose Epidemic; Colorado Springs LGBT Nightclub Shooting Leaves Five Dead and 25 Injured; Virginia Walmart Shooting Gunman “Was Picking People Out,” Witness Says; Opinion: Leaders Blamed the Uvalde Shooting on a Mental Health Crisis. Gun Violence Is Making That Crisis Worse; Nancy Pelosi Husband Attack Suspect David Depape Pleads Not Guilty To Federal Charges.

Amid these challenges, the NPRM proposes to implement this CARES Act mandate through the following changes to Part 2 that HHS says will help safeguard the health and outcomes of individuals with SUD while creating greater flexibility for information sharing envisioned by Congress in its passage of Section 3221 of the CARES Act: 

  • Permit Part 2 programs to use and disclose Part 2 records based on a single prior consent signed by the patient for all future uses and disclosures for treatment, payment, and health care operations;
  • Permit the redisclosure of Part 2 records as permitted by the HIPAA Privacy Rule by recipients that are Part 2 programs, HIPAA covered entities, and business associates, with certain exceptions;
  • Expand prohibitions on the use and disclosure of Part 2 records in civil, criminal, administrative, or legislative proceedings conducted by a federal, state, or local authority against a patient, absent a court order or the consent of the patient;
  • Create two patient rights under Part 2 that align with individual rights under the HIPAA Privacy Rule:
    • Right to an accounting of disclosures; and
    • Right to request restrictions on disclosures for treatment, payment, and health care operations;
  • Require disclosures to the Secretary for enforcement;
  • Apply HIPAA and HITECH Act civil and criminal penalties to Part 2 violations;
  • Require Part 2 programs to establish a process to receive complaints of Part 2 violations;
  • Prohibit Part 2 programs from taking adverse action against patients who file complaints;
  • Prohibit Part 2 programs from requiring patients to waive the right to file a complaint as a condition of providing treatment, enrollment, payment, or eligibility for services;
  • Apply the standards in the HITECH Act and the HIPAA Breach Notification Rule to breaches of Part 2 records by Part 2 programs;
  • Modify the Part 2 confidentiality notice requirements (“Patient Notice”) to align with the HIPAA Notice of Privacy Practices;
  • Modify the HIPAA Notice of Privacy Practices requirements for covered entities who receive or maintain Part 2 records to include a provision limiting redisclosure of Part 2 records for legal proceedings according to the Part 2 standards; and
  • Permit investigative agencies to apply for a court order to use or disclose Part 2 records after they unknowingly receive Part 2 records while investigating or prosecuting a Part 2 program, when certain preconditions are met.

While the Department is undertaking this rulemaking, the current Part 2 regulations remain in effect.  However, once the comment period ends, the Biden Administration-led HHS is expected to finalize the proposed changes quickly.  Consequently, in addition to sharing any concerns or other input about the proposed changes during the comment period, health care providers, health plans, health care clearinghouses, employers, community agencies, state and local governments, patients and other caregivers and other concerned parties also should begin planning and preparing to respond to the anticipated changes in the requirements. 

Implications For Businesses & Their Health Plans

Businesses should carefully assess the potential implications of the proposed changes on their worker and vendor credentialing and workplace safety practices as well as their health and other benefit programs. Assuming the changes are adopted in their current form, businesses sponsoring health benefit programs generally, and health care organizations and providers specifically should prepare to modify their HIPAA required notices of privacy practices and associated practices to comply with the proposed updates.

Businesses required to comply with Department of Transportation Drug Free Workplace or other alcohol and substance abuse requirements also should consider the potential implications of the proposed changes on their ability to secure relevant substance abuse treatment and related history. In assessing these implications, businesses also should be cognizant of a new proactivity on behalf of certain uses of drugs by workers in the workplace under the Americans With Disabilities Act (“ADA”). For instance, the EEOC recently has sued Eagle Marine Services Electrical & Refrigeration, LLC for allegedly violating the ADA by refusing to hire or accommodate a worker because he used medication prescribed by his doctor to treat attention deficit hyperactivity disorder (“ADHD”) without making any individual assessment of the worker’s medication use or whether it would affect his ability to safely perform the marine electrician position, and instead relied on general stereotypes about disability and medication use to justify its decision not to hire him. Businesses seeking to investigate or deny employment opportunities to workers based on the worker’s past or current medication use will want to use care to ensure that their practices are tailored to defend against similar challenges.

Health plan sponsors and insurers also should assure their mental health and substance abuse treatment coverage documents and practices are defensible under the latest mental health and substance abuse parity mandates of the Mental Health Parity and Addiction Equity Act (MHPAEA) and coverage requirements of the Patient Protection and Affordable Care Act (“ACA”). Along with a host of statutory changes since the original parity mandates took effect, implementing regulations and guidance about non-qualitative limitations and exclusions and heightened agency enforcement are ramping up enforcement and liability risks. In addition to exposing the health plan administrators and other fiduciaries to potential claims denial or fiduciary responsibility claims brought by participants or beneficiaries, the Department of Labor or both, administrative penalties by the EBSA, or both, the MHPAEA mental health and substance abuse parity rules are among 40 federal mandates that when violated can trigger the automatic $100 per violation per day employer excise tax penalty under Internal Revenue Code Section 6039D. As a consequence, violations of the MHPAEA are particularly risky and potentially expensive for private employers, their health plans and the plan administrators and fiduciaries that administer it.

For Help With Comments, Investigations Or Other Needs

If your organization would like to learn more about the concerns discussed in this update or seeks assistance auditing, updating, administering or defending its human resources, compensation, benefits, corporate ethics and compliance practices, or other performance related concerns, please contact management attorney and consultant Cynthia Marcotte Stamer.

