Mental Health |

$1.25 Million Cybersecurity Breach Settlement & Other Heightening Enforcement Warn Health Plans & Others To Fix Cybersecurity

February 4, 2023

Phoenix-based nonprofit health system Banner Health and its affiliates (“Banner Health”) paid $1.25 million and agreed to take corrective actions to resolve its exposure to potentially much greater Health Insurance Portability and Accountability Act (HIPAA) Security Rule civil monetary penalty exposure for a 2016 cyber hacking breach that compromised the person health information of 2.81 million consumers. OCR used its February 2 announcement of the Banner Health settlement to warn health plans, health care providers, health care clearing houses (“covered entities”) and business associates covered by HIPAA to guard their own system containing protected health information against breach by cyber hacking even as the Department of Labor and other agencies are stepping up their cybersecurity rules, oversight and enforcement.

Banner Health Settlement

Banner Health is one of the largest non-profit health systems in the country, with over 50,000 employees and operating in six states. Banner Health is the largest employer in Arizona, and one of the largest in northern Colorado.

In November 2016, OCR initiated an investigation of Banner Health following the receipt of a breach report stating that a threat actor had gained unauthorized access to electronic protected health information, potentially affecting millions. The hacker accessed protected health information that included patient names, physician names, dates of birth, addresses, Social Security numbers, clinical details, dates of service, claims information, lab results, medications, diagnoses and conditions, and health insurance information.

OCR’s investigation found evidence of long term, pervasive noncompliance with the HIPAA Security Rule across Banner Health’s organization, a serious concern given the size of this covered entity. Organizations must be proactive in their efforts to regularly monitor system activity for hacking incidents and have measures in place to sufficiently safeguard patient information from risk across their entire network.

The potential violations specifically include: the lack of an analysis to determine risks and vulnerabilities to electronic protected health information across the organization, insufficient monitoring of its health information systems’ activity to protect against a cyber-attack, failure to implement an authentication process to safeguard its electronic protected health information, and failure to have security measures in place to protect electronic protected health information from unauthorized access when it was being transmitted electronically.

Under the Resolution Agreement and Corrective Action Plan negotiated to resolve these potential violations, Banner Health paid $1,250,000 to OCR. Banner Health also agreed to implement a corrective action plan, which identifies steps Banner Health will take to resolve these potential violations of the HIPAA Security Rule and protect the security of electronic patient health information that will be monitored for two years by OCR to ensure compliance with the HIPAA Security Rule. Under the corrective action plan, Banner has agreed to take the following steps:

Conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic patient/system data across the organization
Develop and implement a risk management plan to address identified risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI
Develop, implement, and distribute policies and procedures for a risk analysis and risk management plan, the regular review of activity within their information systems, an authentication process to provide safeguards to data and records, and security measures to protect electronic protected health information from unauthorized access when it is being transmitted electronically, and
Report to HHS within thirty (30) days when workforce members fail to comply with the HIPAA Security Rule.

OCR Warns Other HIPAA-Covered Entities

In the health care sector, hacking is now the greatest threat to the privacy and security of protected health information. OCR’sannouncement of the serrlement reports 74 percent (74%) of the breaches reported to OCR in 2021 involved hacking/IT incidents.

The announcement also notes OCR offers an array of resources to help health care organizations bolster their cybersecurity posture and comply with the HIPAA Rules,

The settlement and OCR’s announcement warn other covered entities and business associates to use these and other necessary resources to protect their systems with protected health information from cyber hacking and other breaches.

In conjunction with reminding other covered entities of these resources, the settlement announcement quotes OCR Director Melanie Fontes Rainer as warning, ‘Hackers continue to threaten the privacy and security of patient information held by health care organizations, including our nation’s hospitals, … It is imperative that hospitals and other covered entities and business associates be vigilant in taking robust steps to protect their systems, data, and records, and this begins with understanding their risks, and taking action to prevent, respond to and combat such cyber-attacks. … Cyber security is on all of us, and we must take steps to protect our health care systems from these attacks.”

