Businesses Should Confirm Using Benefits, Meeting Mandates Of Special COVID-19 Tax Rules

June 26, 2020

Earlier this week, the Internal Revenue Service (“IRS”) announced that employee benefit plan participants that already took a required minimum distribution (RMD) in 2020 from certain retirement accounts now has the opportunity through August 31, 2020 to roll those funds back into a retirement account following the Coronavirus Aid, Relief, and Economic Security (CARES) Act RMD waiver for 2020.  The announcement of this relief covers one of a long and growing list of special tax and other COVID-19 responsive special rules and requirements that may change requirements, provide special relief or both for businesses and individuals that every business leader and individual should carefully monitor and respond to appropriately.

Retirement Plan Rollover Relief

On July 23, 2020, the IRS announced its extension of the 60-day rollover period for any RMDs already taken this year to August 31, 2020 to give taxpayers time to take advantage of this opportunity in Notice 2020-51 (PDF).  The Notice also answers questions regarding the waiver of RMDs for 2020 under the Coronavirus Aid, Relief, and Economic Security Act, known as the CARES Act.

The CARES Act enabled any taxpayer with an RMD due in 2020 from a defined-contribution retirement plan, including a 401(k) or 403(b) plan, or an IRA, to skip those RMDs this year. This includes anyone who turned age 70 1/2 in 2019 and would have had to take the first RMD by April 1, 2020. This waiver does not apply to defined-benefit plans.

In addition to the rollover opportunity, an IRA owner or beneficiary who has already received a distribution from an IRA of an amount that would have been an RMD in 2020 can repay the distribution to the IRA by August 31, 2020. The notice provides that this repayment is not subject to the one rollover per 12-month period limitation and the restriction on rollovers for inherited IRAs.

The notice provides two sample amendments that employers may adopt to give plan participants and beneficiaries whose RMDs are waived a choice as to whether or not to receive the waived RMD.

Other COVID-19 Tax Rules & Relief

The guidance and relief in Notice 2020-51 highlights only one of a long list of special COVID-19 associated tax rules and relief that could apply to a business, its employees or employee benefit plan participants or both including the following:

Along with these tax rules, businesses and their employees also may be impacted by a broad range of special federal and state labor and employment and other rules adopted in response to the continuing COVID-19 health care emergency and its fallout.  Businesses and their leaders should carefully review and monitor these and other COVID-19 specific rules to ensure that their businesses don’t trigger unanticipated liability by failing to meet critical requirements or to ensure that they take full advantage of all available relief.

More Information

We hope this update is helpful. For more information about the these or other health or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.

Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years legal and operational management work, coaching, public policy and regulatory affairs leadership and advocacy, training and public speaking and publications. As a significant part of her work, Ms. Stamer has worked extensively domestically and internationally on an demand, special project and ongoing basis with health industry, health plan and insurance and other businesses of all types, government and community organizations and their leaders, spoken and published extensively on workforce and other services, compensation and benefits, and related tax; insurance; workers’ compensation and occupational disease; business reengineering, disaster and distress;  and many other management concerns.

Board Certified in Labor and Employment Law By the Texas Board of Legal Specialization, Scribe for the ABA JCEB Annual Agency Meeting with OCR, Vice Chair of the ABA International Section Life Sciences Committee, and the ABA RPTE Employee Benefits & Other Compensation Group and a former Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer has extensive experience advising, representing, defending and training health care providers, health plans and insurers, employers, community organizations and others about HIPAA and other privacy concerns and has published and spoken extensively on these concerns.

Her involvement with HIPAA and other privacy and data concerns has taken place as part of her more than 30 years involvement working with with public and private health industry, health insurance and other employers and organizations of all sizes, employee benefit plans, insurance and financial services, health industry and a broad range of public and private domestic and international business, community and government organizations and leaders on pandemic and other health and safety, workforce and performance preparedness, risks and change management, disaster preparedness and response and other operational and tactical concerns throughout her adult life. A former lead advisor to the Government of Bolivia on its pension  project, Ms. Stamer also has worked internationally and domestically as an advisor to business, community and government leaders on crisis preparedness and response, privacy and data security, workforce, health care and other policy and enforcement, as well as regularly advises and defends organizations about the design, administration and defense of their organizations workforce, employee benefit and compensation, safety, discipline and other management practices and actions.

Ms. Stamer also serves in leadership of a broad range of professional and civic organizations and shares insights and thought leadership through her extensive publications and public speaking. For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here such as:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.  ©2020 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.


Ezekiel Elliott COVID-19 Diagnosis Disclosure Outrage Highlights Need To Handle COVID-19 & Other Medical Information With Care

June 16, 2020

While most COVID-19 test results won’t draw the widespread coverage and public interest that Elliott’s diagnosis did, businesses generally and health care providers, health plans, health care clearinghouses specifically need to recognize that coverage of the Elliott outrage will heighten awareness and therefore their need to properly handle and protect COVID-19 or other infectious disease and other testing, diagnosis, treatment and other medical and disability information collected or encountered in the course of their operation through the current COVID-19 health care emergency and otherwise in their own organizations.

ADA Responsibilities of Employers In Handling Medical Information

Protecting COVID-19 testing and other medical information isn’t just a concern for covered entities and their business associates, however.  Businesses that are not covered entities also generally should use care in their collection, use, protection and disclosure of COVID-19 testing and other medical information to mitigate their potential liability under the disability discrimination requirements of the ADA, the Rehabilitation Act  and other laws.   For instance, along with prohibiting employers covered by the ADA from discriminating against qualified individuals with disabilities and requiring those employers to provide reasonable accommodations to such employees, the ADA also regulates the ability of covered employers to perform or require medical testing and imposes specific medical confidentiality requirements on all covered employers.  See e.g., What You Should Know About COVID-19 and the ADA, the Rehabilitation Act, and Other EEO Laws.

The ADA’s medical confidentiality requirements dictate that covered employers maintain medical information and records about employees and applicants in separate, confidential files.  Covered employers are responsible for maintaining the confidentiality of medical information and records and cannot disclose it without authorization from the subject employee except under the specific conditions allowed by the ADA.

EEOC guidance provided in its publication entitled Pandemic Preparedness in the Workplace and the Americans With Disabilities Act as updated as of March 19, 2020 emphasizes that covered employers remain accountable for complying with the requirements of the ADA and Rehabilitation Act during the current COVID-19 health care emergency and other pandemics.

While the EEOC Technical Assistance Questions and Answers in its publication What You Should Know About COVID-19 and the ADA, the Rehabilitation Act, and Other EEO Laws
Technical Assistance Questions and Answers as updated on June 11, 2020 recognizes temperature checks and certain other COVID-19 inquiries to screen for COVID-19 exposure or infection might be permitted under the safety exception to the ADA during the current COVID-19 health care emergency, that and other EEOC guidance makes clear that covered employers remain responsible for ensuring that the ADA medical confidentiality requirements are met with regarding to testing and related medical information.  As a result, all ADA-covered employers generally and health care employers specifically are urged to use care both in the administration and collection of information regarding COVID-19 testing and diagnosis, and the protection of the confidentiality of COVID-19 and other medical information and records collected in the course of administering employment, safety, medical leave or other absence or other operations throughout the COVID-19 health care emergency.

Added HIPAA & Texas HIPAA Concerns For Health Plans & Other HIPAA Covered Entities

Assuming that the disclosure of Elliott’s information is traced to a testing provider, laboratory or other health care provider, health plan or insurer, health care clearing house subject to HIPAA (“covered entity”), a service provider acting as a business associate to a covered entity, or a member of their workforce, the unauthorized release of Elliott’s test results, that he underwent the testing, or other medical information, Elliott’s complaint about a possible HIPAA violation could be well-founded as both HIPAA and the somewhat broader provisions of the Texas Medical Privacy Act (“Tex-HIPAA”) (hereafter collectively the “HIPAA Laws”) both generally prohibit unauthorized disclosure of protected medical information such as his COVID-19 test or test results to the media.

The COVID-19 test results and of “individually identifiable personal health information” about Elliott and his encounter created, used, access or disclosed by the testing facility or other health care provider, a health plan, health care clearinghouse (“covered entity”) or a member of its workforce or a subcontractor acting as a business associated qualify as “protected health information subject to HIPAA’s privacy, security, breach and privacy rights protections of HIPAA and Tex-HIPAA.

The HIPAA and Tex-HIPAA prohibition against unauthorized disclosure of protected health information to the media stem from the HIPAA Laws’ broader requirement that covered entities and business associates affirmatively safeguard protected health information against unauthorized use, access or disclosure and sweeping prohibition against their disclosing or allowing the disclosure of protected health information without a HIPAA-compliant authorization except under the narrow and specifically delineated exceptions identified in the rule, none of which appear relevant to the media disclosure objected to by Elliott from the currently available public information.

Both HIPAA Laws expressly prohibit unauthorized disclosure of protected health information by covered entities or their business associates except under the specifically detailed conditions specified in one or more exceptions to this general rule.  Assuming all relevant conditions to qualify for the exception are met, HIPAA does allow covered entities and business associates treatment, payment, operations, public health activities or another situation meeting all applicable requirements of an express exception to the HIPAA prohibition against disclosure.

The federal agency primarily responsible for the implementation and enforcement of HIPAA, the Department of Health & Human Services Office of Civil Rights (“OCR”) regulatory guidance and enforcement history clearly communicates OCR’s view that covered entities or business associates violate HIPAA by disclosing protected health information to the media or other third parties without first obtaining a HIPAA-compliant authorization from the subject of the information except under the specific circumstances described in an applicable Privacy Rule exception.

In its May 5, 2020 Guidance on Covered Health Care Providers and Restrictions on Media Access to Protected Health Information about Individuals in Their Facilities (“5/5 Guidance”), for instance, OCR specifically reminded HIPAA covered health care providers that the HIPAA Privacy Rule does not permit them to give media and film crews access to protected health information including access to facilities where patients’ protected health information will be accessible without the patients’ prior authorization. has made clear that testing facilities and other health care providers generally remain accountable for complying with the HIPAA Privacy Rule that prohibits unauthorized use, access or disclosure of test results and other protected health information except   as specifically allowed in the applicable HIPAA Law.

The 5/5 Guidance specifically states, “The COVID-19 public health emergency does not alter the HIPAA Privacy Rule’s existing restrictions on disclosures of protected health information (PHI) to the media.’  Additionally, it states confirmed that even during the current COVID-19 public health emergency, covered health care providers remain required to obtain a valid HIPAA authorization from each patient whose PHI will be accessible to the media before the media is given access to that PHI. In this regard, the 5/5 Guidance states, As explained in prior guidance,1 HIPAA does not permit covered health care providers to give the media, including film crews, access to any areas of their facilities where patients’ PHI will be accessible in any form (e.g., written, electronic, oral, or other visual or audio form), without first obtaining a written HIPAA authorization from each patient whose PHI would be accessible to the media. 2 Additionally, covered health care providers may not require a patient to sign a HIPAA authorization as a condition of receiving treatment.  The guidance clarifies that masking or obscuring patients’ faces or identifying information before broadcasting a recording of a patient is not sufficient, as a valid HIPAA authorization is still required before giving the media such access.  Additionally, the guidance describes reasonable safeguards that should be used to protect the privacy of patients whenever the media is granted access to facilities.

OCR’s positions on disclosures to the media in the 5/5 Guidance reaffirm OCR’s longstanding interpretation and enforcement of HIPAA as prohibiting disclosures of PHI and media access to areas where patients or their protected health information might be visible or accessible is long standing.

In June, 2013, for instance, OCR sent a clear message to covered entities and business associates not to make unconsented disclosures of protected health information to or allow media access to areas where patients or their protected health information could be accessed or observed when it required Shasta Regional Medical Center (SRMC) to pay $275,000 to resolve OCR HIPAA charges stemming from SRMC’s unauthorized disclosure of protected health information to multiple media outlets as part of a public relations effort to mitigate damage from fraud and misconduct allegations made against it by the patient.  See HIPAA Sanctions Triggered From Covered Entity Statements To Media, Workforce.

OCR subsequently reinforced its warning to covered entities and business associates about  unauthorized disclosures of protected health information in a 2016 Frequently Asked Question (Media FAQ) that discussed covered entities HIPAA responsibilities when dealing with the media.  The Media FAQ was issued in conjunction with OCR’s collection of its $2.2 million settlement with New York-Presbyterian Hospital and a series of other settlements totaling $999,000 from three other health care providers accused of violating HIPAA by allowing media personnel into treatment or other areas where patients or patient protected health information was accessible without first obtaining a HIPAA compliant written authorization from each patient or other subject present or whose protected health information otherwise would be accessible to the media.  See $999K Price Hospitals Pay To Settle HIPAA Privacy Charges From Allowing ABC To Film Patients Without Authorization.