An attorney Board Certified in Labor & Employment Law by Texas Board of Legal Specialization, Ms. Stamer is recognized for work helping organizations management people, operations and risk as  a Fellow in the American College of Employee Benefit Counsel, a “Top Woman Lawyer,” “Top Rated Lawyer,” and “LEGAL LEADER™” in Labor and Employment Law and Health Care Law; a “Best Lawyers” in “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law.”

For 35 years, Ms. Stamer’s work has focused on advising and assisting businesses and business leaders with these and other employment and other staffing, employee benefit, compensation, risk, performance and compliance management and other operational solutions and concerns. Her experience includes helping management both manage performance and manage legal risk and compliance.  While helping businesses define and manage the conduct and performance of their employees, contractors and vendors, she also assists employers and others about compliance with federal and state equal employment opportunity, compensation, health and other employee benefit, workplace safety, leave, and other labor and employment laws, advises and defends businesses against labor and employment, employee benefit, compensation, fraud and other regulatory compliance and other related audits, investigations and litigation, charges, audits, claims and investigations by the IRS, Department of Labor, Department of Justice, SEC,  Federal Trade Commission, HUD, HHS, DOD, Departments of Insurance, and other federal and state regulators. Ms. Stamer also speaks, coaches management and publishes extensively on these and other related matters. For additional information about Ms. Stamer and her experience or to access other publications by Ms. Stamer see hereor contact Ms. Stamer directly.

Other Helpful Resources & Information

If you found this article of interest, you also may be interested in reviewing other Breaking News, articles and other resources available including:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. For important information concerning this communication click here.  If you do not wish to receive these updates in the future, unsubscribe by updating your profile here.

NOTICE: These materials are for general informational and educational purposes only. They do not establish an attorney-client relationship, are not legal advice, a substitute for legal advice, an offer or commitment to provide legal advice or an admission. The information and statements in these materials may not address all relevant issues or apply to any situation or circumstances.  The author reserves the right to qualify or retract any of these statements at any time. and does not necessarily address all relevant issues. Because the law evolves and in ways that subsequent developments could impact the currency and completeness of this discussion. The author disclaims and has no responsibility to provide any update or otherwise notify anyone any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstance at any time. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.  Readers acknowledge and agree to the conditions of this Notice as a condition of their access of this publication.  Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein. ©2022 Cynthia Marcotte Stamer. Nonexclusive right to republish granted to Solutions Law Press, Inc. All rights reserved.

Comments Off on Proposed Changes To Substance Abuse Confidentiality Rules Could Create New Burdens For Employers & Health Plans | ADA, Corporate Compliance, Employer, Employers, government employer, health Care, Health Plans, Mental Health, Mental Health Parity, Public Policy | Tagged: , , , , , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

Eased Opiate Prescription Guidelines Could Impact Employers & Health Plans

November 3, 2022

The Centers for Disease Control released updated opiate prescription guidance today, loosening restrictions on prescription of the pain management narcotics under certain conditions.

Ironically the new guidance loosening opiate prescription guidelines comes on the heels of the announcement yesterday of sellements of opiate litigation against CVS and Walgreens brought by multiple states’ seeking to recover states’ costs arising from citizens ‘ addicted to opiates.

Guideline changes are likely to implicate prescribing practices as well as some prescription drug coverages, as well as electronic recordkeeping and prescribing systems.

Among other things, depending on the plan design, the revised restrictions may have implications for prescription drug coverage design and practices. Easing availability even under these new standards also likely will increase access, creating additional concerns for employers and plans about addiction and associated costs. The introduction of potential opportunities for addiction raises particular concerns for health plans and their sponsors because of federal healthcare parity mandates for mental health and substance abuse coverage as well as Biden Administration recently announced expanded expectations of employers to provide accommodation and other changes to welcome individuals impacted by substance-abuse into their workplaces.

Slay tuned for more details about the new guidelines and other health care and life sciences relevant developments. 

More Information

We hope this update is helpful. For more information about the these or other health or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297

Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.  

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

A Fellow in the American College of Employee Benefit Counsel, Vice Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on health and managed care industry legal, public policy and operational concerns. 

Ms. Stamer’s work throughout her 30 plus year career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. 

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here.  

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access of this publication. 

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2022 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™

Comments Off on Eased Opiate Prescription Guidelines Could Impact Employers & Health Plans | Corporate Compliance, EEOC, GINA, health plan, Health Plans, Mental Health, Mental Health Parity, Prescription Drugs | Permalink
Posted by Cynthia Marcotte Stamer

ADA May Require Employers To Accommodate Employees Testing Positive For Legally Prescribed Medications

September 22, 2022

A new Equal Employment Opportunity Commission (“EEOC”) lawsuit that refusing to hire an applicant for testing positive for legally prescribed medications could violate the Americans With Disabilities Act (“ADA”) under certain circumstances.

The EEOC is suing the Princess Martha senior living residence owned and managed by TJM Properties for allegedly violating the ADA by revoking an applicant’s job offer because of her disability, in a lawsuit filed yesterday.

According to the lawsuit, the applicant, a veteran who suffers from post-traumatic stress disorder (PTSD), received an offer of employment from Princess Martha conditioned upon a negative drug test. During her interview, the applicant informed her interviewer she was diagnosed with PTSD and was required to take legally-prescribed medications that would cause her drug test to fail. The applicant subsequently took the drug test and received a “non-negative” result. A few days after taking the drug test, the applicant called Princess Martha to check on the status of her hire and again informed the employer her prescription medications would cause a drug test to fail. The next day, the applicant’s job offer was revoked without explanation.

In its complaint in EEOC v. Princess Martha, LLC, Case No. 8:22-cv-02182) filed in the U.S. District Court for the Middle District of Florida, the EEOC alleges the conduct violates the ADA) prohibitions against discrimination based on disabilities and requires employers to provide reasonable accommodations of disabilities if it does not cause the company an undue hardship. The EEOC seeks back pay and compensatory and punitive damages for the employee, as well as injunctive relief to prevent any further discriminatory practices.