OCR’s enforcement record confirms these are not idyl threats. Breaches of the Security or Breach Notification Rules often result in significant civil monetary penalty assessments or negotiated settlements to mitigate civil liability exposures arising out of such breaches. See e.g., Clinical Laboratory Pays $25,000 To Settle Potential HIPAA Security Rule Violations (May 25, 2021); Health Insurer Pays $5.1 Million to Settle Data Breach Affecting Over 9.3 Million People (January 15, 2021); Aetna Pays $1,000,000 to Settle Three HIPAA Breaches(October 28, 2020); Health Insurer Pays $6.85 Million to Settle Data Breach Affecting Over 10.4 Million People (September 25, 2020); HIPAA Business Associate Pays $2.3 Million to Settle Breach Affecting Protected Health Information of Over 6 million Individual – (September 23, 2020); Lifespan Pays $1,040,000 to OCR to Settle Unencrypted Stolen Laptop Breach (July 27, 2020); Small Health Care Provider Fails to Implement Multiple HIPAA Security Rule Requirements (July 23, 2020).

Alerts issued by OCR regarding heightened security risks in recent months and a growing tide of highly publicized breaches send a strong warning to other covered entities and their business associates to reconfirm the adequacy of their own HIPAA privacy, security, breach notification and other procedures and protections by among other things:

Reviewing and monitoring on a documented, ongoing basis the adequacy and susceptibilities of existing practices, policies, safeguards of their own organizations, as well as their business associates and their vendors within the scope of attorney-client privilege taking into consideration data available from OCR, data regarding known or potential susceptibilities within their own operations as well as in the media, and other developments to determine if additional steps are necessary or advisable.
Updating policies, privacy and other notices, practices, procedures, training and other practices as needed to promote compliance and defensibility.
Renegotiating and enhancing service provider agreements to detail the specific compliance, audit, oversight and reporting rights, workforce and vendor credentialing and access control, indemnification, insurance, cooperation and other rights and responsibilities of all entities and individuals that use, access or disclose, or provide systems, software or other services or tools that could impact on security; to clarify the respective rights, procedures and responsibilities of each party in regards to compliance audits, investigation, breach reporting, and mitigation; and other relevant matters.
Verifying and tightening technological and other tracking, documentation and safeguards and controls to the use, access and disclosure of protected health information and systems.
Conducting well-documented training as necessary to ensure that members of the workforce of each covered entity and business associate understand and are prepared to comply with the expanded requirements of HIPAA, understand their responsibilities and appropriate procedures for reporting and investigating potential breaches or other compliance concerns, and understand as well as are prepared to follow appropriate procedures for reporting and responding to suspected
violations or other indicia of potential security concerns.
Tracking and reviewing on a systemized, well-documented basis actual and near miss security threats to evaluate, document decision-making and make timely adjustments to policies, practices, training, safeguards and other compliance components as necessary to identify and resolve risks.
Establishing and providing well-documented monitoring of compliance that includes board level oversight and reporting at least quarterly and sooner in response to potential threat indicators.
Establishing and providing well-documented timely investigation and redress of reported
violations or other compliance concerns.
Establishing contingency plans for responding in the event of a breach.
Establishing a well-documented process for monitoring and updating policies, practices and other efforts in response to changes in risks, practices and requirements.
Preparing and maintaining a well-documented record of compliance, risk, investigation and other security activities.
Pursuing other appropriate strategies to enhance the covered entity’s ability to demonstrate its compliance commitment both on paper and in operation.

Because susceptibilities in systems, software and other vendors of business associates, covered entities and their business associates should use care to assess and manage business associate and other vendor associated risks and compliance as well as tighten business associate and other service agreements to promote the improved cooperation, coordination, management and oversight required to comply with the new breach notification and other HIPAA requirements by specifically mapping out these details.

