Health Plans |

Medical Clinic Co-Founder Sentencing & New Charges Filed Against Substance Abuse Clinic Operator Highlight Threat Health Plans Face From Health Plan Fraud Scammers

March 3, 2023

The U.S. District Court for the Western District of Kentucky ordered the co-founder of a that Yesdel Acosta Perez to time served of 14 months in prison and to pay $258,507 in restitution for his role in causing health care clinics he cofounded to bill 15 self-funded health plans for $4.7 million in medical services never provided. The conviction reminds health plans, health care providers and others that fraudulently billing self-insured or other private health plans can result in criminal conviction punishable as felony under multiple provisions of the United States Criminal Code. Acosta Perez’ sentencing coincides with the Justice Department’s announcement of its March 2, 2023 filing of similar criminal charges against the operator of a chain of substance abuse clinics and others for their alleged involvement in millions of dollars of false charges billed to private health plans, Medicare and Medicaid for substance abuse addition treatment not provided.

The conviction and sentencing of Acosta Perez and the newly announced charges against operators of a chain of addiction treatment clinics in Massachusetts and Rhode Island and others for alleged ahealth care fraud aggravated identity theft, money laundering and obstruction in relation to alleged billing of millions of dollars of false charges to private health plans, Medicare and Medicaid for substance abuse treatment by clinics highlight the continuing threat fraudulent actors present for self-insured and other private health plans, Medicare and Medicaid, as well as the potential criminal prosecution and consequences those individuals convicted of these crimes risk from their criminal activity.

Acosta Perez Conviction & Sentencing

The co-founder of Romero Rehabilitation Physical Therapy Inc. and Empire USA Inc. in Louisville and Imaging Group Center Inc. in Atlanta plead guilty to one count of conspiracy to commit healthcare fraud in February, 2023, after the U.S. Department of Labor found the operators collected $258,000 from 15 self-funded healthcare benefit programs for services they never provided based on fraudulent claims made between 2016 and 2018.

In June, 2018, a federal grand jury indicted Acosta Perez and fellow co-founder Eduardo Chinea-Martinez and others on multiple counts of Health Care Fraud in violation of 18 U.S.C. §1347, Theft from a Health Care Benefit Program in violation of 18 U.S.C. §669, Aggravated Identity Theft in violation of 18 U.S 8 U.S.C. §1028A, Money Laundering in violation of 18 U,S,C. §1956, Mail Fraud in violation of 18 U.S.C Chapter 63 and aiding and abetting in the commission of these violations under 18 U.S.C. §1349. billing various healthcare benefit programs through claims administrators Humana, CIGNA and United Healthcare for $4.7 million for services never provided. The U.S. Criminal Code authorized potential sentences of between 10 to 20 years of imprisonment as well as subjected charged defendants to asset forfeiture upon conviction.

The grand jury inditement and subsequent prosecution of Acosta Perz and a fellow co-founder resulted from an Employee Benefit Security Benefit Administration investigation that found that, between May 2015 and January 2016, Acosta Perez and Eduardo Chinea-Martinez co-founded three companies to intentionally defraud various healthcare benefit programs. Investigators also determined Acosta Perez opened bank accounts for the fictitious businesses at JPMorgan Chase Bank, Wells Fargo Bank and Bank of America. Acosta Perez and Chinea-Martinez. The indictment charges that Acosta Perez and Chinea-Martinez misappropriated and used patients’ names, dates of birth, insurance/policy numbers, addresses, and patient IDs/Social Security Numbers, without the patients’ knowledge and names and National Provider Numbers (“NPIs”) from uninvolved doctors without the doctors’ knowledge to create claims for payment by representing these uninvolved doctors and clinics allegedly ordered or performed the services in the false and fraudulent billings submitted by defendants for payment to submit fraudulent claims. The fraudulent claims directed the plans to send payment for the billed services to a Regus virtual office location in Louisville, Kentucky. Acosta Perez then directed Regus via email to forward all mail to Romero Rehabilitation Physical Therapy. According to the indictment, using this process to submit claims for payment for the fraudulent services, Chinea-Martinez and Acosta Perez billed approximately $4,700,000 in fraudulent medical services to the self-insured plans and received payment for $258,000.

In March 2020, the court sentenced Chinea-Martinez to 42 months in prison and three years of supervised release for his part in the scheme. However, before his in June 2018, Acosta Perez fled the U.S. On July 22, 2022, however, the Italian government granted the request of the U.S. for the extradition of Acosta Perez and surrendered him to U.S. authorities. Acosta-Perez was arrested in June 2022.