In the Media FAQ, OCR stated HIPAA required covered entities to obtain prior written authorization before disclosing protected health information to the media or allowing media to film or access exam rooms or other areas where patients or protected health information could be observed or accessed.  The Media FAQ also stated that masking or blurring the identity of the patient or their specific information was not an adequate substitute for written authorization and that covered entities also were responsible for ensuring that reasonable safeguards were in place to protect against impermissible disclosures or to limit incidental disclosures of other PHI in areas where media is allowed access where prior authorization has not been obtained.  While stressing the importance of compliance with these requirements, however, the Media FAQ clarified that the HIPAA Privacy Rule does not require health care providers to prevent members of the media from entering areas of their facilities that are otherwise generally accessible to the public like public waiting areas or areas where the public enters or exits the facility In addition, the Media FAQ states a health care provider or other Covered Entity also highlighted certain other limited circumstances where HIPAA might allow limited disclosure of protected health information to the media in accordance with specific provisions of the Privacy Rule about an incapacitated patient when in the patient’s best interest; or disclose a patient’s location in the facility and condition in general terms that do not communicate specific medical information about the individual to the media or any other person any person where the individual has not objected to his information being included in the facility directory and the media representative or other person asks for the individual by name.

In the intervening years, OCR periodically has issued additional reminders to covered entities about HIPAA’s general prohibition against unconsented disclosures to the media as well as sanctioned harshly various covered entities for violating these prohibitions.  In 2017, OCR required the largest not-for-profit health system in Southeast Texas, Memorial Hermann Health System (MHHS), to pay OCR $2.4 million to settle charges it violated HIPAA by issuing a press release to the media that shared the name and other protected health information about a patient suspected of using a fraudulent insurance card to obtain care at a clinic without the patient’s prior HIPAA-compliant authorization. While OCR concluded a report made MHHS made to law enforcement about the patient was allowable under the Privacy Rule, OCR found MHHS violated the Privacy Rule by issuing the press release disclosing the patient’s name and other PHI without authorization from the patient and also by failing to timely document the sanctioning of its workforce members for impermissibly disclosing the patient’s information.  See $2.4M HIPAA Settlement Warns Providers About Media Disclosures Of PHI.

While OCR has announced certain temporary enforcement relief from a narrow set of HIPAA requirements during the COVID-19 health care emergency as applied to certain qualifying testing facilities, telemedicine providers and other specific health care providers engaging in certain  types of health care during the COVID-19 health care emergency, OCR consistently has made clear that its COVID-19 HIPAA relief is very limited in scope, applicability and duration and in no way waives the prohibition against unauthorized disclosure to the media or other third parties not generally permitted under HIPAA.  See e.g., 5/5 Guidance; OCR Issues Guidance on How Health Care Providers Can Contact Former COVID-19 Patients About Blood and Plasma Donation Opportunities; OCR Announces Notification of Enforcement Discretion for Community-Based Testing Sites During the COVID-19 Nationwide Public Health EmergencyOCR Announces Notification of Enforcement Discretion to Allow Uses and Disclosures of Protected Health Information by Business Associates for Public Health and Health Oversight Activities During The COVID-19 Nationwide Public Health Emergency; OCR Issues Bulletin on Civil Rights Laws and HIPAA Flexibilities That Apply During the COVID-19 Emergency; OCR Issues Guidance to Help Ensure First Responders and Others Receive Protected Health Information about Individuals Exposed to COVID-19; OCR Issues Guidance on Telehealth Remote Communications Following Its Notification of Enforcement Discretion; OCR Announces Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency.  To the contrary, OCR’s announcement of the 5/5 guidance quotes OCR Director Roger Severino, as stating “Hospitals and health care providers must get authorization from patients before giving the media access to their medical information; obscuring faces after the fact just doesn’t cut it,” Severino added.

Minimize Exposures By Preventing Unauthorized Media & Other Disclosures

Even without Mr. Elliott’s outrage heightening awareness about HIPAA’s prohibitions against unauthorized disclosures of protected health information to the media, the recent warning about HIPAA’s restrictions on media disclosure and access to protected health information and patient treatment areas in OCR’s 5/5 Guidance alone should serve as a strong incentive for covered entities and business associate promptly to reverify that the adequacy of their current policies, practices and training to prevent inappropriate media disclosures of protected health information and otherwise defend their compliance with OCR’s interpretation of HIPAA’s requirements for dealing with the media.  Predictable heightened patient and public awareness and expectations about these and other HIPAA responsibilities fueled by the widespread media coverage of Mr. Elliott’s COVID-19 test results and his outrage about the unauthorized disclosure of his test results makes it more important than ever that health care providers and other covered entities and business associates take steps to prepare to respond to foreseeable complaints and questions by other patients, their families and others.

As part of these efforts, most covered entities and business associates may want to consider, at minimum, reconfirming the adequacy and understanding of their current media and other disclosure policies and practices, as well as sending strategic communications to their business associates and members of their workforce reminding them of the covered entity’s policies regarding media access and disclosures.

As part of these activities, covered entities should consider conducting a well-documented assessment of their current policies, practices and workforce training on disclosure of information to the media and other parties generally, as well as policies on allowing media or other parties to enter, film, photograph or record within their facilities or otherwise disclosing or allowing media access to their facilities.  Along with these efforts, most covered entities also may want to consider also reminding workforce members that their patient privacy responsibilities also requires that they not share or discuss patient protected health information, film, photograph, or otherwise record, patients or areas where patients or patient protected health information is or might be present without prior written consent of the patient and the consent of their organization.

Since covered entities and members of their workforce also are likely to be subject to other statutory, ethical, contractual or other privacy or confidentiality requirements beyond those imposed by the HIPAA Laws such as medical confidentiality duties applicable to physicians and other health care providers under medical ethics, professional licensure or other similar rules, contractual responsibilities, as well as common law or statutory privacy, theft of likeness or other statutory or common law tort claims and exposures.  Covered entities and business associates generally should consider whether other steps are advisable to manage these exposures along with managing their HIPAA Law compliance.

Given the high incidence of COVID-19 exposure and infection within their workplace, covered entities, business associates and other employers should use care fulfill their HIPAA Law relevant employment law confidentiality responsibilities when dealing with testing or other medical information about employees.  In this respect, along with any HIPAA Law obligations that a covered entity or business associate has in handling medical information about a patient who also is an employee or family member of an employee, covered entities also should use care to ensure that medical confidentiality requirements of the Americans With Disabilities Act (“ADA”) and other applicable employment laws are met.

Since this analysis and review in most cases will result in the uncovering or discussion of potentially legally or politically sensitive information, Covered Entities should consider consulting with or engaging experienced legal counsel for assistance in structuring and executing these activities to maximize their ability to claim attorney-client privilege or other evidentiary protections against discovery or disclosure of certain aspects of these activities.

Finally, covered entities should keep in mind that HIPAA and other medical privacy compliance and risk management is an ongoing process requiring constant awareness and diligence.  Consequently, covered entities and business associates also should use care both to monitor OCR and other regulatory and enforcement developments as well as exercise ongoing vigilance to monitor and maintain compliance within their organizations.

More Information

We hope this update is helpful. For more information about the these or other health or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.

Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years legal and operational management work, coaching, public policy and regulatory affairs leadership and advocacy, training and public speaking and publications. As a significant part of her work, Ms. Stamer has worked extensively domestically and internationally on an demand, special project and ongoing basis with health industry, health plan and insurance and other business, government and community organizations and their leaders, spoken and published extensively on HIPAA and other privacy and data security concerns, as well as other health care and health benefits;  human resources, employee benefits and other workforce and services; insurance; workers’ compensation and occupational disease; business reengineering, disaster and distress;  and many other management concerns.

Board Certified in Labor and Employment Law By the Texas Board of Legal Specialization, Scribe for the ABA JCEB Annual Agency Meeting with OCR, Vice Chair of the ABA International Section Life Sciences Committee, and the ABA RPTE Employee Benefits & Other Compensation Group and a former Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer has extensive experience advising, representing, defending and training health care providers, health plans and insurers, employers, community organizations and others about HIPAA and other privacy concerns and has published and spoken extensively on these concerns.

Her involvement with HIPAA and other privacy and data concerns has taken place as part of her more than 30 years involvement working with with public and private health industry, health insurance and other employers and organizations of all sizes, employee benefit plans, insurance and financial services, health industry and a broad range of public and private domestic and international business, community and government organizations and leaders on pandemic and other health and safety, workforce and performance preparedness, risks and change management, disaster preparedness and response and other operational and tactical concerns throughout her adult life. A former lead advisor to the Government of Bolivia on its pension  project, Ms. Stamer also has worked internationally and domestically as an advisor to business, community and government leaders on crisis preparedness and response, privacy and data security, workforce, health care and other policy and enforcement, as well as regularly advises and defends organizations about the design, administration and defense of their organizations workforce, employee benefit and compensation, safety, discipline and other management practices and actions.

Ms. Stamer also serves in leadership of a broad range of professional and civic organizations and shares insights and thought leadership through her extensive publications and public speaking. For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here such as:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.  ©2020 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.


2019 OCR Enforcement Shows Getting Defensibly HIPAA Compliant Necessary In 2020!

January 1, 2020

The $65,000 payment and corrective action plan commitments West Georgia Ambulance, Inc. (“West Georgia”) is making to settle Department of Health & Human Services Office for Civil Rights (“OCR”) charges it recurrently violated the Health Insurance Portability and Accountability Act (“HIPAA”) Security Rule and other 2019 HIPAA enforcement sends a clear warning to other HIPAA-covered health plans, health care providers, health care clearighouses and their business associates (“covered entities”) to maintain and be prepared to defend their own HIPAA compliance.

The Western Georgia Resolution Agreement and Corrective Action Plan (“Resolution Agreement”) OCR announced on December 30, 2019 resolves charges resulting from an OCR investigation initiated in response to a HIPAA breach report the Georgia based ambulance company filed in 2013 in which the company, which provides emergency and non-emergency ambulance services in Carroll County, Georgia,  disclosed the loss of an unencrypted laptop containing the protected health information (PHI) of 500 individuals. The breach occurred when an unencrypted laptop fell off the back bumper of an ambulance. The laptop was not recovered.  West Georgia reported that exactly 500 individuals were affected by the breach.

In the course of its investigation of the breach report, OCR’s investigation uncovered long-standing noncompliance with the HIPAA Rules, including failures to conduct a risk analysis, provide a security awareness and training program, and implement HIPAA Security Rule policies and procedures. Specifically, the Resolution Agreement states that West Georgia:

  • Did not conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of its ePHI. See 45 C.F.R. § 164.308(a)(1)(ii)(A);
  • Failed to have a HIPAA security training program, and failed to provide security training to its employees. See 45 C.F.R. § 164.308(a)(5);
  • Failed to implement Security Rule policies or procedures. See 45 C.F.R. § 164.316; and
  • Despite OCR’s investigation and technical assistance, “did not take meaningful steps to address their systemic failures.”

To resolve its exposure to the substantially higher civil monetary penalties that OCR could impose for violations of this nature, West Georgia agreed to pay a $65,000 resolution payment to OCR and implement and comply with a corrective action plan that in addition to requiring West Georgia to correct the compliance deficiencies, also subjects West Georgia to two years of OCR monitoring and oversight.

The Resolution Agreement and corrective action plan carry a number of important messages for other health care providers and other Covered Entities.  First, the OCR enforcement action against West Georgia coming at the end of yet another heavy HIPAA enforcement year by OCR reminds Covered Entities that OCR is serious about HIPAA enforcement on the heels of its 2018 HIPAA record setting collection of $28.7 million in civil monetary penalties and resolution payments including the single largest individual HIPAA settlement in history of $16 million with Anthem, Inc. See OCR Concludes 2018 with All-Time Record Year for HIPAA Enforcement.  While not topping this record, OCR during 2019 now has collected civil monetary penalties and resolution payments totaling more than $15 million from HIPAA Covered Entities and their business associates including:

Second, the Resolution Agreement and various other smaller settlements during the year show HIPAA compliance and enforcement is a concern for smaller provideres and other covered entities, not juswt the huge ones.  While the $65,000 settlement payment required by the Resolution Agreement is substantially smaller than the amounts of the civil monetary penalties and many of resolution payments OCR collected in its other 2019 enforcement actions, the West Georgia and other 2019 enforcement actions demonstrate the teeth behind the warning in the OCR Press Release announcing the West Georgia Resolution Agreement from OCR Director Roger Severino that“All providers, large and small, need to take their HIPAA obligations seriously.”  With OCR promises to keep up its vigorous investigation and enforcement of the HIPAA requirements, every Covered Entity and business associate should take the necessary steps to verify and maintain their HIPAA compliance and to be prepared to defend their compliance under the Privacy, Security, Breach Notification and HIPAA access and other individual rights mandates of HIPAA.

Third, OCR’s statement in the Resolution Agreement about the failure by West Georgia to meaningfully act to correct compliance deficiencies and cooperate in other corrective action during the period following the breach report highlights the importance for covered entities involved in a breach or other dealings with OCR on a potential compliance concern to behave appropriately to  express and exhibit the necessary concern OCR expects regarding the compliance issue to position themselves to request and receive the clemency OCR is empowered under HIPAA to extend when deciding the sanctions for any noncompliance.

Of course meeting the requirements of HIPAA is not the only concern that covered entities should consider as they review and tightened their HIPAA and other privacy and data security procedures.  Health care providers and other covered entities also should keep in mind their other obligations to protect patient and other confidential information under other federal laws, the requirements of which also are ever-evolving.  For instance, on January 1, 2020 Texas providers like other Texas businesses will become subject to a shortened deadline for providing notice of data breaches under a new law enacted by the Texas Legislature in its last session.  Arrangements should be designed to fulfill all of these requirements as well as any ethical or contractual.