Beyond these HIPAA exposures, breaches and other HIPAA noncompliance carries other liability risks. Leaders of covered entities or their business associates also are cautioned that while HIPAA itself does not generally create any private right of action for victims of breach under HIPAA, breaches may create substantial liability for their organizations or increasingly, organizational leaders. For instance, the Department of Health & Human Services has warned health care providers participating in Medicare or other federal programs and Medicare Advantage health plans that HIPAA compliance is a program term of participation.

Health care providers and health insurers can face liability under state data privacy and breach, negligence or other statutory or common laws. In addition, physicians and other licensed parties may face professional discipline or other professional liability for breaches violating statutory or ethical standards.

Health plans also face a myriad of other exposures from failing to use appropriate cyber safeguards. Plan fiduciaries of employment based health plans covered by the Employee Retirement Income Security Act (“ERISA”} risk liability under ERISA’s fiduciary responsibility rules. The Department of Labor Employee Benefit Security Administration (“EBSA”) now audits the adequacy of the cybersecurity and other HIPAA compliance of health plans and their third party administrators and other business associates as part of EBSA’s oversight and enforcement of ERISA. Department of Labor Assistant Secretary for EBSA Lisa Gomez confirmed audit and enforcement of cybersecurity obligations is a key priority in EBSA’s current work plan in her February 4, 2023 comments to the American bar Association.

Meanwhile, the Securities and Exchange Commission has indicated that it plans to pursue enforcement against leaders of public health care or other public companies that fail to use appropriate care to ensure their organizations comply with privacy and data security obligations.

Furthermore, appropriate cyber security practices also may be advisable elements for organizations to include in their Federal Sentencing Guideline Compliance Programs to mitigate potential organization liability risks under federal electronic crime and related laws.

In the face of these risks and warnings, all covered entities and their business associates should reassess and confirm the adequacy of their and their business associates’ cyber security defenses and breach response preparations.

More Information

We hope this update is helpful. For more information about the these or other health or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.

Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

A Fellow in the American College of Employee Benefit Counsel, Vice Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on health, health plan and managed care industry legal, public policy and operational concerns.

Ms. Stamer’s work throughout her 35 year career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. As an ongoing component of this work, she regularly advises, represents and defends HIPAA covered entities, business associates and other organizations on HIPAA and other cyber, privacy and data security concerns and has published and spoken extensively on these concerns.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here.

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

Comments Off on $1.25 Million Cybersecurity Breach Settlement & Other Heightening Enforcement Warn Health Plans & Others To Fix Cybersecurity | Association Health Plan, Civil Monetary Penalties, Corporate Compliance, Cybercrime, Cybersecurity, Data Breach, Data Security, Electronic Medical Record, Emploeyrs, employee, Employee Benefits, Employer, Employers, Federal Sentencing Guidelines, FTC, Government Contractors, government employer, group health plan, health benefit, Health Benefits, health Care, Health Care Fraud, Health IT, health plan, Health Plans, HIPAA, HR, Human Resources, insurers, Internal Controls, Internal Investigations, Managed Care, Mental Health, pbm, Personal Health Records, Personal Health Recordss, pharmacy, Physician, Plan Admistrator, PPO, Professional Liability, Protected Health Information, Provider, provider contracting, Retaliation | Permalink
Posted by Cynthia Marcotte Stamer

Attorney Filer of ADA Lawsuits Pleads Guilty to Filing False Tax Returns For Not Reporting Disability Lawsuit Settlement Income

November 29, 2022

A California attorney known for his filing of thousands of disability discrimination lawsuits under the Americans with Disabilities Act of 1990 (“ADA”) with himself as the plaintiff plead guilty November 29 to filing a false tax return on which he underreported the income he earned from many of those lawsuits. Aside from the enjoyment many businesses victimized by the defendant’s or other similar disability lawsuits may experience over seeing the defendant get his own comeuppance, the prosecution and the plea also provide important reminders for businesses paying ADA or other settlements to applicants or former employees.