New Health Care Fraud Charges Against Rhode Island and Massachusetts Addiction Treatment Chain Operators

Acosta-Perez’s sentencing coincides with the Justice Department’s March 2, 2023 announcement of its filing of a host of similar charges in Rhode Island against the operator of a chain of addiction treatment clinics and others for alleged aggravated identity theft, money laundering and obstruction in relation to theft of the identities and other patient and provider information and using their information to file false charges billed to private health plans, Medicare and Medicaid for substance abuse treatment by clinics.

Michael Brier, Mi Ok Bruining and Recovery Connections Centers of America, Inc. (RCCA) are charged in a federal criminal complaint with health care fraud and Michael Brier also is charged with aggravated identity theft, money laundering and obstruction. In addition, the treatment center and its former supervisory counselor were also charged with health care fraud. The Justice Department announcement of these charges reminds readers that its federal criminal complaint is merely an accusation and that the defendants are presumed innocent unless and until proven guilty.

The Justice Department alleges in court documents that, Brier, Bruining, and RCCA shortchanged Rhode Island and Massachusetts substance abuse disorder patients out of much needed counseling and treatment services, while defrauding Medicare, Medicaid, and other health insurers out of millions of dollars.

According to the charging documents, Brier, Bruining and RCCA operated a chain of addiction treatment centers but failed to provide the patients with the required counseling sessions and treatment, while simultaneous billing Medicare, Medicaid and other health care payors for 45-minute counseling sessions on a routine basis even though the sessions were not more than 15 minutes, and often only 5-10 minutes or less. At times, so many counseling sessions were billed at this level that the total amount of time would be impossible for the available therapist to have provided in any 24 hours period.

Brier and RCCA are also alleged to have caused a fraudulent application to be submitted to Medicare which, among other things, misrepresented and concealed the role that Brier was playing in the business and failed to disclose Brier’s 2013 criminal conviction for federal tax crimes, which was relevant to Medicare’s consideration of the application.

The Complaint also alleges that Brier purported to practice medicine and wrote and caused to be filled fraudulent prescriptions using the names and prescriber information, including Drug Enforcement Administration numbers, of doctors without their permission.

Brier is also alleged to have falsified a document in a matter within the jurisdiction of an agency of the United States by causing the Medical Director to sign a false and back-dated document.

The complaint alleges that defendants caused millions of dollars in fraudulent billings to be submitted to Medicare and millions more in fraudulent billings to other health care payors. The government is also seeking to forfeit thirteen bank accounts, two buildings, and two vehicles allegedly realized by the defendants as a result of the alleged criminal conduct.

The two prosecutions highlight the continuing challenge health plans and other health care payers face from fraudulent claims submitted by criminal actors intent on deliberately defrauding health plans through schemes to knowingly defraud plans by creating and filing false claims. Health plans and their fiduciaries and administrators should be vigilant in their efforts to identify and protect their health benefit programs against these schemes and if victimized or presented with evidence of these schemes, should work with experienced legal counsel to prudently investigate these concerns and report relevant findings to the EBSA, the Department of Justice Health Care Fraud Task Force or both.

More Information

We hope this update is helpful. For more information about the these or other health or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.

Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

A Fellow in the American College of Employee Benefit Counsel, Vice Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, Ms. Stamer’s work throughout her 35 year career has focused heavily on working with employer and other staffing and workforce organizations, health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. As an ongoing component of this work, she regularly advises, represents and defends businesses on FLSA, CAS, SCA, Davis-Bacon, Equal Pay Act and other wage and hour, compensation and benefit and other Human Resources, Guideline Program and other compliance, risk management and other internal and external controls in a wide range of areas and has published and spoken extensively on these concerns.

Ms. Stamer also is widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on workforce, compensation, and other operations, risk management, compliance and regulatory and public affairs concerns.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here.

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving, and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

Comments Off on Medical Clinic Co-Founder Sentencing & New Charges Filed Against Substance Abuse Clinic Operator Highlight Threat Health Plans Face From Health Plan Fraud Scammers | Claims, Claims Administration, Corporate Compliance, ERISA, Health Care Fraud, Health Plans | Permalink
Posted by Cynthia Marcotte Stamer

Updated Form 5500s and Instructions Released

February 24, 2023

The U.S. Department of Labor Employee Benefits Security Administration, the Internal Revenue Service (“IRS”) and the Pension Benefit Guaranty Corporation (“PBGC”) announcing changes to the 2023 Form 5500 Annual Return/Report of Employee Benefit Plan and Form 5500-SF Short Form in February 23.