The lawsuit reminds other employers and their drug testing, recruiting, staffing and other business partners that a positive drug test does not always justify refusing to hire, firing, or taking other adverse employment action against an applicant or employee. Applicants and employees testing positive for drugs legally taken to treat a medical or physical condition that qualifies as a disability may qualify as disabled individuals entitled to accommodation unless the employer can prove with evidence collected before the action that he accommodation creates an undue hardship, a legitimate safety risk, or would violate the law.

Employees, recruiters and other workforce service providers using drug testing in their hiring or other processes should review and administer their drug testing practices to include appropriate procedures to invite applicants and employees to disclose legally prescribed medications, to use consistent processes to verify the alleged medical need for the medication and its prescribed use, and where verified, to conduct documented evaluations of accommodation options including where applicable evaluations if evidence the employer intends to rely upon to justify denial of accommodation as an undue hardship, for evidence supported safety reasons that can’t be managed through reasonable accommodation without undue hardship, to comply with a legal mandate or another relevant defense to accommodation under the ADA. Employers and they’re agents also must use care to comply with the ADA requirements for maintaining records and information confidential and in separate confidential medical files, as well as comply with otherwise applicable special rules for keeping confidential drug testing and treatment records.

Because unprivileged discussions of potential responses to positive drug tests and other employment decision-making between employers, recruiters, drug testing or other internal or external parties could be discovered and used to show pretext, willfulness, retaliation or other evidence helpful to prove discrimination or retaliation claims by the EEOC, disgruntled applicants or employees or both, employers and other parties participating in drug testing or other related hiring, recruiting or employment decision -making are cautioned to include, understand and follow appropriate procedures engaging qualified legal counsel for seeking advice and to conduct and keep discussions and other evidence and communications relating to drug testing, accommodation and other hiring, discipline, termination and employment matters within the scope of attorney-client privilege, work-product privilege or both.

More Information

We hope this update is helpful. For more information about these or other health or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.

Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Board Certified in Labor and Employment Law by the Texas Board of Legal Specialization, a Fellow in the American College of Employee Benefits Counsel repeatedly recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” by LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law and among the “Best Lawyers In Dallas” in “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney and management consultant, author, public policy advocate and lecturer widely known for 30+ years of advising, representing and defending domestic and international public, closely held and government organizations on workforce, employee benefits, internal controls and governance, and other risk management, compliance and government relations concerns as well as her coaching, scholarship, training and legislative and public affairs advocacy on these and related areas.

Ms. Stamer helps health industry and other organizations and their management manage. Ms. Stamer’s legal and management consulting work throughout her nearly 30+ year career has focused on helping organizations and their management use the law and process to manage people, process, compliance, operations and risk. Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer helps public and private, domestic and international businesses, governments, and other organizations and their leaders manage their employees, vendors and suppliers, and other workforce members, customers and other’ performance, compliance, compensation and benefits, operations, risks and liabilities, as well as to prevent, stabilize and cleanup workforce and other legal and operational crises large and small that arise in the course of operations.

Ms. Stamer works with businesses and their management, employee benefit plans, governments and other organizations deal with all aspects of human resources and workforce management operations and compliance. She supports her clients both on a real time, “on demand” basis and with longer term basis to deal with daily performance management and operations, emerging crises, strategic planning, process improvement and change management, investigations, defending litigation, audits, investigations or other enforcement challenges, government affairs and public policy. Well known for her extensive work with health care, insurance and other highly regulated entities on corporate compliance, internal controls and risk management, her clients range from highly regulated entities like employers, contractors and their employee benefit plans, their sponsors, management, administrators, insurers, fiduciaries and advisors, technology and data service providers, health care, managed care and insurance, financial services, government contractors and government entities, as well as retail, manufacturing, construction, consulting and a host of other domestic and international businesses of all types and sizes. Common engagements include internal and external workforce hiring, management, training, performance management, compliance and administration, discipline and termination, and other aspects of workforce management including employment and outsourced services contracting and enforcement, sentencing guidelines and other compliance plan, policy and program development, administration, and defense, performance management, wage and hour and other compensation and benefits, reengineering and other change management, internal controls, compliance and risk management, communications and training, worker classification, tax and payroll, investigations, crisis preparedness and response, government relations, safety, government contracting and audits, litigation and other enforcement, and other concerns. She also represents and defends clients in investigations, audits, enforcement actions and other dealings with the the Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and a multitude of federal, state, and locate agencies, state attorneys’ general and other federal and state agencies, public and private credentialing, licensing and accreditation bodies, as well as conducts and counsels clients on private litigation, employment and other services disputes, regulatory and public policy advocacy, training and discipline, enforcement  and other strategic and operational concerns.