According to court documents and statements made in court, Scott Norris Johnson owned and operated Disabled Access Prevents Injury Inc (DAPI), a legal services corporation. A quadriplegic and an attorney, Johnson filed more than 4,000 lawsuits in the Eastern District of California and elsewhere under the ADA and related California statutes, naming himself as the plaintiff against businesses he claimed were not in compliance with state and federal disability access laws first using DAPI, and later a law firm,

Under the Small Business Job Protection Act of 1996, payments related to lawsuit settlements or awards are taxable unless paid on account of personal physical injury or physical sickness. Johnson, who worked as an attorney at the Internal Revenue Service (“IRS”) earlier in his career, was required to report the taxable portion of the lawsuit settlements and awards he received. He nonetheless intentionally underreported this income on his 2012, 2013, and 2014 tax returns. By understating the lawsuit settlements and awards, Johnson and DAPI paid little to no income tax for tax years 2012, 2013 and 2014. Johnson caused a loss to the IRS of more than $250,000.

Johnson is scheduled to be sentenced on March 7, 2023, and faces a maximum penalty of three years in prison for filing a false tax return. He also faces also faces a period of supervised release, restitution, and monetary penalties. A federal district court judge will determine any sentence after considering the U.S. Sentencing Guidelines and other statutory factors.

The prosecution and subsequent plea highlight the taxability of disability and certain other settlements and the willingness of the Justice Department and IRS to prosecute individuals and businesses failing to fulfill obligations to recognize and report those payments as income for federal tax purposes.

Businesses and their legal counsel entering into settlements or otherwise making payments to employees or applicants under the ADA or other taxable settlements generally should use care to properly report taxable amounts as income to the recipient. For payments made pursuant to a settlement agreement, the settlement agreement generally should provide both that the employer is authorized to deduct and withhold amounts the employer believes may be due from the employee for taxes as well as obligate the employee to report and pay any additional taxes due on the payment.

Obviously, the business also needs to ensure it properly reports and pays its required share of any employment taxes on the payments. Employees should confirm the current tax rules prior to making any agreement or payment to avoid mistakes.

Businesses also should keep in mind many other developments could impact the interpretation and enforcement of settlements and their resulting responsibilities. Changes to trade secret, noncompete, arbitration, voluntariness and other requirements for release of claims, arbitration, scope of release and other developments could materially affect the effectiveness of previously used settlement language. Wise business leaders will seek qualified legal advice and assistance with their settlements.

For Help With Comments, Investigations Or Other Needs

If your organization would like to learn more about the concerns discussed in this update or seeks assistance auditing, updating, administering or defending its human resources, compensation, benefits, corporate ethics and compliance practices, or other performance related concerns, please contact management attorney and consultant Cynthia Marcotte Stamer.

An attorney Board Certified in Labor & Employment Law by Texas Board of Legal Specialization, Ms. Stamer is recognized for work helping organizations management people, operations and risk as a Fellow in the American College of Employee Benefit Counsel, a “Top Woman Lawyer,” “Top Rated Lawyer,” and “LEGAL LEADER™” in Labor and Employment Law and Health Care Law; a “Best Lawyers” in “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law.”

For 35 years, Ms. Stamer’s work has focused on advising and assisting businesses and business leaders with these and other employment and other staffing, employee benefit, compensation, risk, performance and compliance management and other operational solutions and concerns. Her experience includes helping management both manage performance and manage legal risk and compliance. While helping businesses define and manage the conduct and performance of their employees, contractors and vendors, she also assists employers and others about compliance with federal and state equal employment opportunity, compensation, health and other employee benefit, workplace safety, leave, and other labor and employment laws, advises and defends businesses against labor and employment, employee benefit, compensation, fraud and other regulatory compliance and other related audits, investigations and litigation, charges, audits, claims and investigations by the IRS, Department of Labor, Department of Justice, SEC, Federal Trade Commission, HUD, HHS, DOD, Departments of Insurance, and other federal and state regulators. Ms. Stamer also speaks, coaches management and publishes extensively on these and other related matters. For additional information about Ms. Stamer and her experience or to access other publications by Ms. Stamer see hereor contact Ms. Stamer directly.