Covered entities also should keep in mind that violations of HIPAA can have implications well beyond HIPAA.ramifications beyond HIPAA itself.  For instance, heath care providers can face disqualification from federal program participation, licensing and ethics discipline and other professional consequences.  Health plans and their fiduciaries also may face Department of Labor and other fiduciary claims, while insurers can face licensing and other regulatory consequences. The Labor Department followed up on previous warnings that health plan fiduciaries duties include a fiduciary duty to protect health plan data by adding HIPAA compliance to certain health plan audits. Insurers, third of art administrators and others also can face duties and liabilities under state insurance and data privacy laws from regulator or private litigant actions.

For More Information

We hope this update is helpful. For more information about this or other labor and employment developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.

Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

Scribe for the ABA JCEB Annual Agency Meeting with the Department of Health & Human Services Office of Civil Rights, Vice Chair of the ABA International Section Life Sciences Committee, past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and the ABA RPTE Employee Benefits & Other Compensation Group, Ms. Stamer has extensive legal, operational, and public policy experience advising and representing health care, health care and other entities about HIPAA and other privacy, data security, confidentiality and other matters.

Ms. Stamer’s work throughout her 30 plus year career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services, public and private primary, secondary, and other educational institutions, and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns.  As a part of this work, she has recurrently worked extensively with public school districts and public and private primary and secondary schools, colleges and universities, academic medical, and other educational institutions, insured and self-insured health plans; domestic and international hospitals, health care systems, clinics, skilled nursing, long term care, rehabilitation and other health care providers and facilities; medical staff, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; EMR, claims, payroll and other technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, employers; and federal and state legislative, regulatory, investigatory and enforcement bodies and agencies on health care, education, and other data privacy, security, use, protection and disclosure; disability and other educational rights; workforce, and a host of other risk management and compliance concerns.

Ms. Stamer is most widely recognized for her decades-long leading edge work, scholarship and thought leadership on health and other privacy and data security and other health industry legal, public policy and operational concerns.  This  involvement encompasses helping health care systems and organizations, group and individual health care providers, health plans and insurers, health IT, life sciences and other health industry clients prevent, investigate, manage and resolve  sexual assault, abuse, harassment and other organizational, provider and employee misconduct and other performance and behavior; manage Section 1557, Civil Rights Act and other discrimination and accommodation, and other regulatory, contractual and other compliance; vendors and suppliers; contracting and other terms of participation, medical billing, reimbursement, claims administration and coordination, Medicare, Medicaid, CHIP, Medicare/Medicaid Advantage, ERISA and other payers and other provider-payer relations, contracting, compliance and enforcement; Form 990 and other nonprofit and tax-exemption; fundraising, investors, joint venture, and other business partners; quality and other performance measurement, management, discipline and reporting; physician and other workforce recruiting, performance management, peer review and other investigations and discipline, wage and hour, payroll, gain-sharing and other pay-for performance and other compensation, training, outsourcing and other human resources and workforce matters; board, medical staff and other governance; strategic planning, process and quality improvement; meaningful use, EMR, HIPAA and other technology,  data security and breach and other health IT and data; STARK, ant kickback, insurance, and other fraud prevention, investigation, defense and enforcement; audits, investigations, and enforcement actions; trade secrets and other intellectual property; crisis preparedness and response; internal, government and third-party licensure, credentialing, accreditation, HCQIA and other peer review and quality reporting, audits, investigations, enforcement and defense; patient relations and care;  internal controls and regulatory compliance; payer-provider, provider-provider, vendor, patient, governmental and community relations; facilities, practice, products and other sales, mergers, acquisitions and other business and commercial transactions; government procurement and contracting; grants; tax-exemption and not-for-profit; privacy and data security; training; risk and change management; regulatory affairs and public policy; process, product and service improvement, development and innovation, and other legal and operational compliance and risk management, government and regulatory affairs and operations concerns. to establish, administer and defend workforce and staffing, quality, and other compliance, risk management and operational practices, policies and actions; comply with requirements; investigate and respond to Board of Medicine, Health, Nursing, Pharmacy, Chiropractic, and other licensing agencies, Department of Aging & Disability, FDA, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; JCHO and other accreditation and quality organizations; private litigation and other federal and state health care industry actions: regulatory and public policy advocacy; training and discipline; enforcement;  and other strategic and operational concerns.

Author of leading works on HIPAA and a multitude of other health care, health plan and other health industry matters, the American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting and a former Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here such as:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc. disclaim, and have no responsibility to provide any update or otherwise notify anyone any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2019 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.


Health Plans Must Share PHI To Apps When Members Request, Responsible For Security On Plan-Sponsored Apps

April 30, 2019

Health plans must deliver electronic protected health information (“ePHI”) to electronic applications or software (“apps”) used by plan members, and are responsible under the Health Insurance Portability & Accountability Act (“HIPAA”) Privacy and Security Rules for the security of electronic protected health information (“ePHI”) on apps they sponsor or provide, according to new guidance from the Department of Health & Human Services (“HHS”) Office of Civil Rights (“OCR”).

With health plans and their sponsors and insurers increasingly offering or promoting the use of apps to plan members members to access, maintain and use their health information, health plans, health care providers, health care clearinghouses and their business associates (“covered entities”) covered by HIPAA must understand and be prepared meet their HIPAA responsibilities to provide and protect ePHI to and on these apps, but may want to rethink sponsoring or providing a particular app for that purpose.

New HIPAA FAQ guidance (the “FAQs”) from OCR that addresses the implications of HIPAA on covered entities responsibility when asked to share or for ePHI shared or stored on apps or application programming interfaces (“APIs”) systems, covered entities have a legal obligation to disclose ePHI to an app when subjects of the ePHI or their personal representatives request such disclosures. However, the FAQs also state a covered entity or its business associates won’t be responsible for the security of the data shared to the app unless it sponsors or provides it. 

pends upon whether the AP or API interface provider is a business associate of the covered entity versus just a third-party provider whose involvement and receipt of the PHI is requested and arranged by the subject of the PHI.

Covered Entities Obligated To Disclose ePHI to Apps Chosen By Individuals

The FAQs make crystal clear that covered entities do not have the option of refusing to share ePHI to an app when requested to do so by the subject of the ePHI or its personal representative. The FAQs states that covered entities cannot refuse to disclose ePHI to an app chosen by an individual because of concerns about how the app will use or disclose the ePHI it receives. In this regard, the FAQs state that the HIPAA Privacy Rule generally prohibits a covered entity from refusing to disclose ePHI to a third-party app designated by the individual if the ePHI is readily producible in the form and format used by the app. See 45 CFR 164.524(a)(1), (c)(2)(ii), (c)(3)(ii).According to the FAQ, the HIPAA Rules do not impose any restrictions on how an individual or the individual’s designee, such as an app, may use the health information that has been disclosed pursuant to the individual’s right of access. For instance, a covered entity is not permitted to deny an individual’s right of access to their ePHI where the individual directs the information to a third-party app because the app will share the individual’s ePHI for research or because the app does not encrypt the individual’s data when at rest.According to the FAQs, the liability a covered entity or business associate bears for sharing ePHI to an App under the HIPAA Privacy, Security, or Breach Notification Rules (HIPAA Rules) depends on the relationship between the covered entity and the app.

Breaches of Health Information Disclosed To An App

If an app that is neither a covered entity nor a business associate of the covered entity under HIPAA receives ePHI at the request of the subject or its personal representative, the FAQ states that the shared ePHI is no longer subject to the protections of the HIPAA Rules. Thus if the individual’s app – chosen by an individual to receive the individual’s requested ePHI – was not provided by or on behalf of the covered entity (and, thus, does not create, receive, transmit, or maintain ePHI on its behalf), the covered entity would not be liable under the HIPAA Rules for any subsequent use or disclosure of the requested ePHI received by the app. For example, the covered entity would have no HIPAA responsibilities or liability if such an app that the individual designated to receive their ePHI later experiences a breach. See also, See also OCR FAQ 2039, “What is the liability of a covered entity in responding to an individual’s access request to send the individual’s PHI to a third party.In contrast, however, the FAQ states that if the app was developed for, or provided by or on behalf of the covered entity – and, thus, creates, receives, maintains, or transmits ePHI on behalf of the covered entity – the covered entity could be liable under the HIPAA Rules for a subsequent impermissible disclosure because of the business associate relationship between the covered entity and the app developer. For example, if the individual selects an app that the covered health care provider uses to provide services to individuals involving ePHI, the FAQs state that the health care provider may be subject to liability under the HIPAA Rules if the app impermissibly discloses the ePHI received.

Transmission of ePHI to App Using Unsecured Method

The FAQs also address the potential exposures of covered entities and their business associates arising from the transmission of ePHI to an App using an unsecure method. According to the FAQs, the access rights HIPAA guarantees to individuals allows an individual to request that a covered entity to direct their ePHI to a third-party app in an unsecure manner or through an unsecure channel. See 45 CFR 164.524(a)(1), (c)(2)(ii), (c)(3)(ii). For instance, an individual may request that their unencrypted ePHI be transmitted to an app as a matter of convenience. The FAQ states that a covered entity that transmits ePHI through an unsecured means under such circumstances would not be responsible for unauthorized access to the individual’s ePHI while in transmission to the app. With respect to such apps, however, the FAQs also suggest that the covered entity may want to consider informing the individual of the potential risks involved the first time that the individual makes the request.

Post Transmission Exposure of Covered Entity’s EHR Systems Developer

The FAQ also discusses the potential exposure of a covered entity’s electronic health record (EHR) system developer under HIPAA after completing the transmission on behalf of a covered entity of ePHI to an app designated by the subject of the ePHI. According to the FAQs, the exposure of the HER system developer depends on the relationship, if any, between the covered entity, the EHR system developer, and the app chosen by the individual to receive the individual’s ePHI. A business associate relationship exists if an entity creates, receives, maintains, or transmits ePHI on behalf of a covered entity (directly or through another business associate) to carry out the covered functions of the covered entity. A business associate relationship exists between an EHR system developer and a covered entity. If the EHR system developer does not own the app, or if it owns the app but does not provide the app to, through, or on behalf of, the covered entity – e.g., if it creates the app and makes it available in an app store as part of a different line of business (and not as part of its business associate relationship with any covered entity) – the EHR system developer would not be liable under the HIPAA Rules for any subsequent use or disclosure of the requested ePHI received by the app.If the EHR system developer owns the app or has a business associate relationship with the app developer, and provides the app to, through or on behalf of, the covered entity (directly or through another business associate), however, the FAQs state the EHR system developer then potentially could face HIPAA liability (as a business associate of a HIPAA covered entity) for any impermissible uses and disclosures of the health information received by the app. For example, if an EHR system developer contracts with the app developer to create the app on behalf of a covered entity and the individual later identifies that app to receive ePHI, then the EHR system developer could be subject to HIPAA liability if the app impermissibly uses or discloses the ePHI received.

Covered Entity’s Duty To Enter Into Business Associate Agreement Depends Upon Relationship

Likewise, the FAQs also state that whether HIPAA requires a a covered entity or its EHR system developer to enter into a business associate agreement with an app designated by the individual in order to transmit ePHI to the app depends upon the relationship between the app developer and the covered entity and/or its EHR system developer. A business associate is a person or entity who creates, receives, maintains or transmits PHI on behalf of (or for the benefit of) a covered entity (directly or through another business associate) to carry out covered functions of the covered entity. An app’s facilitation of access to the individual’s ePHI at the individual’s request alone does not create a business associate relationship. Such facilitation may include API terms of use agreed to by the third-party app (i.e., interoperability arrangements).HIPAA does not require a covered entity or its business associate (e.g., EHR system developer) to enter into a business associate agreement with an app developer that does not create, receive, maintain, or transmit ePHI on behalf of or for the benefit of the covered entity (whether directly or through another business associate).  However if the app was developed to create, receive, maintain, or transmit ePHI on behalf of the covered entity, or was provided by or on behalf of the covered entity (directly or through its EHR system developer as the covered entity’s business associate), then a business associate agreement would be required.

Health Plan & Other Covered Entity Take Aways

The new FAQ raises several action items for health plans, their sponsoring employers or unions, fiduciaries, administrators, brokers and insurers as well as other covered entities.  Among other things, health plans and other covered entities must recognize and be prepared currently to provide PHI to subjects of that information on the apps of the requesting individual’s preference within the time frames dictated by HIPAA.  Health plans and other covered entities need to recognize that the FAQs reflect this is a current, not future responsibility.

Second, health plans, health care providers and others that have or are considering providing apps or other tools to health plan members or patients for use in accessing or using PHI also generally need to recognize that the health plan or health care provider generally will bear responsibility under HIPAA for the adequacy of the security of the apps provided by or on behalf of the health plan or health care provider.  Given the general responsibility to provide PHI to any apps designated by a subject of PHI, many health plans and health care providers may wish to reconsider whether providing or endorsing a particular app continues to make sense taking into account the HIPAA data privacy and security responsibilities and risks attendent to maintaining the security of PHI stored and accessed using those tools.  Those electing to provide apps or other tools need to take steps to ensure the current and future adequacy of the data security of the app and its associated storage and other components including any future modifications to those tools. 