Ms. Stamer uses her deep and highly specialized health, insurance, labor and employment and other knowledge and experience to help employers and other employee benefit plan sponsors; health, pension and other employee benefit plans, their fiduciaries, administrators and service providers, insurers, and others design legally compliant, effective compensation, health and other welfare benefit and insurance, severance, pension and deferred compensation, private exchanges, cafeteria plan and other employee benefit, fringe benefit, salary and hourly compensation, bonus and other incentive compensation and related programs, products and arrangements. She is particularly recognized for her leading edge work, thought leadership and knowledgeable advice and representation on the design, documentation, administration, regulation and defense of a diverse range of self-insured and insured health and welfare benefit plans including private exchange and other health benefit choices, health care reimbursement and other “defined contribution” limited benefit, 24-hour and other occupational and non-occupational injury and accident, expat and medical tourism, onsite medical, wellness and other medical plans and insurance benefit programs as well as a diverse range of other qualified and nonqualified retirement and deferred compensation, severance and other employee benefits and compensation, insurance and savings plans, programs, products, services and activities. As a key element of this work, Ms. Stamer works closely with employer and other plan sponsors, insurance and financial services companies, plan fiduciaries, administrators, and vendors and others to design, administer and defend effective legally defensible employee benefits and compensation practices, programs, products and technology. She also continuously helps employers, insurers, administrative and other service providers, their officers, directors and others to manage fiduciary and other risks of sponsorship or involvement with these and other benefit and compensation arrangements and to defend and mitigate liability and other risks from benefit and liability claims including fiduciary, benefit and other claims, audits, and litigation brought by the Labor Department, IRS, HHS, participants and beneficiaries, service providers, and others. She also assists debtors, creditors, bankruptcy trustees and others assess, manage and resolve labor and employment, employee benefits and insurance, payroll and other compensation related concerns arising from reductions in force or other terminations, mergers, acquisitions, bankruptcies and other business transactions including extensive experience with multiple, high-profile large scale bankruptcies resulting in ERISA, tax, corporate and securities and other litigation or enforcement actions.

Ms. Stamer also is deeply involved in helping to influence workforce, health care, pension, social security, insurance and other policies critical to the workforce, benefits, and compensation practices and other key aspects of a broad range of businesses and their operations. She both helps her clients respond to and resolve emerging regulations and laws, government investigations and enforcement actions and helps them shape the rules through dealings with Congress and other legislatures, regulators and government officials domestically and internationally. A former lead consultant to the Government of Bolivia on its Social Security reform law and most recognized for her leadership on U.S. health and pension, wage and hour, tax, education and immigration policy reform, Ms. Stamer works with U.S. and foreign businesses, governments, trade associations, and others on workforce, social security and severance, health care, immigration, privacy and data security, tax, ethics and other laws and regulations. Founder and Executive Director of the Coalition for Responsible Healthcare Policy and its PROJECT COPE: the Coalition on Patient Empowerment and a Fellow in the American Bar Foundation and State Bar of Texas, Ms. Stamer annually leads the Joint Committee on Employee Benefits (JCEB) HHS Office of Civil Rights agency meeting and other JCEB agency meetings. She also works as a policy advisor and advocate to many business, professional and civic organizations.

Author of the thousands of publications and workshops these and other employment, employee benefits, health care, insurance, workforce and other management matters, Ms. Stamer also is a highly sought out speaker and industry thought leader known for empowering audiences and readers. Ms. Stamer’s insights on employee benefits, insurance, health care and workforce matters in Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, Modern Healthcare, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, InsuranceThoughtLeadership.com and many other prominent publications. Ms. Stamer also regularly serves on the faculty and planning committees for symposia of LexisNexis, the American Bar Association, ALIABA, the Society of Employee Benefits Administrators, the American Law Institute, ISSA, HIMMs, and many other prominent educational and training organizations and conducts training and speaks on these and other management, compliance and public policy concerns.

Ms. Stamer also shares her leadership through her extensive involvement in many professional, community and civic organizations. Currently, she serves as Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR and a representative for its Annual Agency Meeting with the EEOC, Chair of the ABA Intellectual Property Section Law Practice Management Committee, Vice Chair of the ABA International Section Life Sciences Committee, Chair-Elect of the ABA Tort & Insurance Section (TIPS) Medicine and Law Committee, RPTE Section Employee Benefits Committee Welfare Plan Chair, and in various other projects and capacities. She also previously has served as an ABA Joint Committee on Employee Benefits Council Representative, Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and the ABA RPTE Employee Benefits & Other Compensation Group, the Society for Human Resources Management Region IV Board Chair and National Consultant’s Board Member; am Editorial Advisory Board Member and author for HR.com, Insurance ThoughtLeaders, BNA CD-Rolm, and Employee Benefits News; the Alliance for Healthcare Excellence Board President, Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, on the North Texas United Way Long Range Planning Committee Member, as a Board Member and Compliance Chair of the National Kidney Foundation of North Texas and many others.

Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. These include hundreds of highly regarded articles and workshops on health and other benefits, workforce, health care and insurance concerns.

For more information about these requirements, Ms. Stamer or her experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here.

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE:   These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.  Readers acknowledge and agree to the conditions of this Notice as a condition of their access of this publication.  Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein. 

©2022 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™

Comments Off on ADA May Require Employers To Accommodate Employees Testing Positive For Legally Prescribed Medications | Accommodation, ADA, Corporate Compliance, Disability Discrimination, Discrimination, DOT, Drug & Alcohol, Drug Testign, Drug Testing, EEOC, EEOC, Employers, Employment Discrimination, Prescription Drugs, Risk Management | Permalink
Posted by Cynthia Marcotte Stamer

Annual Review of Proposed Medicare Quality Measures Excellent Opportunity For Insight, Input on What Health Care Quality Means

September 15, 2022

Employer and other health plan sponsors, fiduciaries and plan members hear a lot about about health care quality and its measures. However few understand what the quality data and ratings relied upon by health plans, Medicare or Medicaid, accreditation agencies or others making assertions about health care quality or how that data is measured.