The “Phase III” announcement released this week are set forth in the following:

Notice of Final Form Revisions, available at https://www.federalregister.gov/documents/2023/02/24/2023-02653/annual-information-returnreports
Notice of Final Rulemaking, available at https://www.federalregister.gov/documents/2023/02/24/2023-02652/annual-reporting-and-disclosure
Fact Sheet, available at https://www.dol.gov/agencies/EBSA/about-ebsa/our-activities/resource-center/fact-sheets/changes-for-the-2023-form-5500-and-form-5500-sf-annual-return-reports

The Phase III announcement implements the third and final phase of implementation of a September, 2021 regulatory proposal, which included changes related to provisions in the Setting Every Community Up for Retirement Enforcement Act, commonly known as the SECURE Act, which affected annual reporting requirements under the Employee Retirement Income Security Act and the Internal Revenue Code.

The first two phases of implementation included publication of Federal Register notices in December 2021 for Phase I and May 2022 for Phase II, respectively, to adopt changes for the 2021 and 2022 Form 5500 Returns/Reports.

The Phase III announcement features a Notice of Final Forms Revisions from the EBSA, IRS and PBGC for the 2023 plan year forms and instructions and a Notice of Final Rulemaking by the department that makes corresponding changes to annual reporting regulations under Title I of ERISA.

The 2023 plan year reports – which generally will be filed beginning in July 2024 for calendar year plans – include the following changes:

A consolidated Form 5500 reporting option for certain groups of defined contribution retirement plans, improved reporting by pooled employer plans and other multiple employer plans.
A change in the participant-counting methodology for determining eligibility for simplified reporting alternatives available to “small plans,” which are generally plans with fewer than 100 participants.
A breakout of reporting on administrative expenses paid by the plan on the plan’s financial statements.
Further improvements in financial and funding reporting by PBGC-covered defined benefit plans.
The addition of selected Internal Revenue Code compliance questions to improve tax oversight and compliance of tax-qualified retirement plans.
Technical and conforming changes as part of the annual rollover of forms and instructions.

Additionally, technical adjustments were made to the Federal Register notices to address certain provisions in SECURE Act 2.0 of 2022 on Code section 403(b) multiple employer plans, including pooled employer plans, minimum required distributions and audit requirements for plans in defined contribution group reporting arrangements.

The Federal Register notices, Document #2023-02653 for the Notice of Final Forms Revision and Document #2023-02652 for Notice of Final Rulemaking, also include appendices that describe the changes to the forms and instructions as well as a regulatory impact and paperwork burden analyses. A more detailed summary of the annual reporting changes is included in a fact sheet posted on the department’s website today. Mock-ups of the forms and instructions will be available at reginfo.gov as part of the Paperwork Reduction Act clearance process. The release of “for information-only” copies of the forms and instructions will happen later in 2023.

More Information

When investigating and responding to a violation, it is critically important to document the timing and details of the discovery of a potentially concern

About the Author

A Fellow in the American College of Employee Benefit Counsel, Vice Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, Ms. Stamer’s work throughout her 35 year career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. As an ongoing component of this work, she regularly advises, represents and defends businesses on Guideline Program and other compliance, risk management and other internal and external controls in a wide range of areas and has published and spoken extensively on these concerns.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Comments Off on Updated Form 5500s and Instructions Released | compliance, Corporate Compliance, Defined Benefit Plans, Defined Contribution Plans, EBSA, Emploeyrs, employee, Employee Benefits, Employer, Employers, ERISA, ESOP, Form 5500, health plan, Health Plans, multiple employer plan (Meps), Retirement Plans, Retirements, third party administrators | Permalink
Posted by Cynthia Marcotte Stamer

$1.25 Million Cybersecurity Breach Settlement & Other Heightening Enforcement Warn Health Plans & Others To Fix Cybersecurity

February 4, 2023

Phoenix-based nonprofit health system Banner Health and its affiliates (“Banner Health”) paid $1.25 million and agreed to take corrective actions to resolve its exposure to potentially much greater Health Insurance Portability and Accountability Act (HIPAA) Security Rule civil monetary penalty exposure for a 2016 cyber hacking breach that compromised the person health information of 2.81 million consumers. OCR used its February 2 announcement of the Banner Health settlement to warn health plans, health care providers, health care clearing houses (“covered entities”) and business associates covered by HIPAA to guard their own system containing protected health information against breach by cyber hacking even as the Department of Labor and other agencies are stepping up their cybersecurity rules, oversight and enforcement.