Other Helpful Resources & Information

If you found this article of interest, you also may be interested in reviewing other Breaking News, articles and other resources available including:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. For important information concerning this communication click here. If you do not wish to receive these updates in the future, unsubscribe by updating your profile here.

NOTICE: These materials are for general informational and educational purposes only. They do not establish an attorney-client relationship, are not legal advice, a substitute for legal advice, an offer or commitment to provide legal advice or an admission. The information and statements in these materials may not address all relevant issues or apply to any situation or circumstances. The author reserves the right to qualify or retract any of these statements at any time. and does not necessarily address all relevant issues. Because the law evolves and in ways that subsequent developments could impact the currency and completeness of this discussion. The author disclaims and has no responsibility to provide any update or otherwise notify anyone any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstance at any time. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access of this publication. Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein. ©2022 Cynthia Marcotte Stamer. Nonexclusive right to republish granted to Solutions Law Press, Inc. All rights reserved.

Comments Off on Attorney Filer of ADA Lawsuits Pleads Guilty to Filing False Tax Returns For Not Reporting Disability Lawsuit Settlement Income | ADA, Corporate Compliance, Employer, Employers, government employer, health Care, Health Plans, Mental Health, Mental Health Parity, Public Policy | Tagged: ADA, Employment Tax, settlement agreements, Tax Fraud | Permalink
Posted by Cynthia Marcotte Stamer

Proposed Changes To Substance Abuse Confidentiality Rules Could Create New Burdens For Employers & Health Plans

November 28, 2022

January 30 Deadline To Comment On HHS’ Proposed Changes To Substance Use Confidentiality Rules

Employers, their health plans and issuers, substance abuse, mental health and other healthcare providers, health care professional associations, consumer advocates, community organizations, state and local government entities, patients and caregivers and others concerned with mental health and substance abuse treatment and management should review and comment by January 30, 2023 on proposed changes to rules on unauthorized disclosures the Confidentiality of Substance Use Disorder (SUD) Patient Records under 42 CFR part 2 (“Part 2”) proposed by the U.S. Health and Human Services Department Office for Civil Rights (OCR) and the Substance Abuse and Mental Health Services Administration (SAMHSA) in a Notice of Proposed Rulemaking (NPRM) made public November 28, 2022 here and scheduled for publication in the December 2, 2022 Federal Register. In addition to obvious implications for health care providers and health plans, the proposed changes are likely to impact both the confidentiality requirements for employer-sponsored and other health benefit programs, as well as the ability and responsibilities of businesses seeking to access or use information about prior substance use and abuse in their workplaces or for other legitimate purposes.

Proposed Changes To Substance Abuse Confidentiality Rules

On November 28, 2022, OCR and SAMHSA issued the NPRM to revise the Confidentiality of Substance Use Disorder Patient Records regulations at 42 CFR part 2 (“Part 2”), which seek to address concerns that concerns about discrimination or prosecution might deter people from entering treatment for SUD by protecting “records of the identity, diagnosis, prognosis, or treatment of any patient which are maintained in connection with the performance of any program or activity relating to substance abuse education prevention, training, treatment, rehabilitation, or research, which is conducted, regulated, or directly or indirectly assisted by any department or agency of the United States.”(“SUD Records”).

Currently, the Part 2 protections of patient privacy and records concerning treatment related to substance use challenges from unauthorized disclosures differ from the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Breach Notification, and Enforcement Rules (“HIPAA”) rules. These distinctions reportedly create barriers to information sharing by patients and among health care providers and create dual obligations and compliance challenges for regulated entities. To address this concern, Congress mandated in Section 3221 of the Coronavirus Aid, Relief, and Economic Security Act (CARES Act) that HHS to bring Part 2 into greater alignment with certain aspects of the HIPAA Privacy rule.