Furthermore,  health plans and other covered entities also should consider the advisability of revising existing notices and authorizations in response to the new FAQs.  For instance, health plans, health  care providers and others supplying PHI to an app designated by the requesting individual may want to consider revising forms to document the direction and consent of the requestor to the electronic delivery of the PHI to the designated app to better position themselves to claim the protection against liability for breaches on these subject designate apps described in the FAQs.  Meanwhile, health plans or other covered entities providing apps also may wish to weigh options for supplementing disclosures to mitigate potential risks from use or failure to upgrade apps that might be viewed as covered entity provided or sponsored.   

Certainly, before sponsoring or allowing a business associate to offer or provide an app or other similar solution, health care providers and other covered entities must ensure that the business associate agreement requirements of HIPAA are met from the app developer and others providing services or the app as business associates to the covered entity.  Covered entities also should take steps to ensure that the interfaces between the apps and other systems are properly secured at the point of implementation and during any subsequent upgrades keeping in mind that OCR guidance expects covered entities to reconfirm security for any system, software or app upgrades.  Meeting this expectation for apps within the possession of patients or plan members can present special challenges requiring careful planning. 

Have questions about the new FAQs or other health care regulatory developments or their implications on your organization, contact the author.  You also are invited to stay abreast of these and other health care developments by participating in our Solutions Law Press, Inc. Linkedin HR & Benefits Update LinkedIn Group or COPE: Coalition On Patient Empowerment Group or Project COPE: Coalition on Patient Empowerment Facebook Page.

 

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: Erisa & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of health industry, health and other benefit and insurance, workforce and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer’s clients include employers and other workforce management organizations; employer, union, association, government and other insured and self-insured health and other employee benefit plan sponsors, benefit plans, fiduciaries, administrators, and other plan vendors;  managed care organizations, insurers, self-insured health plans and other payers and their management; public and private, domestic and international hospitals, health care systems, clinics, skilled nursing, long term care, rehabilitation and other health care providers and facilities; medical staff, health care accreditation, peer review and quality committees and organizations; managed care organizations, insurers, third party administrative services organizations and other payer organizations;  billing, utilization management, management services organizations; group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; claims, billing and other health care and insurance technology and data service organizations; other health, employee benefit, insurance and financial services product and solutions consultants, developers and vendors; and other health, employee benefit, insurance, technology, government and other management clients.

A former lead consultant to the Government of Bolivia on its Pension Privatization Project with extensive domestic and international public policy concerns in pensions, healthcare, workforce, immigration, tax, education and other areas, Ms. Stamer has been extensively involved in U.S. federal, state and local health care and other legislative and regulatory reform impacting these concerns throughout her career. Her public policy and regulatory affairs experience encompassess advising and representing domestic and multinational private sector health, insurance, employee benefit, employer, staffing and other outsourced service providers, and other clients in dealings with Congress, state legislatures, and federal, state and local regulators and government entities, as well as providing advice and input to U.S. and foreign government leaders on these and other policy concerns.

Beyond her public policy and regulatory affairs involvement, Ms. Stamer also has extensive experience helping these and other clients to design, implement, document, administer and defend workforce, employee benefit, insurance and risk management, health and safety, and other programs, products and solutions, and practices; establish and administer compliance and risk management policies; comply with requirements, investigate and respond to government; accreditation and quality organizations; private litigation and other federal and state health care industry investigations and enforcement actions; evaluate and influence legislative and regulatory reforms and other regulatory and public policy advocacy; training and discipline; enforcement, and a host of other related concerns. Ms. Stamer’s experience in these matters includes supporting these organizations and their leaders on both a real-time, “on demand” basis with crisis preparedness, intervention and response as well as consulting and representing clients on ongoing compliance and risk management; plan and program design; vendor and employee credentialing, selection, contracting, performance management and other dealings; strategic planning; policy, program, product and services development and innovation; mergers, acquisitions, and change management; workforce and operations management, and other opportunities and challenges arising in the course of their operations.

Past Chair of the ABA Managed Care & Insurance Interest Group and, a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, heavily involved in health benefit, health care, health, financial and other information technology, data and related process and systems development, policy and operations throughout her career, and scribe of the ABA JCEB annual Office of Civil Rights agency meeting, Ms. Stamer also is widely recognized for her extensive work and leadership on leading edge health care and benefit policy and operational issues. She regularly helps employer and other health benefit plan sponsors and vendors, health industry, insurers, health IT, life sciences and other health and insurance industry clients design, document and enforce plans, practices, policies, systems and solutions; manage regulatory, contractual and other legal and operational compliance; vendors and suppliers; deal with Medicare, Medicaid, CHIP, Medicare/Medicaid Advantage, ERISA, state insurance law and other private payer rules and requirements; contracting; licensing; terms of participation; medical billing, reimbursement, claims administration and coordination, and other provider-payer relations; reporting and disclosure, government investigations and enforcement, privacy and data security; and other compliance and enforcement; Form 990 and other nonprofit and tax-exemption; fundraising, investors, joint venture, and other business partners; quality and other performance measurement, management, discipline and reporting; physician and other workforce recruiting, performance management, peer review and other investigations and discipline, wage and hour, payroll, gain-sharing and other pay-for performance and other compensation, training, outsourcing and other human resources and workforce matters; board, medical staff and other governance; strategic planning, process and quality improvement; HIPAA administrative simplification, meaningful use, EMR, HIPAA and other technology, data security and breach and other health IT and data; STARK, antikickback, insurance, and other fraud prevention, investigation, defense and enforcement; audits, investigations, and enforcement actions; trade secrets and other intellectual property; crisis preparedness and response; internal, government and third-party licensure, credentialing, accreditation, HCQIA, HEDIS and other peer review and quality reporting, audits, investigations, enforcement and defense; patient relations and care; internal controls and regulatory compliance; payer-provider, provider-provider, vendor, patient, governmental and community relations; facilities, practice, products and other sales, mergers, acquisitions and other business and commercial transactions; government procurement and contracting; grants; tax-exemption and not-for-profit; 1557 and other Civil Rights; privacy and data security; training; risk and change management; regulatory affairs and public policy; process, product and service improvement, development and innovation, and other legal and operational compliance and risk management, government and regulatory affairs and operations concerns.

Ms. Stamer has extensive health care reimbursement and insurance experience advising and defending plan sponsors, administrators, insurance and managed care organizations, health care providers, payers, and others about Medicare, Medicaid, Medicare and Medicaid Advantage, Tri-Care, self-insured group, association, individual and employer and association group and other health benefit programs and coverages including but not limited to advising public and private payers about coverage and program design and documentation, advising and defending providers, payers and systems and billing services entities about systems and process design, audits, and other processes; provider credentialing, and contracting; providers and payer billing, reimbursement, claims audits, denials and appeals, coverage coordination, reporting, direct contracting, False Claims Act, Medicare & Medicaid, ERISA, state Prompt Pay, out-of-network and other nonpar insured, and other health care claims, prepayment, post-payment and other coverage, claims denials, appeals, billing and fraud investigations and actions and other reimbursement and payment related investigation, enforcement, litigation and actions. Scribe for the ABA JCEB annual agency meeting with HHS OCR, she also has worked extensively on health and health benefit coding, billing and claims, meaningful use and EMR, billing and reimbursement, quality measurement and reimbursement, HIPAA, FACTA, PCI, trade secret, physician and other medical, workforce, consumer financial and other data confidentiality and privacy, federal and state data security, data breach and mitigation, and other information privacy and data security concerns.

Author of leading works on a multitude of health care, health plan and other health industry matters, the American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting, former Vice President of the North Texas Health Care Compliance Professionals Association, past Chair of the ABA Health Law Section Managed Care & Insurance Section, past ABA JCEB Council Representative and CLE and Marketing Committee Chair, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer’s health industry clients include public health organizations; public and private hospitals, healthcare systems, clinics and other health care facilities; physicians, physician practices, medical staff, and other provider organizations; skilled nursing, long term care, assisted living, home health, ambulatory surgery, dialysis, telemedicine, DME, Pharma, clinics, and other health care providers; billing, management and other administrative services organizations; insured, self-insured, association and other health plans; PPOs, HMOs and other managed care organizations, insurance, claims administration, utilization management, and other health care payers; public and private peer review, quality assurance, accreditation and licensing; technology and other outsourcing; healthcare clearinghouse and other data; research; public and private social and community organizations; real estate, technology, clinical pathways, and other developers; investors, banks and financial institutions; audit, accounting, law firm; consulting; document management and recordkeeping, business associates, vendors, and service providers and other professional and other health industry organizations; academic medicine; trade associations; legislative and other law making bodies and others.

A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, privacy and data security, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns.

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her thought leadership, experience and advocacy on these and other related concerns by her service in the leadership of the Solutions Law Press, Inc. Coalition for Responsible Health Policy, its PROJECT COPE: Coalition on Patient Empowerment, and a broad range of other professional and civic organizations including North Texas Healthcare Compliance Association, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children (now Warren Center For Children); current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, past Representative and chair of various committees of ABA Joint Committee on Employee Benefits; a ABA Health Law Coordinating Council representative, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, a former member of the Board of Directors of the Southwest Benefits Association and others.

For more information about Ms. Stamer or her health industry and other experience and involvements, see here or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources here such as:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advise or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The presenter and the program sponsor disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2019 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.

 


ONC New Emphasis On Health IT Interoperability Promises New Demands & Opportunities

January 8, 2019

Interoperability will be a key priority for the Office of the National Coordinator for Health Information Technology (“ONC”) going forward.

That’s the message in the just released 2018 Report to Congress: Annual Update on the Adoption of a Nationwide System for the Electronic Use and Exchange of Health Information (“Report”).

The planned shift to demand greater interoperability promises to create new demands for employer-sponsored health plans, health insurers and others involved in the healthcare delivery and payment processes. Health plans and their insurers and sponsors should begin preparing for these new demands, as well as to leverage the new opportunities and manage the new risks they will create.

The Report describes barriers, actions taken, and recommendations as well as ONC’s path forward to implement the 21st Century Cures Act.

Under the 21st Century Cures Act, Congress gave HHS authority to enhance innovation, scientific discovery, and expand the access and use of health information through provisions related to:

  • The development and use of upgraded health IT capabilities;
  • Transparent expectations for data sharing, including through open application programming interfaces (APIs); and
  • Improvement of the health IT end user experience, including by reducing administrative burden.

These priorities seek to increase nationwide interoperability of health information and reduce clinician burden..

Current Status

The Report says increases in the adoption of health IT means most Americans receiving health care services now have their health data recorded electronically. However, this information is not always accessible across systems and by all end users—such as patients, health care providers, and payers—in the market in productive ways. For example:

  • Despite the individual right to access health information about themselves established by the HIPAA Privacy Rule, patients often lack access to their own health information, which hinders their ability to manage their health and shop for medical care at lower prices;
  • Health care providers often lack access to patient data at the point of care, particularly when multiple health care providers maintain different pieces of data, own different systems, or use health IT solutions purchased from different developers; and
  • Payers often lack access to clinical data on groups of covered individuals to assess the value of services provided to their customers.
  • The Report says these limitations create several problems, including:
    • Patients should be able to easily and securely access their medical data through their smartphones. Currently, patients electronically access their health information through patient portals that prevent them from easily pulling from multiple sources or health care providers. Patient access to their electronic health information also requires repeated use of logins and manual data updates.
    • For health care providers and payers, interoperable access and exchange of health records is focused on accessing one record at a time.
    • Payers cannot effectively represent their members if they lack computational visibility into which health care providers offer the highest quality care at the lowest cost. Without the capability to access multiple records across a population of patients, health care providers and payers will not benefit from the value of using modern computing solutions—such as machine learning and artificial intelligence—to inform care decisions and identify trends.
    • Payers and employer group health plans which purchase health care have little information on health outcomes. Often, health care providers and payers negotiate contracts based on the health care provider’s reputation rather than on the quality of care that health care provider offers to patients. Health care providers should instead compete based on the entire scope of the quality and value of care they provide, not on how exclusively they can craft their networks. Outcome data will allow payers to apply machine learning and artificial intelligence to have better insight into the value of the care they purchase.
  • Current Barriers
  • According to the Report, HHS heard from stakeholders over the past year that barriers to interoperable access to health information remain, including technical, financial, trust, and business practice barriers. These barriers impede the movement of health information to where it is needed across the care continuum. In addition, burden arising from quality reporting, documentation, administrative, and billing requirements that prescribe how health IT systems are designed also hamper the innovative usability of health IT.
  • Current and Upcoming Actions
  • The Report states HHS has many efforts to help ensure that electronic health information can be shared safely and securely where appropriate to improve the health and care of all Americans.
  • ONC also reports Federal agencies, states, and industry have taken steps to address technical, trust, and financial challenges to interoperable health information access, exchange, and use for patients, health care providers, and payers (including insurers). HHS aims to build on these successes through the ONC Health IT Certification Program, HHS rulemaking, health IT innovation projects, and health IT coordination.
  • In accordance with the Cures Act, HHS is actively leading and coordinating a number of key programs and projects. These include continued work to deter and penalize poor business practices and that HHS conducted multiple outreach efforts to engage the clinical community and health IT stakeholders to better understand these barriers, challenges, and health care provider burden.
  • Recommendations
  • The Report makes the following overarching recommendations for future actions HHS plans to support through its policies and that the health IT community as a whole can take to accelerate progress:
    • Focus on improving interoperability and upgrading technical capabilities of health IT, so patients can securely access, aggregate, and move their health information using their smartphones (or other devices) and health care providers can easily send, receive, and analyze patient data.
      Increase transparency in data sharing practices and strengthen technical capabilities of health IT so payers can access population-level clinical data to promote economic transparency and operational efficiency to lower the cost of care and administrative costs.
      Prioritize improving health IT and reducing documentation burden, time inefficiencies, and hassle for health care providers, so they can focus on their patients rather than their computers.