Banner Health Settlement

Banner Health is one of the largest non-profit health systems in the country, with over 50,000 employees and operating in six states. Banner Health is the largest employer in Arizona, and one of the largest in northern Colorado.

In November 2016, OCR initiated an investigation of Banner Health following the receipt of a breach report stating that a threat actor had gained unauthorized access to electronic protected health information, potentially affecting millions. The hacker accessed protected health information that included patient names, physician names, dates of birth, addresses, Social Security numbers, clinical details, dates of service, claims information, lab results, medications, diagnoses and conditions, and health insurance information.

OCR’s investigation found evidence of long term, pervasive noncompliance with the HIPAA Security Rule across Banner Health’s organization, a serious concern given the size of this covered entity. Organizations must be proactive in their efforts to regularly monitor system activity for hacking incidents and have measures in place to sufficiently safeguard patient information from risk across their entire network.

The potential violations specifically include: the lack of an analysis to determine risks and vulnerabilities to electronic protected health information across the organization, insufficient monitoring of its health information systems’ activity to protect against a cyber-attack, failure to implement an authentication process to safeguard its electronic protected health information, and failure to have security measures in place to protect electronic protected health information from unauthorized access when it was being transmitted electronically.

Under the Resolution Agreement and Corrective Action Plan negotiated to resolve these potential violations, Banner Health paid $1,250,000 to OCR. Banner Health also agreed to implement a corrective action plan, which identifies steps Banner Health will take to resolve these potential violations of the HIPAA Security Rule and protect the security of electronic patient health information that will be monitored for two years by OCR to ensure compliance with the HIPAA Security Rule. Under the corrective action plan, Banner has agreed to take the following steps:

Conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic patient/system data across the organization
Develop and implement a risk management plan to address identified risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI
Develop, implement, and distribute policies and procedures for a risk analysis and risk management plan, the regular review of activity within their information systems, an authentication process to provide safeguards to data and records, and security measures to protect electronic protected health information from unauthorized access when it is being transmitted electronically, and
Report to HHS within thirty (30) days when workforce members fail to comply with the HIPAA Security Rule.

OCR Warns Other HIPAA-Covered Entities

In the health care sector, hacking is now the greatest threat to the privacy and security of protected health information. OCR’sannouncement of the serrlement reports 74 percent (74%) of the breaches reported to OCR in 2021 involved hacking/IT incidents.

The announcement also notes OCR offers an array of resources to help health care organizations bolster their cybersecurity posture and comply with the HIPAA Rules,

The settlement and OCR’s announcement warn other covered entities and business associates to use these and other necessary resources to protect their systems with protected health information from cyber hacking and other breaches.

In conjunction with reminding other covered entities of these resources, the settlement announcement quotes OCR Director Melanie Fontes Rainer as warning, ‘Hackers continue to threaten the privacy and security of patient information held by health care organizations, including our nation’s hospitals, … It is imperative that hospitals and other covered entities and business associates be vigilant in taking robust steps to protect their systems, data, and records, and this begins with understanding their risks, and taking action to prevent, respond to and combat such cyber-attacks. … Cyber security is on all of us, and we must take steps to protect our health care systems from these attacks.”

OCR’s enforcement record confirms these are not idyl threats. Breaches of the Security or Breach Notification Rules often result in significant civil monetary penalty assessments or negotiated settlements to mitigate civil liability exposures arising out of such breaches. See e.g., Clinical Laboratory Pays $25,000 To Settle Potential HIPAA Security Rule Violations (May 25, 2021); Health Insurer Pays $5.1 Million to Settle Data Breach Affecting Over 9.3 Million People (January 15, 2021); Aetna Pays $1,000,000 to Settle Three HIPAA Breaches(October 28, 2020); Health Insurer Pays $6.85 Million to Settle Data Breach Affecting Over 10.4 Million People (September 25, 2020); HIPAA Business Associate Pays $2.3 Million to Settle Breach Affecting Protected Health Information of Over 6 million Individual – (September 23, 2020); Lifespan Pays $1,040,000 to OCR to Settle Unencrypted Stolen Laptop Breach (July 27, 2020); Small Health Care Provider Fails to Implement Multiple HIPAA Security Rule Requirements (July 23, 2020).