The NPRM seeks to address the CARES Act mandate as Americans and their leaders struggle to continue to provide pathways for victims of substance abuse and other mental health challenges to pursue treatment and maximize their participation and enjoyment in our communities while addressing safety concerns about a growing series of rare but notorious acts of violence committed by certain inadequately diagnosed or managed victims of mental health or substance abuse. See, e.g., Fact Sheet: President Biden To Announce Strategy To Address Our National Mental Health Crisis, As Part Of Unity Agenda In His First State Of The Union; President Biden Releases National Drug Control Strategy to Save Lives, Expand Treatment, and Disrupt Trafficking; Actions Taken by the Biden-⁠Harris Administration to Address Addiction and the Overdose Epidemic; Colorado Springs LGBT Nightclub Shooting Leaves Five Dead and 25 Injured; Virginia Walmart Shooting Gunman “Was Picking People Out,” Witness Says; Opinion: Leaders Blamed the Uvalde Shooting on a Mental Health Crisis. Gun Violence Is Making That Crisis Worse; Nancy Pelosi Husband Attack Suspect David Depape Pleads Not Guilty To Federal Charges.

Amid these challenges, the NPRM proposes to implement this CARES Act mandate through the following changes to Part 2 that HHS says will help safeguard the health and outcomes of individuals with SUD while creating greater flexibility for information sharing envisioned by Congress in its passage of Section 3221 of the CARES Act:

Permit Part 2 programs to use and disclose Part 2 records based on a single prior consent signed by the patient for all future uses and disclosures for treatment, payment, and health care operations;
Permit the redisclosure of Part 2 records as permitted by the HIPAA Privacy Rule by recipients that are Part 2 programs, HIPAA covered entities, and business associates, with certain exceptions;
Expand prohibitions on the use and disclosure of Part 2 records in civil, criminal, administrative, or legislative proceedings conducted by a federal, state, or local authority against a patient, absent a court order or the consent of the patient;
Create two patient rights under Part 2 that align with individual rights under the HIPAA Privacy Rule:
- Right to an accounting of disclosures; and
- Right to request restrictions on disclosures for treatment, payment, and health care operations;
Require disclosures to the Secretary for enforcement;
Apply HIPAA and HITECH Act civil and criminal penalties to Part 2 violations;
Require Part 2 programs to establish a process to receive complaints of Part 2 violations;
Prohibit Part 2 programs from taking adverse action against patients who file complaints;
Prohibit Part 2 programs from requiring patients to waive the right to file a complaint as a condition of providing treatment, enrollment, payment, or eligibility for services;
Apply the standards in the HITECH Act and the HIPAA Breach Notification Rule to breaches of Part 2 records by Part 2 programs;
Modify the Part 2 confidentiality notice requirements (“Patient Notice”) to align with the HIPAA Notice of Privacy Practices;
Modify the HIPAA Notice of Privacy Practices requirements for covered entities who receive or maintain Part 2 records to include a provision limiting redisclosure of Part 2 records for legal proceedings according to the Part 2 standards; and
Permit investigative agencies to apply for a court order to use or disclose Part 2 records after they unknowingly receive Part 2 records while investigating or prosecuting a Part 2 program, when certain preconditions are met.

While the Department is undertaking this rulemaking, the current Part 2 regulations remain in effect. However, once the comment period ends, the Biden Administration-led HHS is expected to finalize the proposed changes quickly. Consequently, in addition to sharing any concerns or other input about the proposed changes during the comment period, health care providers, health plans, health care clearinghouses, employers, community agencies, state and local governments, patients and other caregivers and other concerned parties also should begin planning and preparing to respond to the anticipated changes in the requirements.

Implications For Businesses & Their Health Plans

Businesses should carefully assess the potential implications of the proposed changes on their worker and vendor credentialing and workplace safety practices as well as their health and other benefit programs. Assuming the changes are adopted in their current form, businesses sponsoring health benefit programs generally, and health care organizations and providers specifically should prepare to modify their HIPAA required notices of privacy practices and associated practices to comply with the proposed updates.