    The Report also says interoperable access underpins HHS’s efforts to pursue a health care system where data are available when and where needed.

    ONC intends to particularly focus on promoting open APIs. Open APIs are technology that allow one software program to access the services provided by another software program and can improve access and exchange of health information. ONC says APIs can:

    • Support patients’ ability to have more access to information electronically through, for example, smartphones and mobile applications. HHS applauds the emergence of patient-facing applications that allow patients to access, aggregate, and act on their health information; and
    • Allow payers to receive necessary and appropriate information on a group of members without having to access one record at a time.
    • Increase institutional accountability, support value- based care models, and lead to competitive medical care pricing that benefits patients.

    The Report claims patients, health care providers, and payers with appropriate access to health information can use modern computing solutions to generate value from the data. Improved interoperability can strengthen market competition, result in greater quality, safety, and value for the healthcare system, and enable patients, health care providers, and payers to experience the benefits of health IT.

    Prepare For Enhanced Operability Requirements

    ONC’s plan to achieve greater interoperability presents new business and compliance planning opportunities and challenges for health care providers, health insurers and other payers, health data and information technology (IT) providers and others. Among other things, participants in the healthcare system and their suppliers will need to prepare to comply with new expectations and mandates for interoperability. Meeting these demands will require financial expenditures as well as present technological challenges.The increased availability and access to electronica medical records and information resulting from these changes also a can be expected to drive new challenges and demands. Among other things, businesses relying on control of health information or records to influence or control patience, reimbursement, or other business value need to reevaluate and adjust their business models accordingly.

    Improve accessibility and interoperability also is likely to create new expectations and demands by patients, payers, other providers and perhaps most significantly for providers and payers, regulators. Participants in the system will need to understand these applications and prepare to both defend their business performance as well as their compliance taking into account these new demands.

    Amid all of this, of course, providers, pears, and their business associates can anticipate continued if not enhanced demands for enhanced data security and privacy protections and accompanying enforcement of these standards.

    As ONC move forward on its plans to enhance interoperability, all concerned stakeholders will want to monitor developments and provide thoughtful and timely input. The time to get started is now. ONC and it’s sister agency, the Office of Civil Rights currently are inviting public comments about how to achieve these and other health IT and privacy improvements. Those interested in providing input should make sure their comments are submitted by the applicable deadlines next month.

    ONC and it’s sister agency, the Office of Civil Rights currently are inviting public comments about how to achieve these and other health IT and privacy improvements. Read the full Report here and share your input by the specified deadlines.

    About the Author

    Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: Erisa & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of managed care and other health industry, health and other benefit and insurance, workforce and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

    Past Chair of the ABA Managed Care & Insurance Interest Group and, a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer has been continuously involved the design, regulation, administration and defense of managed care and other health and employee benefit, health care, human resources and other staffing and workforce arrangements, contracts, systems, and processes.  As a continuous component of this work, Ms. Stamer has worked closely with these and other clients on the design, development, administration, defense, and breach and data recovery of health care, workforce, insurance and financial services, trade secret and other information technology, data and related process and systems development, policy and operations throughout her career.

    Scribe of the ABA JCEB annual Office of Civil Rights agency meeting, Ms. Stamer also is widely recognized for her extensive work and leadership on leading edge health care and benefit policy and operational issues.

    Ms. Stamer’s clients include employers and other workforce management organizations; employer, union, association, government and other insured and self-insured health and other employee benefit plan sponsors, benefit plans, fiduciaries, administrators, and other plan vendors;  managed care organizations, insurers, self-insured health plans and other payers and their management; public and private, domestic and international hospitals, health care systems, clinics, skilled nursing, long-term care, rehabilitation and other health care providers and facilities; medical staff, health care accreditation, peer review and quality committees and organizations; managed care organizations, insurers, third-party administrative services organizations and other payer organizations; billing, utilization management, management services organizations; group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; claims, billing and other health care and insurance technology and data service organizations; other health, employee benefit, insurance and financial services product and solutions consultants, developers and vendors; and other health, employee benefit, insurance, technology, government and other management clients.

    A former lead consultant to the Government of Bolivia on its Pension Privatization Project with extensive domestic and international public policy concerns in pensions, healthcare, workforce, immigration, tax, education and other areas, Ms. Stamer has been extensively involved in U.S. federal, state and local health care and other legislative and regulatory reform impacting these concerns throughout her career. Her public policy and regulatory affairs experience encompasses advising and representing domestic and multinational private sector health, insurance, employee benefit, employer, staffing and other outsourced service providers, and other clients in dealings with Congress, state legislatures, and federal, state and local regulators and government entities, as well as providing advice and input to U.S. and foreign government leaders on these and other policy concerns.

    Beyond her public policy and regulatory affairs involvement, Ms. Stamer also has extensive experience helping these and other clients to design, implement, document, administer and defend workforce, employee benefit, insurance and risk management, health and safety, and other programs, products and solutions, and practices; establish and administer compliance and risk management policies; comply with requirements, investigate and respond to government; accreditation and quality organizations; private litigation and other federal and state health care industry investigations and enforcement actions; evaluate and influence legislative and regulatory reforms and other regulatory and public policy advocacy; training and discipline; enforcement, and a host of other related concerns. Ms. Stamer’s experience in these matters includes supporting these organizations and their leaders on both a real-time, “on demand” basis with crisis preparedness, intervention and response as well as consulting and representing clients on ongoing compliance and risk management; plan and program design; vendor and employee credentialing, selection, contracting, performance management and other dealings; strategic planning; policy, program, product and services development and innovation; mergers, acquisitions, and change management; workforce and operations management, and other opportunities and challenges arising in the course of their operations.

    Ms. Stamer also has extensive health care reimbursement and insurance experience advising and defending plan sponsors, administrators, insurance and managed care organizations, health care providers, payers, and others about Medicare, Medicaid, Medicare and Medicaid Advantage, Tri-Care, self-insured group, association, individual and employer and association group and other health benefit programs and coverages including but not limited to advising public and private payers about coverage and program design and documentation, advising and defending providers, payers and systems and billing services entities about systems and process design, audits, and other processes; provider credentialing, and contracting; providers and payer billing, reimbursement, claims audits, denials and appeals, coverage coordination, reporting, direct contracting, False Claims Act, Medicare & Medicaid, ERISA, state Prompt Pay, out-of-network and other nonpar insured, and other health care claims, prepayment, post-payment and other coverage, claims denials, appeals, billing and fraud investigations and actions and other reimbursement and payment related investigation, enforcement, litigation and actions. Scribe for the ABA JCEB annual agency meeting with HHS OCR, she also has worked extensively on health and health benefit coding, billing and claims, meaningful use and EMR, billing and reimbursement, quality measurement and reimbursement, HIPAA, FACTA, PCI, trade secret, physician and other medical, workforce, consumer financial and other data confidentiality and privacy, federal and state data security, data breach and mitigation, and other information privacy and data security concerns.

    Author of leading works on a multitude of health care, health plan and other health industry matters, the American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting, former Vice President of the North Texas Health Care Compliance Professionals Association, past Chair of the ABA Health Law Section Managed Care & Insurance Section, past ABA JCEB Council Representative and CLE and Marketing Committee Chair, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer’s health industry clients include public health organizations; public and private hospitals, healthcare systems, clinics and other health care facilities; physicians, physician practices, medical staff, and other provider organizations; skilled nursing, long-term care, assisted living, home health, ambulatory surgery, dialysis, telemedicine, DME, Pharma, clinics, and other health care providers; billing, management and other administrative services organizations; insured, self-insured, association and other health plans; PPOs, HMOs and other managed care organizations, insurance, claims administration, utilization management, and other health care payers; public and private peer review, quality assurance, accreditation and licensing; technology and other outsourcing; healthcare clearinghouse and other data; research; public and private social and community organizations; real estate, technology, clinical pathways, and other developers; investors, banks and financial institutions; audit, accounting, law firm; consulting; document management and recordkeeping, business associates, vendors, and service providers and other professional and other health industry organizations; academic medicine; trade associations; legislative and other law making bodies and others.

    A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about contracting, credentialing and quality assurance,  compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, privacy and data security, and other risk management and operational matters. Author of works on Payer and Provider Contracting and many other managed care concerns, Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns.

    A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her thought leadership, experience and advocacy on these and other related concerns by her service in the leadership of the Solutions Law Press, Inc. Coalition for Responsible Health Policy, its PROJECT COPE: Coalition on Patient Empowerment, and a broad range of other professional and civic organizations including North Texas Healthcare Compliance Association, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children (now Warren Center For Children); current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, past Representative and chair of various committees of ABA Joint Committee on Employee Benefits; an ABA Health Law Coordinating Council representative, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, a former member of the Board of Directors of the Southwest Benefits Association and others.

    For more information about Ms. Stamer or her health industry and other experience and involvements, see here or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

    About Solutions Law Press, Inc.™

    Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources here such as:

    If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

    NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advise or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The presenter and the program sponsor disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

    Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

    ©2019. Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.


    Record $16M Anthem HIPAA Settlement Signals Need to Tighten Your Health Plan HIPAA Compliance & Risk Management

    October 16, 2018

    Health plans, their employer and other sponsors and fiduciaries, health insurers, health care providers, health care clearinghouses and their business associates should study and learn from the just announced, record-setting $16 million resolution agreement between health insurance giant, Anthem, Inc., to resolve Department of Health & Human Services Office of Civil Rights (OCR) charges that Anthem, Inc.’s violations of the Health Insurance Portability & Accountability Act (HIPAA) Privacy and Security Rules exposed the electronic protected health information (ePHI) of almost 79 million people.  In addition to reviewing the adequacy of their own HIPAA privacy and security practices, health plans, their employer and union sponsors and fiduciaries also should consider assessing the advisability of tightening their business associate and other agreements with health insurers, third party administrative services providers and other vendors in light of the resolution agreement and experiences arising out of the Anthem breach to better position themselves to assess and enforce HIPAA compliance, receive notice and respond in the event of an insurer or other vendor breach and mitigate financial costs and liabilities resulting from breaches or other compliance deficiencies.

    Anthem’s Record Setting HIPAA Breach & Resolution Agreement

    The settlement agreement announced October 15, 2018 by OCR requires Anthem, Inc. to pay a $16 million resolution payment to OCR and take a series of corrective actions to resolve HIPAA liabilities to OCR for allowing the largest known U.S. health data breach in history in 2015.  The record $16 million resolution payment eclipses the prior record resolution payment of $5.55 million Memorial Healthcare System (MHS) paid OCR to settle HIPAA charges in 2016. Moreover, the $16 million resolution payment it’s just a small portion of the amount that Anthem has been required to shell out as a consequence of the breach. In addition to the $16 million paid under the OCR resolution agreement, anthem already has paid more than $115 million to settle lawsuits arising out of the breach under other laws.

    An independent licensee of the Blue Cross and Blue Shield Association and one of the nation’s largest health benefits companies, Anthem provides medical care coverage to one in eight Americans through its affiliated health plans.  The breach that resulted in the settlement agreement affected ePHI Anthem maintained for its affiliated health plans including many employer or union sponsored self-insured and insured group health plans and other HIPAA-covered entity health plans.

    On March 13, 2015, Anthem filed a breach report with the HHS Office for Civil Rights  that disclosed that Anthem discovered on January 29, 2015 that cyber-attackers had gained access to and engaged in continuous and targeted cyberattack on Anthem’s IT system for the apparent purpose of extracting data, otherwise known as an advanced persistent threat attack.  After filing its breach report, Anthem discovered cyber-attackers had infiltrated their system through spear phishing emails sent to an Anthem subsidiary after at least one employee responded to the malicious email and opened the door to further attacks. OCR’s investigation revealed that between December 2, 2014 and January 27, 2015, the cyber-attackers stole the ePHI of almost 79 million individuals, including names, social security numbers, medical identification numbers, addresses, dates of birth, email addresses, and employment information.

    In addition to the impermissible disclosure of ePHI, OCR’s investigation revealed that Anthem failed to conduct an enterprise-wide risk analysis, had insufficient procedures to regularly review information system activity, failed to identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent the cyber-attackers from accessing sensitive ePHI, beginning as early as February 18, 2014.

    In addition to the consequences for the millions of individuals whose ePHI was disclosed through the breach, the breach also triggered responsibilities and concerns for fiduciaries and sponsors of the employer and union-sponsored group health plans administered or insured by Anthem.  Sponsors and fiduciaries of private sector employer or union sponsored plans struggled to obtain information and cooperation from Anthem necessary to evaluate and fulfill their health plans’ HIPAA obligations as well as the fiduciary responsibility requirements of the Employee Retirement Income Security Act (ERISA).