While quality measures and meanings take many forms, one key measure used by Medicare, Medicaid and many other health plans, lawmakers, health quality commentators and others evaluating health care provider “quality” is the Department of Health and Human Services Office of the National Coordinator for Healthcare Information (“ONC”) electronic clinical quality measures (“eCQMs”) that the Centers for Medicare & Medicaid Services (“CMS”) requires many health care providers participating in Medicare or Medicaid to report for purposes of program participation and reimbursement.

eCQMs As Measure of HealthCare Quality

Electronic clinical quality measures or “eCQMs” are tools that ONC develops with stakeholder input to help Medicare and Medicaid measure and track the quality of health care services that eligible hospitals and critical access hospitals (CAHs) provide, as generated by a provider’s electronic health record (EHR). CMS Measuring and reporting eCQMs helps to ensure that our health care system is delivering effective, safe, efficient, patient-centered, equitable, and timely care. CMS’ eCQMs measure many aspects of patient care, including:

  • Patient and Family Engagement
  • Patient Safety
  • Care Coordination
  • Population/Public Health
  • Efficient Use of Healthcare Resources
  • Clinical Process/Effectiveness

To successfully participate in the Medicare and Medicaid Promoting Interoperability Programs, the Centers for Medicare and Medicaid Services (“CMS”) requires eligible providers, eligible hospitals, critical access hospitals and dual-eligible hospitals electronically to report on eCQMs determined by CMS that require the use of data from the provider’s certified electronic health record (“EHR”) technology (CEHRT) or other health information technology systems to measure and report quality measures in a standardized manner. For calendar year (CY) 2022, Medicare Promoting Interoperability Program participants arerequired to report on three self-selected eCQMand the Safe Use of Opioids – Concurrent PrescribingeCQM from the set of nine available for at least three self-selected quarters of CY 2022 data. To report eCQMs successfully, health care providers must use an EHR and adhere to the requirements identified by the CMS quality program. Failing to meet these eCQM reporting requirements can prevent the provider from meeting meaningful use requirements and trigger reductions in reimbursements for care.

Health care quality, credentialing, accreditation, and other provider, health plan and other organizations also use the eCQMs data alone or with other quality measures and tools to set standards and assess and enforce quality goals and performances.

2022 eCQMs Updates

Each year, CMS makes updates to the eCQMs approved for CMS programs to reflect changes in:

  • Evidence-based Medicine
  • Code Sets
  • Measure Logic

Conducted annually as part of OCN’s eCQM Issue Tracker project, the CRP provides eCQM users the opportunity to review and comment on draft changes to the eCQM specifications and supporting resources under consideration by the measure stewards. The goal of the CRP is for eCQM implementers to comment on the potential impact of draft changes to eCQMs so CMS and measure stewards can make improvements to meet CMS’s intent of minimizing provider and vendor burden in the collection, capture, calculation, and reporting of eCQMs. 

Every Fall, health care providers, health plans and insurers and other stakeholders concerned about these eCQMs have the opportunity to review and comment on draft changes to the eCQM specifications and supporting resources  under consideration by ONC as part of ONC’s 2022 Change Review Process (CRP) for the ONC Project Tracking System. Interested stakeholders must monitor the posting of issues and act quickly to share their feedback, however, as stakeholders have only two weeks to comment after a ONC posts a new proposed eCQm change.

Stakeholders with an account on the ONC Project Tracking System can monitor, review and comment on proposed eCQM changes through the eCQM Issue Tracker project during the two week period following the date the issue is posted in the eCQM Issue Tracker. To participate in the CRP, users must have an ONC Project Tracking System account. New users can create an account via the ONC Project Tracking System website.

The following table reflects the eCQM issues open on the eCQM Issue Tracker as of September 14, 2022 and their scheduled comment closing dates

Issues Open for Public Comment As of 9/14/2022

CMS eCQM Identifier and Measure TitleCRP Issue TitleIssue Number and LinkIssue TypeGoal of ReviewPublic Comment Open DatePublic Comment Close Date
Multiple measuresIncorporate ‘Diagnosis’ datatype to capture Hospice CareCQM-5561Logic; Value SetObtain clinical and technical feedback09/07/202209/21/2022
CMS128: Anti-depressant Medication Management; CMS136: Follow-Up Care for Children Prescribed ADHD Medication (ADD); CMS156: Use of High-Risk Medications in Older AdultsUpdate Cumulative Medication Duration function to calculate maximum daily frequencyCQM-5562LogicObtain technical feedback09/07/202209/21/2022
Multiple measuresExpand codes using ‘Diagnosis’ datatype to capture Palliative CareCQM-5563Logic; Value SetObtain clinical and technical feedback09/07/202209/21/2022
Multiple measuresRequire 2 indications of frailty to meet exclusionCQM-5564Header; Logic; Measure Intent ClarificationObtain clinical feedback09/07/202209/21/2022
CMS127: Pneumococcal Vaccination Status for Older AdultsExpand numerator to allow for pneumococcal vaccination since 19 years of ageCQM-5565Header; Logic; Measure Intent ClarificationObtain clinical feedback09/07/202209/21/2022
eCQM Issue Tracker Open Issues As Of September 14, 2022

As proposed eCQM changes are posted for public comment as CRP issues. ONC informs eCQM accountholders of the proposed change or eCQM issue by posting for review in the ONC Project Tracking System. Accountholders only have two weeks after ONC posts a proposed eCQM to comment on the posted issue. Stakeholders interested in commenting on a particular issue must submit their comment in accordance with the directions within this two week period.

Depending on the nature of the proposed change, the proposed changing could impact the meaning, or significance of a eCQM by changing the way it is measured, the level or reporting or other aspects of the data and its magnitude. Consequently, understanding both what a eCQM measures and how that measurement is made and reported is important both to understand what actually is measured and to distinguish between changes in the measure resulting from a change in the actual delivery of the care the measure purports to measure versus changes in the result impacted by changes in measurement or reporting. For this reason, employer and other health plan sponsors, fiduciaries, insurers, administrators and other impacted stakeholders should use care to critically evaluate the eCQM and othe quality claims armed with a clear understanding both of the elements of the measurement and of any changes made to the measures across time that could influence the reported data and its significance in measuring and reporting quality and quality trends.

More Information

We hope this update is helpful. For more information about the these or other health or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297

Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.  