Businesses required to comply with Department of Transportation Drug Free Workplace or other alcohol and substance abuse requirements also should consider the potential implications of the proposed changes on their ability to secure relevant substance abuse treatment and related history. In assessing these implications, businesses also should be cognizant of a new proactivity on behalf of certain uses of drugs by workers in the workplace under the Americans With Disabilities Act (“ADA”). For instance, the EEOC recently has sued Eagle Marine Services Electrical & Refrigeration, LLC for allegedly violating the ADA by refusing to hire or accommodate a worker because he used medication prescribed by his doctor to treat attention deficit hyperactivity disorder (“ADHD”) without making any individual assessment of the worker’s medication use or whether it would affect his ability to safely perform the marine electrician position, and instead relied on general stereotypes about disability and medication use to justify its decision not to hire him. Businesses seeking to investigate or deny employment opportunities to workers based on the worker’s past or current medication use will want to use care to ensure that their practices are tailored to defend against similar challenges.

Health plan sponsors and insurers also should assure their mental health and substance abuse treatment coverage documents and practices are defensible under the latest mental health and substance abuse parity mandates of the Mental Health Parity and Addiction Equity Act (MHPAEA) and coverage requirements of the Patient Protection and Affordable Care Act (“ACA”). Along with a host of statutory changes since the original parity mandates took effect, implementing regulations and guidance about non-qualitative limitations and exclusions and heightened agency enforcement are ramping up enforcement and liability risks. In addition to exposing the health plan administrators and other fiduciaries to potential claims denial or fiduciary responsibility claims brought by participants or beneficiaries, the Department of Labor or both, administrative penalties by the EBSA, or both, the MHPAEA mental health and substance abuse parity rules are among 40 federal mandates that when violated can trigger the automatic $100 per violation per day employer excise tax penalty under Internal Revenue Code Section 6039D. As a consequence, violations of the MHPAEA are particularly risky and potentially expensive for private employers, their health plans and the plan administrators and fiduciaries that administer it.

For Help With Comments, Investigations Or Other Needs

Other Helpful Resources & Information

If you found this article of interest, you also may be interested in reviewing other Breaking News, articles and other resources available including:

Comments Off on Proposed Changes To Substance Abuse Confidentiality Rules Could Create New Burdens For Employers & Health Plans | ADA, Corporate Compliance, Employer, Employers, government employer, health Care, Health Plans, Mental Health, Mental Health Parity, Public Policy | Tagged: Employee Benefits, Employer, ERISA, Health Care, Health Insurance, Health Plans, HIPAA, Human Resources, Mental Health, Privacy, substance abuse | Permalink
Posted by Cynthia Marcotte Stamer

Eased Opiate Prescription Guidelines Could Impact Employers & Health Plans

November 3, 2022

The Centers for Disease Control released updated opiate prescription guidance today, loosening restrictions on prescription of the pain management narcotics under certain conditions.

Ironically the new guidance loosening opiate prescription guidelines comes on the heels of the announcement yesterday of sellements of opiate litigation against CVS and Walgreens brought by multiple states’ seeking to recover states’ costs arising from citizens ‘ addicted to opiates.

Guideline changes are likely to implicate prescribing practices as well as some prescription drug coverages, as well as electronic recordkeeping and prescribing systems.

Among other things, depending on the plan design, the revised restrictions may have implications for prescription drug coverage design and practices. Easing availability even under these new standards also likely will increase access, creating additional concerns for employers and plans about addiction and associated costs. The introduction of potential opportunities for addiction raises particular concerns for health plans and their sponsors because of federal healthcare parity mandates for mental health and substance abuse coverage as well as Biden Administration recently announced expanded expectations of employers to provide accommodation and other changes to welcome individuals impacted by substance-abuse into their workplaces.

Slay tuned for more details about the new guidelines and other health care and life sciences relevant developments.