    In addition to the $16 million settlement that Anthem is paying to resolve OCR’s HIPAA charges stemming from the breach, the OCR settlement agreement also requires Anthem to undertake a robust corrective action plan to comply with the HIPAA Rules.

    Health Plans, Sponsors, Fiduciaries & Vendors Should Act To Manage Compliance & Risks

    Unquestionably, other health insurers, employer, union and association sponsored group health plans, and their vendors and business associates should evaluate the adequacy and defensibility of their own health plan privacy and security practices in light of the Anthem breach and resolution agreement.  In addition, employer, union or association health plan sponsors, administrative service providers and fiduciaries also should consider the advisability of strengthening their business associate agreements with insurers, third party administrators and other health plan service providers to incorporate safeguards, audit, oversight or other provisions and practices to help prudently monitor potential risks and improve their ability to receive timely notice, respond to, and preserve rights of recourse against insurers or other vendors in the event of a breach or other deficiency.

     

    About The Author

    A practicing attorney and Managing Shareholder of Cynthia Marcotte Stamer, P.C, Cynthia Marcotte Stamer’s more than 30 years’ of leading edge work as an practicing attorney, author, lecturer and industry and policy thought leader have resulted in her recognition as a “Top” attorney in employee benefits, labor and employment and health care law.

    Board certified in labor and employment law by the Texas Board of Legal Specialization, a Fellow in the American College of Employee Benefit Counsel, Scribe for the American Bar Association (ABA) Joint Committee on Employee Benefits (JCEB) Annual Agency Meeting with the Office of Civil Rights and a former JCEB Council Representative; former Chair of the ABA Health Law Section Managed Care & Insurance Interest Group; and past Chair, former Welfare Benefit Committee Co-Chair and current Fiduciary Responsibility Committee Co-Chair of the American Bar Association (ABA) RPTE Section Employee Benefits Group, former Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, Ms. Stamer is recognized nationally and internationally for her practical and creative insights and leadership on HIPAA and other health care, managed care and insurance, and other employee benefit, human resources, and related antitrust, corporate, privacy and data security, tax and other internal controls, regulatory affairs and public policy concerns.

    Ms. Stamer’s legal and management consulting work throughout her career has focused on helping organizations and their management use the law and process to manage people, process, compliance, operations and risk. Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer helps public and private, domestic and international health, insurance and financial security, and other businesses, governments, and other organizations and their leaders manage their employees, vendors and suppliers, and other workforce members, customers and other’ performance, compliance, compensation and benefits, operations, risks and liabilities, as well as to prevent, stabilize and cleanup legal and operational crises large and small that arise in the course of operations.

    In this respect, Ms. Stamer works with businesses and their management, employee benefit plans, governments and other organizations deal with all aspects of human resources and workforce, regulatory compliance and operational and performance management. She supports her clients both on a real time, “on demand” basis and with longer term basis to deal with daily performance management and operations, emerging crises, strategic planning, process improvement and change management, investigations, defending litigation, audits, investigations or other enforcement challenges, government affairs and public policy.

    Well known for her extensive work with health care, insurance and other highly regulated entities on corporate compliance, internal controls and risk management, her clients range from highly regulated entities like employers, contractors and their employee benefit plans, their sponsors, management, administrators, insurers, fiduciaries and advisors, technology and data service providers, health care, managed care and insurance, financial services, government contractors and government entities, as well as retail, manufacturing, construction, consulting and a host of other domestic and international businesses of all types and sizes.

    As a key part of this work, Ms. Stamer uses her deep and highly specialized health, insurance, labor and employment and other knowledge and experience to help health industry, insurance and financial services and other employers and other employee benefit plan sponsors; health, pension and other employee benefit plans, their fiduciaries, administrators and service providers, insurers, and others design legally compliant, effective compliance and internal controls, risk management, human resources and other workforce performance, discipline, compensation, employee benefits and related programs, products and arrangements.

    In the course of this work, Ms. Stamer has accumulated an impressive resume of experience advising and representing clients on HIPAA and other privacy and data security concerns. The scribe for the American Bar Association (ABA) Joint Committee on Employee Benefits annual agency meeting with the Department of Health & Human Services Office of Civil Rights for several years, Ms. Stamer has worked extensively with health plans, health care providers, health care clearinghouses, their business associates, employer and other sponsors, banks and other financial institutions, and others on risk management and compliance with HIPAA and other information privacy and data security rules, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and enforcement, and a host of other related concerns. Her clients include public and private health plans, health insurers, health care providers, banking, technology and other vendors, and others. Beyond advising these and other clients on privacy and data security compliance, risk management, investigations and data breach response and remediation, Ms. Stamer also advises and represents clients on OCR and other HHS, Department of Labor, IRS, FTC, DOD and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. She also is the author of numerous highly acclaimed publications, workshops and tools for HIPAA or other compliance including training programs on Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.

    Ms. Stamer also is deeply involved in helping to influence the health care, workforce, insurance and financial services, employee benefit, privacy and data security and other federal, state and local laws, regulations and enforcement actions. She both helps her clients respond to and resolve emerging regulations and laws, government investigations and enforcement actions and helps them shape the rules through dealings with Congress and other legislatures, regulators and government officials domestically and internationally. A former lead consultant to the Government of Bolivia on its Social Security reform law and most recognized for her leadership on U.S. health and pension, wage and hour, tax, education and immigration policy reform, Ms. Stamer works with U.S. and foreign businesses, governments, trade associations, and others on workforce, social security and severance, health care, immigration, privacy and data security, tax, ethics and other laws and regulations. Founder and Executive Director of the Coalition for Responsible Healthcare Policy and its PROJECT COPE: the Coalition on Patient Empowerment and a Fellow in the American Bar Foundation and State Bar of Texas. She also works as a policy advisor and advocate to health, insurance and financial services, employee benefits and other business, professional and civic organizations.

    Author of the thousands of publications and workshops these and other employment, employee benefits, health care, insurance, workforce and other management matters, Ms. Stamer also is a highly sought out speaker and industry thought leader known for empowering audiences and readers. Ms. Stamer’s insights on employee benefits, insurance, health care and workforce matters in Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, Modern Healthcare, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, InsuranceThoughtLeadership.com and many other prominent publications. Ms. Stamer also regularly serves on the faculty and planning committees for symposia of LexisNexis, the American Bar Association, ALIABA, the Society of Employee Benefits Administrators, the American Law Institute, ISSA, HIMMs, and many other prominent educational and training organizations and conducts training and speaks on these and other management, compliance and public policy concerns.

    Ms. Stamer also has a lifelong history of involvement with and service with a diverse range of professional, community and charitable organizations and causes including as founder and Executive Director of the Coalition for Responsible Health Care Policy and its PROJECT COPE: Coalition for Patient Empowerment; technical advisor to the National Physicians’ Council for Health Care Policy; a founding Board Member and President of the Alliance for Healthcare Excellence and its Patient Empowerment and Health Care Heroes Projects; a Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; the Board President of the early childhood development intervention agency, The Richardson Development Center for Children; a member of the Dallas United Way Long Range Planning Committee; as well as leadership involvement in the ABA Joint Committee on Employee Benefits Council, the North Texas Healthcare Compliance Professionals Association; the ABA RPTE Employee Benefits & Other Compensation Committee, the ABA Health Law Section, the ABA International Section Life Sciences Committee, and the ABA TIPS Employee Benefit Committee; TEGE Coordinator of the Gulf Coast TEGE Council TE Division; Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee; a member of the Board of Directors of the Southwest Benefits Association; Dallas, Regional and State BACPAC Chair of the Texas Association of Business; SHRM Regional Chair and National Advisory Board Chair; WEB Network of Benefits Professionals National and Dallas Boards; as a contributing author and the Advisory Board member of the BNA EBCD CD, InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications and as chair or planning faculty of a multitude of symposia.. For additional information about Ms. Stamer, see www.cynthiastamer.com, or contact Ms. Stamer via email here or via telephone to (214) 452.8297.

    About Solutions Law Press, Inc.™

    Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested reviewing other Solutions Law Press, Inc.™ resources at www.solutionslawpress.com such as:

    If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or updating your profile here.

    ©2018 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.  All other rights reserved.


    Consider Internal Investigation & Defense Costs When Administering Compliance Programs

    December 5, 2017

    The Justice Department’s report Tuesday that the Justice Department spent $3.2 million on Special counsel Robert Mueller’s Russia probe its first four-and-a-half months highlights the importance for leaders accountable for their organizations’s Federal Sentencing Guideline, sexual harassment and other corporate compliance programs to appropriately plan and budget for potential investigation and defense costs as part of their compliance and risk management planning.

    Conducting an internal investigation or defending a government or other allegation of wrongdoing often proves surprisingly expensive. While how much an internal investigation costs can vary widely depending on the issue, its potential civil and criminal liability and public relations implications on the organization and its management, it’s timing, the adequacy of the pre-event compliance management and record keeping relating to the issue, and a host of other concerns, investigation and defense costs often become largely irrelevant when an organization is required to investigate or defend against charges of legal or other business misconduct that expose the organization or its leadership to potentially devastating legal or business consequences. When these events happen, organizations and their leaders often see little option to spend whatever is necessary to defend their organization and its reputation.

    Compared to the reported internal investigation and defense expenditures of private sector organizations that have faced these these make or break investigations, the Justice Department’s reported expenditures to date on the Russian probe look small.

    For instance, Twenty-First Century Fox in March, 2017 Securities and Exchange Commission (SEC) filings disclosed spending $45 million tied to litigation related to harassment allegations in the 9 first three quarters of 2017 and $10 million “related to settlements of pending and potential litigations” during its fiscal third quarter as well as having received investigative inquiries and stockholder demands to inspect the books and records of the company which could lead to future litigation in the aftermath of sexual harassment allegations at Fox News.

    In contrast, Avon Products spent nearly $500 million conducting its internal investigation before paying a $135m fine to the US government to settle charges it violated the Foreign Corrupt Practices Act by giving Chinese authorities $8 million in gifts and cash while it sought to obtain the first “direct sell” license in China.

    These and other publicly disclosed expenditures make clear that corporate officers and directors need to reassess their investment in compliance both to strengthen the effectiveness of their efforts and to plan to deal with the financial, legal, operational and other costs of investigating and defending potential charges.

    Aboaut The Author

    Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: Erisa & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for management work, coaching, teachings, and publications.

    Ms. Stamer works with businesses and their management, employee benefit plans, governments and other organizations deal with all aspects of human resources and workforce, internal controls and regulatory compliance, change management and other performance and operations management and compliance. Her day-to-day work encompasses both labor and employment issues, as well as independent contractor, outsourcing, employee leasing, management services and other nontraditional service relationships. She supports her clients both on a real-time, “on demand” basis and with longer term basis to deal with all aspects for workforce and human resources management, including, recruitment, hiring, firing, compensation and benefits, promotion, discipline, compliance, trade secret and confidentiality, noncompetition, privacy and data security, safety, daily performance and operations management, emerging crises, strategic planning, process improvement and change management, investigations, defending litigation, audits, investigations or other enforcement challenges, government affairs and public policy.

    Well-known for her extensive work with health, insurance, financial services, technology, energy, manufacturing, retail, hospitality, governmental and other highly regulated employers, her nearly 30 years’ of experience encompasses domestic and international businesses of all types and sizes.

    A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her thought leadership, experience and advocacy on these and other concerns by her service as a management consultant,  business coach and consultant and policy strategist as well through her leadership participation in professional and civic organizations such her involvement as the Vice Chair of the North Texas Healthcare Compliance Association; Executive Director of the Coalition on Responsible Health Policy and its PROJECT COPE: Coalition on Patient Empowerment; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children; former Gulf Coast TEGE Council Exempt Organization Coordinator; a founding Board Member and past President of the Alliance for Healthcare Excellence; former board member and Vice President of the Managed Care Association; past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; a member and policy adviser to the National Physicians’ Council for Healthcare Policy; current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee; current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section; Past Chair of the ABA Health Law Section Managed Care & Insurance Section; ABA Real Property Probate and Trust (RPTE) Section former Employee Benefits Group Chair, immediate past RPTE Representative to ABA Joint Committee on Employee Benefits Council Representative, and Defined Contribution Committee Co-Chair, past Welfare Benefit Committee Chair and current Employee Benefits Group Fiduciary Responsibility Committee Co-Chair, Substantive and Group Committee member, Membership Committee member and RPTE Representative to the ABA Health Law Coordinating Council; past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee; a former member of the Board of Directors, Treasurer, Member and Continuing Education Chair of the Southwest Benefits Association and others.

    Ms. Stamer also is a widely published author, highly popular lecturer, and serial symposia chair, who publishes and speaks extensively on human resources, labor and employment, employee benefits, compensation, occupational safety and health, and other leadership, performance, regulatory and operational risk management, public policy and community service concerns for the American Bar Association, ALI-ABA, American Health Lawyers, Society of Human Resources Professionals, the Southwest Benefits Association, the Society of Employee Benefits Administrators, the American Law Institute, Lexis-Nexis, Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, the HCCA, ISSA, HIMSS, Modern Healthcare, Managed Healthcare, Institute of Internal Auditors, Society of CPAs, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other symposia and publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, InsuranceThoughtLeadership.com and many other prominent publications and speaks and conducts training for a broad range of professional organizations and for clients on the Advisory Boards of InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications.