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

A Fellow in the American College of Employee Benefit Counsel, Vice Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on health and managed care industry legal, public policy and operational concerns. 

Ms. Stamer’s work throughout her 30 plus year career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. 

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here.  

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access of this publication. 

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2022 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™

Comments Off on Annual Review of Proposed Medicare Quality Measures Excellent Opportunity For Insight, Input on What Health Care Quality Means | Association Health Plan, Corporate Compliance, group health plan, health benefit, Health Benefits, health Care, health care transparency, health centers, health insurance, Health IT, health plan, Health Plans, health reform, self insured health plan | Tagged: | Permalink
Posted by Cynthia Marcotte Stamer

Annual Review of Proposed Medicare Quality Measures Excellent Opportunity For Insight, Input on What Health Care Quality Means

September 15, 2022

Act Promptly To Comment On Proposed Changes To ONC’s Electronic Clinical Quality Measures

Employer and other health plan sponsors, fiduciaries and plan members hear a lot about about health care quality and its measures. However few understand what the quality data and ratings relied upon by health plans, Medicare or Medicaid, accreditation agencies or others making assertions about health care quality or how that data is measured.

While quality measures and meanings take many forms, one key measure used by Medicare, Medicaid and many other health plans, lawmakers, health quality commentators and others evaluating health care provider “quality” is the Department of Health and Human Services Office of the National Coordinator for Healthcare Information (“ONC”) electronic clinical quality measures (“eCQMs”) that the Centers for Medicare & Medicaid Services (“CMS”) requires many health care providers participating in Medicare or Medicaid to report for purposes of program participation and reimbursement.

eCQMs As Measure of Health Care Quality

Electronic clinical quality measures or “eCQMs” are tools that ONC develops with stakeholder input to help Medicare and Medicaid measure and track the quality of health care services that eligible hospitals and critical access hospitals (CAHs) provide, as generated by a provider’s electronic health record (EHR). CMS Measuring and reporting eCQMs helps to ensure that our health care system is delivering effective, safe, efficient, patient-centered, equitable, and timely care. CMS’ eCQMs measure many aspects of patient care, including:

  • Patient and Family Engagement
  • Patient Safety
  • Care Coordination
  • Population/Public Health
  • Efficient Use of Healthcare Resources
  • Clinical Process/Effectiveness

To successfully participate in the Medicare and Medicaid Promoting Interoperability Programs, the Centers for Medicare and Medicaid Services (“CMS”) requires eligible providers, eligible hospitals, critical access hospitals and dual-eligible hospitals electronically to report on eCQMs determined by CMS that require the use of data from the provider’s certified electronic health record (“EHR”) technology (CEHRT) or other health information technology systems to measure and report quality measures in a standardized manner. For calendar year (CY) 2022, Medicare Promoting Interoperability Program participants arerequired to report on three self-selected eCQMand the Safe Use of Opioids – Concurrent PrescribingeCQM from the set of nine available for at least three self-selected quarters of CY 2022 data. To report eCQMs successfully, health care providers must use an EHR and adhere to the requirements identified by the CMS quality program. Failing to meet these eCQM reporting requirements can prevent the provider from meeting meaningful use requirements and trigger reductions in reimbursements for care.

Health care quality, credentialing, accreditation, and other provider, health plan and other organizations also use the eCQMs data alone or with other quality measures and tools to set standards and assess and enforce quality goals and performances.

2022 eCQMs Updates

Each year, CMS makes updates to the eCQMs approved for CMS programs to reflect changes in:

  • Evidence-based Medicine
  • Code Sets
  • Measure Logic

Conducted annually as part of OCN’s eCQM Issue Tracker project, the CRP provides eCQM users the opportunity to review and comment on draft changes to the eCQM specifications and supporting resources under consideration by the measure stewards. The goal of the CRP is for eCQM implementers to comment on the potential impact of draft changes to eCQMs so CMS and measure stewards can make improvements to meet CMS’s intent of minimizing provider and vendor burden in the collection, capture, calculation, and reporting of eCQMs. 

Every Fall, health care providers, health plans and insurers and other stakeholders concerned about these eCQMs have the opportunity to review and comment on draft changes to the eCQM specifications and supporting resources  under consideration by ONC as part of ONC’s 2022 Change Review Process (CRP) for the ONC Project Tracking System. Interested stakeholders must monitor the posting of issues and act quickly to share their feedback, however, as stakeholders have only two weeks to comment after a ONC posts a new proposed eCQm change.

Stakeholders with an account on the ONC Project Tracking System can monitor, review and comment on proposed eCQM changes through the eCQM Issue Tracker project during the two week period following the date the issue is posted in the eCQM Issue Tracker. To participate in the CRP, users must have an ONC Project Tracking System account. New users can create an account via the ONC Project Tracking System website.

Issues Open for Public Comment As of 9/14/2022

The following table reflects the eCQM issues open on the eCQM Issue Tracker as of September 14, 2022 and their scheduled comment closing dates:

CMS eCQM Identifier and Measure TitleCRP Issue TitleIssue Number and LinkIssue TypeGoal of ReviewPublic Comment Open DatePublic Comment Close Date
Multiple measuresIncorporate ‘Diagnosis’ datatype to capture Hospice CareCQM-5561Logic; Value SetObtain clinical and technical feedback09/07/202209/21/2022
CMS128: Anti-depressant Medication Management; CMS136: Follow-Up Care for Children Prescribed ADHD Medication (ADD); CMS156: Use of High-Risk Medications in Older AdultsUpdate Cumulative Medication Duration function to calculate maximum daily frequencyCQM-5562LogicObtain technical feedback09/07/202209/21/2022
Multiple measuresExpand codes using ‘Diagnosis’ datatype to capture Palliative CareCQM-5563Logic; Value SetObtain clinical and technical feedback09/07/202209/21/2022
Multiple measuresRequire 2 indications of frailty to meet exclusionCQM-5564Header; Logic; Measure Intent ClarificationObtain clinical feedback09/07/202209/21/2022
CMS127: Pneumococcal Vaccination Status for Older AdultsExpand numerator to allow for pneumococcal vaccination since 19 years of ageCQM-5565Header; Logic; Measure Intent ClarificationObtain clinical feedback09/07/202209/21/2022
eCQM Issue Tracker Open Issues As Of September 14, 2022