Alerts issued by OCR regarding heightened security risks in recent months and a growing tide of highly publicized breaches send a strong warning to other covered entities and their business associates to reconfirm the adequacy of their own HIPAA privacy, security, breach notification and other procedures and protections by among other things:

Reviewing and monitoring on a documented, ongoing basis the adequacy and susceptibilities of existing practices, policies, safeguards of their own organizations, as well as their business associates and their vendors within the scope of attorney-client privilege taking into consideration data available from OCR, data regarding known or potential susceptibilities within their own operations as well as in the media, and other developments to determine if additional steps are necessary or advisable.
Updating policies, privacy and other notices, practices, procedures, training and other practices as needed to promote compliance and defensibility.
Renegotiating and enhancing service provider agreements to detail the specific compliance, audit, oversight and reporting rights, workforce and vendor credentialing and access control, indemnification, insurance, cooperation and other rights and responsibilities of all entities and individuals that use, access or disclose, or provide systems, software or other services or tools that could impact on security; to clarify the respective rights, procedures and responsibilities of each party in regards to compliance audits, investigation, breach reporting, and mitigation; and other relevant matters.
Verifying and tightening technological and other tracking, documentation and safeguards and controls to the use, access and disclosure of protected health information and systems.
Conducting well-documented training as necessary to ensure that members of the workforce of each covered entity and business associate understand and are prepared to comply with the expanded requirements of HIPAA, understand their responsibilities and appropriate procedures for reporting and investigating potential breaches or other compliance concerns, and understand as well as are prepared to follow appropriate procedures for reporting and responding to suspected
violations or other indicia of potential security concerns.
Tracking and reviewing on a systemized, well-documented basis actual and near miss security threats to evaluate, document decision-making and make timely adjustments to policies, practices, training, safeguards and other compliance components as necessary to identify and resolve risks.
Establishing and providing well-documented monitoring of compliance that includes board level oversight and reporting at least quarterly and sooner in response to potential threat indicators.
Establishing and providing well-documented timely investigation and redress of reported
violations or other compliance concerns.
Establishing contingency plans for responding in the event of a breach.
Establishing a well-documented process for monitoring and updating policies, practices and other efforts in response to changes in risks, practices and requirements.
Preparing and maintaining a well-documented record of compliance, risk, investigation and other security activities.
Pursuing other appropriate strategies to enhance the covered entity’s ability to demonstrate its compliance commitment both on paper and in operation.

Because susceptibilities in systems, software and other vendors of business associates, covered entities and their business associates should use care to assess and manage business associate and other vendor associated risks and compliance as well as tighten business associate and other service agreements to promote the improved cooperation, coordination, management and oversight required to comply with the new breach notification and other HIPAA requirements by specifically mapping out these details.

Beyond these HIPAA exposures, breaches and other HIPAA noncompliance carries other liability risks. Leaders of covered entities or their business associates also are cautioned that while HIPAA itself does not generally create any private right of action for victims of breach under HIPAA, breaches may create substantial liability for their organizations or increasingly, organizational leaders. For instance, the Department of Health & Human Services has warned health care providers participating in Medicare or other federal programs and Medicare Advantage health plans that HIPAA compliance is a program term of participation.

Health care providers and health insurers can face liability under state data privacy and breach, negligence or other statutory or common laws. In addition, physicians and other licensed parties may face professional discipline or other professional liability for breaches violating statutory or ethical standards.

Health plans also face a myriad of other exposures from failing to use appropriate cyber safeguards. Plan fiduciaries of employment based health plans covered by the Employee Retirement Income Security Act (“ERISA”} risk liability under ERISA’s fiduciary responsibility rules. The Department of Labor Employee Benefit Security Administration (“EBSA”) now audits the adequacy of the cybersecurity and other HIPAA compliance of health plans and their third party administrators and other business associates as part of EBSA’s oversight and enforcement of ERISA. Department of Labor Assistant Secretary for EBSA Lisa Gomez confirmed audit and enforcement of cybersecurity obligations is a key priority in EBSA’s current work plan in her February 4, 2023 comments to the American bar Association.

Meanwhile, the Securities and Exchange Commission has indicated that it plans to pursue enforcement against leaders of public health care or other public companies that fail to use appropriate care to ensure their organizations comply with privacy and data security obligations.

Furthermore, appropriate cyber security practices also may be advisable elements for organizations to include in their Federal Sentencing Guideline Compliance Programs to mitigate potential organization liability risks under federal electronic crime and related laws.

In the face of these risks and warnings, all covered entities and their business associates should reassess and confirm the adequacy of their and their business associates’ cyber security defenses and breach response preparations.