    Want to know more? See here for details about the author of this update, attorney Cynthia Marcotte Stamer, e-mail her here or telephone Ms. Stamer at (469) 767-8872.

    About Solutions Law Press, Inc.™

    Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources at SolutionsLawPress.com such as the following:

    If you or someone else you know would like to receive future updates about developments on these and other concerns, please provide your current contact information and preferences including your preferred e-mail by creating or updating your profile here.

    NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The presenter and the program sponsor disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

    Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

    ©2017 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions  Law Press, Inc.™   For information about republication, please contact the author directly.  All other rights reserved.


    Address Workplace Harassment During October Stop Bullying Month

    October 21, 2017

    This month’s annual October Stop Bullying Month observances are a great time for employers to deter sexual, racial, religious, national Origin, disability discrimination and harassment, retaliation and other illegal or otherwise counterproductive bullying in their workplaces.

    Aside from obvious legal exposures that often attend from many versions of workplaces bullying, unfair or heavy handed tactics of workplace bullies often pervasively disrupt workplace productivity and operations by undermining performance, feedback, initiative, employee retention and a host of other ways.

    Seize the opportunity to boost your organization’s legal and operational exposures non discrimination, anti-harassment, and other workplace bullying policies by leveraging the visibility and resources of this month’s anti-bullying activities.

    Checkout StopBullying.gov for more information and free resources.

    About The Author

    Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: Erisa & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for management work, coaching, teachings, and publications.

    Ms. Stamer works with businesses and their management, employee benefit plans, governments and other organizations deal with all aspects of human resources and workforce, internal controls and regulatory compliance, change management and other performance and operations management and compliance. Her day-to-day work encompasses both labor and employment issues, as well as independent contractor, outsourcing, employee leasing, management services and other nontraditional service relationships. She supports her clients both on a real-time, “on demand” basis and with longer term basis to deal with all aspects for workforce and human resources management, including, recruitment, hiring, firing, compensation and benefits, promotion, discipline, compliance, trade secret and confidentiality, noncompetition, privacy and data security, safety, daily performance and operations management, emerging crises, strategic planning, process improvement and change management, investigations, defending litigation, audits, investigations or other enforcement challenges, government affairs and public policy.

    Well-known for her extensive work with health, insurance, financial services, technology, energy, manufacturing, retail, hospitality, governmental and other highly regulated employers, her nearly 30 years’ of experience encompasses domestic and international businesses of all types and sizes.

    A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her thought leadership, experience and advocacy on these and other concerns by her service as a management consultant,  business coach and consultant and policy strategist as well through her leadership participation in professional and civic organizations such her involvement as the Vice Chair of the North Texas Healthcare Compliance Association; Executive Director of the Coalition on Responsible Health Policy and its PROJECT COPE: Coalition on Patient Empowerment; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children; former Gulf Coast TEGE Council Exempt Organization Coordinator; a founding Board Member and past President of the Alliance for Healthcare Excellence; former board member and Vice President of the Managed Care Association; past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; a member and policy adviser to the National Physicians’ Council for Healthcare Policy; current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee; current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section; Past Chair of the ABA Health Law Section Managed Care & Insurance Section; ABA Real Property Probate and Trust (RPTE) Section former Employee Benefits Group Chair, immediate past RPTE Representative to ABA Joint Committee on Employee Benefits Council Representative, and Defined Contribution Committee Co-Chair, past Welfare Benefit Committee Chair and current Employee Benefits Group Fiduciary Responsibility Committee Co-Chair, Substantive and Group Committee member, Membership Committee member and RPTE Representative to the ABA Health Law Coordinating Council; past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee; a former member of the Board of Directors, Treasurer, Member and Continuing Education Chair of the Southwest Benefits Association and others.

    Ms. Stamer also is a widely published author, highly popular lecturer, and serial symposia chair, who publishes and speaks extensively on human resources, labor and employment, employee benefits, compensation, occupational safety and health, and other leadership, performance, regulatory and operational risk management, public policy and community service concerns for the American Bar Association, ALI-ABA, American Health Lawyers, Society of Human Resources Professionals, the Southwest Benefits Association, the Society of Employee Benefits Administrators, the American Law Institute, Lexis-Nexis, Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, the HCCA, ISSA, HIMSS, Modern Healthcare, Managed Healthcare, Institute of Internal Auditors, Society of CPAs, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other symposia and publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, InsuranceThoughtLeadership.com and many other prominent publications and speaks and conducts training for a broad range of professional organizations and for clients on the Advisory Boards of InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications.

    Want to know more? See here for details about the author of this update, attorney Cynthia Marcotte Stamer, e-mail her here or telephone Ms. Stamer at (469) 767-8872.

    About Solutions Law Press, Inc.™

    Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources at SolutionsLawPress.com such as the following:

    RAISE Act Immigration Reforms Touted As “Giving Americans A Raise”

    Health Clinic At Houston Convention Center, Other HHS Help For Hurricane Harvey Victims

    IRS Updates Amounts Used To Calculate 2017 Obamacare Individual Individual Shares Responsibility Tax Penalties

    DB Plan Sponsors Check Out New Bifurcated Distribution Model Amendmentsy

    U.S. News Names 2017-2018 “Best” Hospitals; Patient Usefulness Starts With Metholodogy Understanding

    Use Lessons Of Past Mistakes or Injustice To Build Better Future

    Prepare For Turnover, Other Challenges From Rising Workforce Competition

    Employers, Health Plans Should Brace For Tightened Federal Mental Health Coverage Mandate Disclosure And Enforcement

    Withholding Calculator Tool Helps Workers Figure Withholding

    Better Preparing U.S. Workers To Fill Your Jobs

    SCOTUS Ruling Bars Many State Arbitration Agreement Restrictions

    $2.4M HIPAA Settlement Message Warns Health Plans & Providers Against Sharing Medical Info With Media, Others

    If you or someone else you know would like to receive future updates about developments on these and other concerns, please provide your current contact information and preferences including your preferred e-mail by creating or updating your profile here.

    NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The presenter and the program sponsor disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

    Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

    ©2017 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions  Law Press, Inc.™   For information about republication, please contact the author directly.  All other rights reserved.


    Dealing With HR, Benefits & Other Headaches From Equifax and Other Data Breach

    October 6, 2017

    As businesses continue to struggle to comply with the growing plethora of federal and state laws mandating data security, the identity theft and cyber security epidemic keeps growing.

    As human resources and other business leaders work to guard their own data and respond to employee demands for assistance in responding to breaches of their personal financial and other data, this weeks’ announcement that embattled credit monitoring giant Equifax has been awarded the exclusive contract to provide taxpayer identification and fraud prevention services to the Internal Revenue Service has many questioning whether these investments are futile.

    The IRS’ announcement comes despite the September 7, 2017 announcement by Equifax of a data breach of its records impacting sensitive personal information of millions of consumers including:

    • The names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers of an estimated 143 million U.S. consumers;
    • Credit card numbers for approximately 209,000 U.S. consumers,
    • Certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers,and
    • Personal information for certain U.K. and Canadian consumers.

    The huge breach already was creating many headaches for many businesses and their human resources departments before the IRS announced the award of the contract to Equifax. Due to the massive size of the breach, mist companies have been required to respond to concerns of workers impacted directly by the breach as well as requests of employees and identity theft protection companies that the business consider offering cybersecurity protection for employees or customers.

    Beyond helping their workforce understand and cope with the news, many businesses and employee benefit plans also face the added headache of needing to investigate and respond to concerns about their own potential responsibilities to provide breach notification or take other actions. This added headache arises due to their or their plans’ use of Equifax or vendors utilizing Equifax to run employee or vendor background checks or carry out internal employee or employee benefit plan, customer or other business activities. These involvements often give rise to duties to conduct investigations and potentially provide notification or other responses to employees, applicants, benefit plan members, contractors or customers whose data may have been impacted under the Fair and Accurate Credit Transactions Act (FACTA), the Health Insurance Portability and Accountability Act (HIPAA), the Employee Retirement Income Security Act (ERISA) Fiduciary Responsibility rules or various other federal and state laws and regulations, vendor contracts or their own data privacy or security policies.

    When notification is recommended or required, human resources and other business leaders also have to consider if modifications should be considered to standard protocols recommended to data breach victims. Notification and registration as an identity theft victim with Equifax long has been a standard part of the federal and state government recommended protocol for recommended to consumers impacted by identity theft or other data breaches. See,e.g., IRS Taxpayer Guide To Identity Theft. Although government agencies as of yet have not changed this recommendation to remove Equifax reporting, many consumers and others view reporting to Equifax as akin to the fox watching the hen house. Consequently, employers and other parties helping consumers respond to the breach often receive push back or questions from consumers about the appropriateness and security reporting to Equifax in light of its breach.

    Beyond evaluating and handling their own legal responsibilities to investigate and deal with any breach impacting their data, employers and other business leaders also likely are or should consider what claims against Equifax, other vendors and business partners involved with Equifax and their own liability insurers are available and warranted to help cover the costs and potential liabilities for the business arising from the breach and it’s fall out.

    As employers and other businesses work through these issues, They should keep in mind that the fallout is likely to continue for years and be further complicated by past and subsequent breaches impacting other governmental and private organizations. Human resources, employee benefits and other businesses and their leaders can expect to experience challenges dealing with fraudulent uses of misappropriated information as well as demands that they tighten up their background check, data security and usage and other practices and documentation to mitigate risks from the compromised data.

    Human resources, employee benefits and other business leaders need to secure the assistance of counsel experienced in guiding their organizations through these and other challenges.

    About The Author

    Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: Erisa & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for management work, coaching, teachings, and publications.

    Ms. Stamer works with businesses and their management, employee benefit plans, governments and other organizations deal with all aspects of human resources and workforce, internal controls and regulatory compliance, change management and other performance and operations management and compliance. Her day-to-day work encompasses both labor and employment issues, as well as independent contractor, outsourcing, employee leasing, management services and other nontraditional service relationships. She supports her clients both on a real-time, “on demand” basis and with longer term basis to deal with all aspects for workforce and human resources management, including, recruitment, hiring, firing, compensation and benefits, promotion, discipline, compliance, trade secret and confidentiality, noncompetition, privacy and data security, safety, daily performance and operations management, emerging crises, strategic planning, process improvement and change management, investigations, defending litigation, audits, investigations or other enforcement challenges, government affairs and public policy.

    Well-known for her extensive work with health, insurance, financial services, technology, energy, manufacturing, retail, hospitality, governmental and other highly regulated employers, her nearly 30 years’ of experience encompasses domestic and international businesses of all types and sizes. Author of numerous works on privacy and data security, Ms. Stamer‘s experience includes involvement in cyber security and other data privacy and security matters for more than 20 years.

    A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her thought leadership, experience and advocacy on these and other concerns by her service as a management consultant,  business coach and consultant and policy strategist as well through her leadership participation in professional and civic organizations such her involvement as the Vice Chair of the North Texas Healthcare Compliance Association; Executive Director of the Coalition on Responsible Health Policy and its PROJECT COPE: Coalition on Patient Empowerment; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children; former Gulf Coast TEGE Council Exempt Organization Coordinator; a founding Board Member and past President of the Alliance for Healthcare Excellence; former board member and Vice President of the Managed Care Association; past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; a member and policy adviser to the National Physicians’ Council for Healthcare Policy; current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee; current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section; Past Chair of the ABA Health Law Section Managed Care & Insurance Section; ABA Real Property Probate and Trust (RPTE) Section former Employee Benefits Group Chair, immediate past RPTE Representative to ABA Joint Committee on Employee Benefits Council Representative, and Defined Contribution Committee Co-Chair, past Welfare Benefit Committee Chair and current Employee Benefits Group Fiduciary Responsibility Committee Co-Chair, Substantive and Group Committee member, Membership Committee member and RPTE Representative to the ABA Health Law Coordinating Council; past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee; a former member of the Board of Directors, Treasurer, Member and Continuing Education Chair of the Southwest Benefits Association and others.

    Ms. Stamer also is a widely published author, highly popular lecturer, and serial symposia chair, who publishes and speaks extensively on human resources, labor and employment, employee benefits, compensation, occupational safety and health, and other leadership, performance, regulatory and operational risk management, public policy and community service concerns for the American Bar Association, ALI-ABA, American Health Lawyers, Society of Human Resources Professionals, the Southwest Benefits Association, the Society of Employee Benefits Administrators, the American Law Institute, Lexis-Nexis, Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, the HCCA, ISSA, HIMSS, Modern Healthcare, Managed Healthcare, Institute of Internal Auditors, Society of CPAs, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other symposia and publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, InsuranceThoughtLeadership.com and many other prominent publications and speaks and conducts training for a broad range of professional organizations and for clients on the Advisory Boards of InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications.

    Want to know more? See here for details about the author of this update, attorney Cynthia Marcotte Stamer, e-mail her here or telephone Ms. Stamer at (469) 767-8872.