As proposed eCQM changes are posted for public comment as CRP issues. ONC informs eCQM accountholders of the proposed change or eCQM issue by posting for review in the ONC Project Tracking System. Accountholders only have two weeks after ONC posts a proposed eCQM to comment on the posted issue. Stakeholders interested in commenting on a particular issue must submit their comment in accordance with the directions within this two week period.

Depending on the nature of the proposed change, the proposed changing could impact the meaning, or significance of a eCQM by changing the way it is measured, the level or reporting or other aspects of the data and its magnitude. Consequently, understanding both what a eCQM measures and how that measurement is made and reported is important both to understand what actually is measured and to distinguish between changes in the measure resulting from a change in the actual delivery of the care the measure purports to measure versus changes in the result impacted by changes in measurement or reporting. For this reason, employer and other health plan sponsors, fiduciaries, insurers, administrators and other impacted stakeholders should use care to critically evaluate the eCQM and othe quality claims armed with a clear understanding both of the elements of the measurement and of any changes made to the measures across time that could influence the reported data and its significance in measuring and reporting quality and quality trends.

More Information

We hope this update is helpful. For more information about the these or other health or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297

Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.  

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

A Fellow in the American College of Employee Benefit Counsel, Vice Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on health and managed care industry legal, public policy and operational concerns. 

Ms. Stamer’s work throughout her 30 plus year career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. 

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here.  

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access of this publication. 

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2022 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™

Comments Off on Annual Review of Proposed Medicare Quality Measures Excellent Opportunity For Insight, Input on What Health Care Quality Means | Association Health Plan, Corporate Compliance, group health plan, health benefit, Health Benefits, health Care, health care transparency, health centers, health insurance, Health IT, health plan, Health Plans, health reform, self insured health plan | Tagged: | Permalink
Posted by Cynthia Marcotte Stamer

Join 9/8 JCEB Webex To Learn About DOJ Federal Antitrust Health Industry Market Competition Enforcement & Latest On $2.67 Billion BCBS Class Action Antitrust Settlement

September 2, 2022

As companies that purchased health insurance and their employees or other individuals who received health insurance from certain Blue Cross Blue Shield entities wait to hear how to claim their share of the $2.67 billion In re: Blue Cross Blue Shield Antitrust Litigation private federal class action civil antitrust lawsuit settlement (“Settlement”) finally approved August 9, 2022 against the Blue Cross Blue Shield Association (“BCBSA”) and other settling individual Blue Cross Plans, employers and other plan sponsors, health care systems and providers, health insurers, pharmacy benefit managers, brokerages, and other health and health insurance market participants need to keep in mind that the private antitrust judgements are not their only exposure under federal antitrust laws. Health insurance and health industry market participants that engage in anticompetitive conduct or business transactions also risk investigation and prosecution under federal antitrust laws by the U.S. Department of Justice, the Federal Trade Commission and state regulators or attorneys general.

Market participants and others with health or health insurance industry market competitiveness concerns or interests should register and attend the September 8, 2022 Justice Department Health Industry Antitrust Enforcement Update to learn about key federal antitrust statutes regulating or prohibiting anticompetitive conduct and business transactions and hear how the Department of Justice uses these laws to promote market competition in the health care and health insurance marketplaces.

Hosted by the American Bar Association Joint Committee on Employee Benefits, the webinar will feature a discussion by U.S. Department of Justice Civil Division Healthcare and Consumer Products Section Antitrust Attorney Natalie Melada of basic federal antitrust rules and principles the Justice Department relies upon to safeguard market competitiveness and discusses selected Justice Department antitrust litigation and other compliance and enforcement initiatives the Department of Justice has undertaken to protect competition in the healthcare industry. Attorney and Solutions Law Press, Inc. editor and author Cynthia Marcotte Stamer also will provide an update on the In re: Blue Cross Blue Shield Antitrust Litigation and resulting $2.67 billion settlement approved August 9.

For more details and to register for the program, see here.

More Information

We hope this update is helpful. For more information about the these or other health or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297

Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and following and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.  

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

A Fellow in the American College of Employee Benefit Counsel, Vice Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on health and managed care industry legal, public policy and operational concerns. 

Ms. Stamer’s work throughout her 30 plus year career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. Her experience includes substantial work, publications and presentations on health care, health and managed care, employee plan and purchasing groups, noncompetition and other antitrust compliance concerns.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here.  

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access of this publication. 

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2022 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™

Comments Off on Join 9/8 JCEB Webex To Learn About DOJ Federal Antitrust Health Industry Market Competition Enforcement & Latest On $2.67 Billion BCBS Class Action Antitrust Settlement | Antitrust, Brokers, Corporate Compliance, Employers, ERISA, Federal Sentencing Guidelines, health Care, health insurance, health insurance marketplace, Health Plans, Insurance, Non-Competition Agreement, Public Policy | Tagged: , , , , , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

AHRQ Mental Health Mobile Apps Selection Tips

July 6, 2022

The Agency for Healthcare Research and Quality (AHRQ) issued a brief called “Evaluation of Mental Health Mobile Applications” to help healthcare experts pick out mental health mobile health applications. Along with choosing mental Health applications and other health plan mental health benefit design, plan sponsors, fiduciaries, administrators and insurers also must ensure their overall plan design and all features comply with federal mental health parity mandates.