    About Solutions Law Press, Inc.™

    Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources at SolutionsLawPress.com such as the following:

    RAISE Act Immigration Reforms Touted As “Giving Americans A Raise”

    Health Clinic At Houston Convention Center, Other HHS Help For Hurricane Harvey Victims

    IRS Updates Amounts Used To Calculate 2017 Obamacare Individual Individual Shares Responsibility Tax Penalties

    DB Plan Sponsors Check Out New Bifurcated Distribution Model Amendmentsy

    U.S. News Names 2017-2018 “Best” Hospitals; Patient Usefulness Starts With Metholodogy Understanding

    Use Lessons Of Past Mistakes or Injustice To Build Better Future

    Prepare For Turnover, Other Challenges From Rising Workforce Competition

    Employers, Health Plans Should Brace For Tightened Federal Mental Health Coverage Mandate Disclosure And Enforcement

    Withholding Calculator Tool Helps Workers Figure Withholding

    Better Preparing U.S. Workers To Fill Your Jobs

    SCOTUS Ruling Bars Many State Arbitration Agreement Restrictions

    $2.4M HIPAA Settlement Message Warns Health Plans & Providers Against Sharing Medical Info With Media, Others

    If you or someone else you know would like to receive future updates about developments on these and other concerns, please provide your current contact information and preferences including your preferred e-mail by creating or updating your profile here.

    NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The presenter and the program sponsor disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

    Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

    ©2017 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions  Law Press, Inc.™   For information about republication, please contact the author directly.  All other rights reserved.


    Learn About Rising Group Health Plan Mental Health Mandate Risks From 6/27 “2017 Federal Group Health Plan Mental Health Rules Update”

    June 22, 2017

    Register Now To Participate In 

    “2017 Federal Group Health Plan Mental Health Rules Update

    Solutions Law Press, Inc™ Health Plan Update WebEx Briefing  

    Tuesday, June 27, 2017

    10:30 A.M.-11:30 P.M. Eastern | 11:30 A.M.-12:30 P.M. Central

    EXPANDING REGULATORY REQUIREMENTS & ENFORCEMENT SPELL TROUBLE FOR HEALTH PLANS AND THEIR SPONSORING EMPLOYERS.

    Solutions Law Press, Inc.™ invites employer and other group health plan sponsors, fiduciaries, insurers, administrative service providers, plan brokers and consultants are invited learn critical information about their expanding risks and responsibilities arising from existing and proposed changes to rules and enforcement of federal group health plan mental health and substance abuse (MH/SUB) coverage and privacy rules under the Mental Health Parity and Addiction Equity Act of 2008 (MHPAEA), as supplemented by the Patient Protection and Affordable Care Act (ACA) and the 21st Century Cures Act (Cures Act) and the Privacy Rules of the Health Insurance Portability & Accountability Act (HIPAA) conducted by attorney Cynthia Marcotte Stamer, a Fellow in the American College of Employee Benefits recognized as among the “Best Lawyers” in employee benefits for her health and other benefit knowledge, experience, policy advocacy and thought leadership.  Register here now!

    Tightening Health Plan Mental Health & Substance Abuse Rules & Enforcement Make Group Health Plan Compliance Critical

    New and proposed guidance jointly published June 16, 2017 by the Departments of Labor (DOL), Health & Human Services (HHS) and Treasury is the latest in a series of regulatory and enforcement developments over the past year alerting  group health plans and their employer and other group health plan sponsors, fiduciaries, insurers, administrative services providers, plan brokers and consultants involved in health plan design, funding, or administration to get serious about their group health plans’ compliance with the MHPAEA federal group health plan mental health and substance abuse coverage and benefit requirements, as supplemented by the ACA and the Cures Act without running afoul of the Privacy Rules of HIPAA.

    Building upon federal group health plan mental health parity mandates originally implemented under the Mental Health Parity Act, the MHPAEA generally requires that any financial requirements or treatment limitations group health plans impose on mental health and substance use disorder (MH/SUD) benefits not be restrictive than the predominant financial requirements and treatment limitations that apply to substantially all medical and surgical benefits. MHPAEA also imposes several disclosure requirements on group health plans and health insurance issuers.  Not satisfied with the MHPAEA coverage and disclosure protections, however, Congress subsequently broadened federal MH/SUD benefit rights under group health plans through the enactment of the ACA and the Cures Act.  Congress also has imposed special requirements and protections for mental health treatment records adds additional responsibilities for group health plans and their service providers when dealing with information and records in connection with the administration of MH/SUD benefits.

    After a long period of lax oversight and enforcement of these federal group health plan mental health rules, the Departments of Labor (DOL), Health and Human Services (HHS), and the Treasury (collectively, the Departments) since October, 2016 have begun both tightening the rules and acting to increase oversight and enforcement.  The Departments have issued a series of joint guidance clarifying and broadening their interpretations of these MH/SUD benefit and disclosure mandates while simultaneously taking steps to increase awareness and enforcement of these rights.  As part of these ongoing efforts, Departments’ on June 16, 2017 expanded this guidance with their publication of new Mental Health Parity Implementation FAQs Part 38 discussing their joint interpretation of the broadening effect of the enactment of the ACA and the Cure Act on these plan requirements.  Concurrently, the Departments signaled their intention to add additional responsibilities for group health plans and insurers by publishing along with FAQ Part 38 a Draft MHPAEA Disclosure Template and request for comments.  This latest guidance package reaffirms that the Departments are continuing efforts to increase oversight of and enforcement of MH/SUD compliance against group health plans, their sponsors, fiduciaries, insurers, and their administrative and other service providers.  In the face of these developments and the reported initiation of enforcement actions by the Departments, the group health plans, their employer and other sponsors, fiduciaries, insurers, and their administrative and other service providers should move quickly to understand and update their plans and practices to comply with these recent developments while bracing for the likely need to deal with further expanded disclosure and other additional responsibilities under the MHPAEA jointly proposed by the Departments on June 16, 2017.

    Beyond fulfilling these expanding MHPAEA responsibilities, health plan fiduciaries, administrators, insurers and sponsors also must ensure their health plan and its business associates comply with  special rules concerning the protection, use and disclosure of mental health treatment records and information that may impact certain mental health treatment and other records received, used, retained or disclosed in the course of administering mental health, substance abuse or other provisions of their group health plans under the HIPAA Privacy Rules.  Keeping in mind that HHS audit and enforcement of compliance by health plans and other HIPAA covered entities with HIPAA’s medical privacy and data security rules, health plan sponsors, fiduciaries, insurers and administrative and other service providers also should take the opportunity to verify that their plans and practices comply with special HIPAA rules impacting authorizations and other dealings with certain mental health and substance abuse health information and records and other HIPAA medical privacy and security requirements.

    Given these developments, group health plans, their sponsors, fiduciaries, insurers and administrator must take steps to verify and maintain compliance with these federal MH/SUD requirements.  Ensuring proper compliance with these federal rules is particularly important to avoid triggering the substantial liability that health plans, their employer and other sponsors, insurers, and administrators can incur if their health plan violates these mandates.  Obviously, plans and their sponsors, insurers and fiduciaries can expect to pay additional plan expenses necessary to pay wrongfully denied benefits and other expenditures these plan or its fiduciaries expend to investigate, defend and resolve claims or compliance audits, investigations, litigation or actions brought by the Departments, state insurance regulators with respect to state governments or insurers, or private litigation by participants or beneficiaries.  Many employer or other plan sponsors may be unaware that these violations also generally expose employers and other health plan sponsors to liability to self identify, self-report on Internal Revenue Service Form 8928 and self-pay and excise tax of up to $100 per participant per day per uncorrected violation by the due date for filing of their annual corporate tax return.

    With oversight and enforcement already rising and the Departments proposing to expand further both disclosure duties and enforcement, group health plans, their employer and other sponsors, insurers, fiduciaries and administrators clearly need to take prompt action to verify their existing health plan provisions and administrative practices are up-to-date and administered to withstand challenge from the Departments, participants, beneficiaries, health care providers and others. Consequently, employer and other group health plan sponsors, fiduciaries, insurers, administrative services providers, plan brokers and consultants involved in health plan design, funding, or administration should act quickly to verify their plan terms and practices are updated to comply with existing rules and share their input in response to the Departments June 16, 2017 requests for comments.

    ABOUT CYNTHIA MARCOTTE STAMER

    Recognized as “Legal Leader™ Texas Top Rated Lawyer” in both Health Care Law and Labor and Employment Law, a “Texas Top Lawyer,” and an  “AV-Preeminent” and “Top Rated Lawyer” by Martindale-Hubble, singled out as among the “Best Lawyers In Dallas” in employee benefits by D Magazine; Cynthia Marcotte Stamer is a practicing attorney and management consultant, author, public policy advocate and lecturer widely recognized for her nearly 30 years’ of work and pragmatic thought leadership, publications and training on health coverage and health care, health plan and employee benefits, workforce and related regulatory and other compliance, performance management, risk management, product and process development, public policy, operations and other concerns.

    Throughout her legal and consulting career, Ms. Stamer has  drawn recognition for combining extensive knowledge and experience with her talents as an insightful innovator and problem solver when advising, representing and defending employer and other plan sponsors, insurers, fiduciaries, insurers, electronic and other technology, plan administrators and other service providers, governments and others about health coverage, benefit program design, funding, documentation, administration, data security and use, contracting, plan, public and regulatory reforms and enforcement, and other risk management and operations matters  as well as for her work and thought leadership on a broad range of other health,  employee benefits, human resources and other workforce, insurance, tax, compliance and other matters.  Her experience encompasses leading and supporting the development and defense of innovative new programs, practices and solutions; advising and representing clients on routine plan establishment, plan documentation and contract drafting and review, administration, change and other compliance and operations crisis prevention and response, compliance and risk management audits and investigations, enforcement actions and other dealings with the US Congress, Departments of Labor, Treasury, Health & Human Services, Federal Trade Commission, Justice, state legislatures, attorneys general, insurance, labor, worker’s compensation, and other agencies and regulators,  She also provides strategic and other supports clients in defending litigation as lead strategy counsel, special counsel and as an expert witness.

    A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares shared her thought leadership, experience and advocacy on these and other concerns by her service in the leadership of a broad range of other professional and civic organization including her involvement as Executive Director of the Coalition on Responsible Health Policy and its PROJECT COPE; Coalition on Patient Empowerment, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children; current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, Past Group Chair, current Defined Contribution Plan Committee Co-Chair, former Welfare Committee Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, immediate past RPTE Representative to ABA Joint Committee on Employee Benefits Council Representative and current RPTE Representative to the ABA Health Law Coordinating Counsel, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, former member of the Board of Directors of the Southwest Benefits Association and others.

    Ms. Stamer also is a highly popular lecturer, symposia chair and author, who publishes and speaks extensively on health and managed care industry, human resources, employment and other privacy, data security and other technology, regulatory and operational risk management for the American Bar Association, ALI-ABA, American Health Lawyers, Society of Human Resources Professionals, the Southwest Benefits Association, the Society of Employee Benefits Administrators, the American Law Institute, Lexis-Nexis, Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, the Society of Professional Benefits Administrators, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, the HCCA, ISSA, HIMSS, Modern Healthcare, Managed Healthcare, Institute of Internal Auditors, Society of CPAs, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other symposia and publications.  She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, InsuranceThoughtLeadership.com and many other prominent publications and speaks and conducts training for a broad range of professional organizations and for clients, serves on the faculty and planning committee of many workshops, seminars, and symposia, and on the Advisory Boards of InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications. For additional information about Ms. Stamer, see CynthiaStamer.com or contact Ms. Stamer via email to here or via telephone to (469) 767-8872.

    About Solutions Law Press

    Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources at www.SolutionsLawPress.com.

    If you or someone else you know would like to receive future updates and notices about other upcoming Solutions Law Press™ events, please be sure that we have your current contact information – including your preferred e-mail by creating or updating your profile here.  For important information concerning this communication, see here.

    NOTICE:  Any party accessing or using any content obtained from or through Solutions Law Press, Inc.™ acknowledges and agrees that any and all programs, publications, statements and materials presented or published by Solutions Law Press, Inc.™ and any statements or other contents made or contained therein are for general informational and educational purposes only. They are generic in nature and not tailored or intended to be relied upon by any person, business, entity or other party for purposes for determining the legal, financial or other appropriateness, defensibility, suitability, outcome or consequences of any strategy, action, course of action, or any other facts, circumstances, event or conduct.  Users of these resources are responsible at all times for independently evluating the suitability of any content, materials, tools or other materials or information accessed from or through Solutions Law Press, Inc. directly or indirectly.

    Solutions Law Press, Inc.™ and its authors and contributors do not represent or warrant in any form or manner, and expressly disclaim and deny the appropriateness of the use or reliance of any person or entity on any content, tools or resources accessed or obtained from or through Solutions Law Press, Inc.™ for any general or particular use or purpose by any party under any circumstances.

    Likewise, they do not establish an attorney-client relationship or other fiduciary, contractual or other relationship between Solutions Law Press, Inc. and/or any of its authors or contributors and any other party.  They are not, and do not serve as a substitute for legal, accounting, tax or other advice.  They don’t create or otherwise give rise to any duty, obligation, responsibility on behalf of Solutions Law Press, Inc™ or any provider or offeree of content, tools or services to any party.

    Parties accessing or using any of Solutions Law Press, Inc.™  competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The publisher and the author expressly disclaim all liability for this content and any responsibility to provide any update or otherwise notify anyone of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

    ©2017 Solutions Law Press. All rights reserved.