The report covers three areas: risk and mitigation strategies, functions, and mental health app features.

AHRQ hopes the tips will help providers, patients, and payers in selecting mental health mobile applications and seeking the best fit based on various features.

The report is part of a growing list of resources and enforcement efforts federal and state agencies have initiated over the past year as part of growing concerns about mental health.

Along with educational outreach and tools, the Employee Benefit Security Administration and Department of Health and Human Services also are ratcheting up audits and enforcement of federal mental health parity mandates. Given this heightened scrutiny, employer and other health plan sponsors, fiduciaries, administrators and insurers using mobile applications or other virtual mental health solutions in their health plans should arrange for a compliance review of their health plan compliance with these mandates within the scope of attorney client privilege to mitigate liability risks.

In a recent American Bar Association Joint Committee on Employee Benefits webinar moderated by Cynthia Marcotte Stamer, the EBSA’s Director of Health Plan Compliance and Enforcement Amber Rivers emphasized her agency is prioritizing mental health parity compliance a free recent audits showed widespread noncompliance with the requirement for parity in nonqualitative mental health conditions.

More Information.

For additional information about the requirements or concerns discussed in this article, republication or other related matters, please contact the author, employment lawyer Cynthia Marcotte Stamer via e-mail, via telephone at (214) 452 -8297 or on LinkedIn.

Solutions Law Press, Inc. invites you to receive future updates by registering here and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: Erisa & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for management work, coaching, teachings, and publications.

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, well-known for her extensive work with health and other employee benefits, health care and life sciences, insurance, financial services, technology, and other highly regulated and performance reliant organizations and their leadership, Ms. Stamer works with these and other businesses and their management, employee benefit plans, insurers, health care and life sciences, governments and other organizations deal with all aspects of health care, human resources and workforce, internal controls and regulatory compliance, change management and other performance and operations management and compliance. Her day-to-day work encompasses both labor and employment issues, as well as independent contractor, outsourcing, employee leasing, management services and other nontraditional service relationships. She supports her clients both on a real-time, “on demand” basis and with longer term basis to deal with all aspects for workforce and human resources management, including, recruitment, hiring, firing, compensation and benefits, promotion, discipline, Form I-9 and other compliance, trade secret and confidentiality, noncompetition, privacy and data security, safety, daily performance and operations management, internal controls, emerging crises, strategic planning, process improvement and change management, investigations, defending litigation, audits, investigations or other enforcement challenges, government affairs and public policy. her more than 30 years’ of experience encompasses domestic and international businesses of all types and sizes.

Ms. Stamer also shares her thought leadership, experience and advocacy on these and other concerns by her service as a practicing attorney, as well as as an industry, policy management consultant, and policy strategist as well through her leadership participation in professional and civic organizations. Examples of her many leadership involvements include service as the Vice President and Executive Director of the North Texas Healthcare Compliance Association; Executive Director of the Coalition on Responsible Health Policy and its PROJECT COPE: Coalition on Patient Empowerment; Vice Chair of the ABA International Law Section Life Sciences and Health Committee; Vice Chair of the ABA Tort & Insurance Practice Section Medicine and Law Committee and former Vice Chair of its Employee Benefits Committee and its Worker’s Compensation Commitee; Past Chair of the ABA Health Law Section Managed Care & Insurance Section; ABA Real Property Probate and Trust (RPTE) Section former Employee Benefits Group Chair, current Welfare Committee Co-Chair and past RPTE Representative to ABA Joint Committee on Employee Benefits Council Representative, and Defined Contribution Committee Co-Chair, past Welfare Benefit Committee Chair and current Employee Benefits Group Fiduciary Responsibility Committee Co-Chair, Substantive and Group Committee member, Membership Committee member and RPTE Representative to the ABA Health Law Coordinating Council; past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee; a former member of the Board of Directors, Treasurer, Member and Continuing Education Chair of the Southwest Benefits Association; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children; former Gulf Coast TEGE Council Exempt Organization Coordinator; a founding Board Member and past President of the Alliance for Healthcare Excellence; former board member and Vice President of the Managed Care Association; past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; a member and policy adviser to the National Physicians’ Council for Healthcare Policy and others.

Ms. Stamer also is a widely published author, highly popular lecturer, and serial symposia chair, who publishes and speaks extensively on human resources, labor and employment, employee benefits, compensation, occupational safety and health, and other leadership, performance, regulatory and operational risk management, public policy and community service concerns for the American Bar Association, ALI-ABA, American Health Lawyers, Society of Human Resources Professionals, the Southwest Benefits Association, the Society of Employee Benefits Administrators, the American Law Institute, Lexis-Nexis, Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, the HCCA, ISSA, HIMSS, Modern Healthcare, Managed Healthcare, Institute of Internal Auditors, Society of CPAs, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other symposia and publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, InsuranceThoughtLeadership.com and many other prominent publications and speaks and conducts training for a broad range of professional organizations and for clients on the Advisory Boards of InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources at SolutionsLawPress.com including the following:

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The presenter and the program sponsor disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2022 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions  Law Press, Inc.™   For information about republication, please contact the author directly.  All other rights reserved.

Comments Off on AHRQ Mental Health Mobile Apps Selection Tips | ACA, Association Health Plan, Data Breach, Data Security, Employee Benefits, Employer, Employers, ERISA, fiduciary duty, Fiduciary Responsibility, Government Accountability, government employer, government plan, group health plan, health benefit, Health Benefits, health Care, health insurance, health insurance marketplace, health plan, Health Plans, health reform, HIPAA, Joint Employer, Protected Health Information, self insured health plan, tpa | Permalink
Posted by Cynthia Marcotte Stamer

« Previous Entries