tpa |

OSHA Gains Power To Get Visas For Certain Non-Citizen Crime Witnesses

February 15, 2023

Beginning March 30, 2023, the Occupational Health and Safety Administration (OSHA) criminal investigation and enforcement will be beefed up by a new authority to issue certifications to provide U Nonimmigrant Status and T Nonimmigrant Status visas to noncitizens to remain in the U.S. to assist in OSHA investigations without fear of deportation or other retaliation.

“U Visas” and “T Visas” allow non-citizen victims of specific crimes to help law enforcement detect, investigate and prosecute crimes without fear of retaliation based on their immigration status by providing them immigration status that allows them to remain in the U.S. to assist authorities in combatting human trafficking and other crimes.

Secretary of Labor Marty Walsh joined Assistant OSHA Secretary Doug Parker to sign a memorandum granting OSHA authority to issue these certifications on February 13. The memorandum for the first time gives OSHA the ability o issue these visa certifications during its workplace safety investigations when the agency identifies manslaughter, trafficking, extortion, felonious assault, forced labor, obstruction of justice or other qualifying criminal violations.

OSHA hopes this new authority will strengthen its ability to secure cooperation of witnesses with immigration status or other social and cultural inequities that discourage them from sharing information with investigators or reporting workplace safety and health issues.

The new authority could enhance OSHA’s ability to investigate and prosecute criminal occupational health and safety and a wide range of other federal laws where non-citizen employees or other noncitizens are victims or witnesses. This new authority could significantly affect criminal conviction risks for businesses using other noncitizen labor as employees.

More Information

We hope this update is helpful. For more information about the these or other health or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.

Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

A Fellow in the American College of Employee Benefit Counsel, Vice Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, Ms. Stamer’s work throughout her 35 year career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. As an ongoing component of this work, she regularly advises, represents and defends HIPAA covered entities, business associates and other organizations on HIPAA and other cyber, privacy and data security concerns and has published and spoken extensively on these concerns.

Ms. Stamer also is widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on health, health plan and managed care industry, workplace safer and occupational health, public health and safety, and other health care operations, risk management, compliance and regulatory and public affairs.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here.

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

Comments Off on OSHA Gains Power To Get Visas For Certain Non-Citizen Crime Witnesses | Child Labor, Child Safety, citizenship, Corporate Compliance, corporate governance, Discrimination, E-Verify, Employers, Employment, Employment Discrimination, Employment Termination, enforcement, English As A Second Language, Fair Labor Standards Act, FLSA, Government Contractors, government employer, Human Resources, I-9, Immigration, Internal Controls, Internal Investigations, Joint Employer, national origin, Non-Exempt, Nonresident aliens, occupational safety, Prevailing Wage, tpa, Whistleblower, Worker, Worker Classification, Workers' Compensation, Workforce, workplace violence | Permalink
Posted by Cynthia Marcotte Stamer

Travis Nicholson Named New EEOC Dallas District Director

September 2, 2022

Travis Nicholson is taking over as the new Dallas District Director of the Equal Employment Opportunity Commission (“EEOC”). The EEOC announced Nicholson’s appointment to head up the Dallas District on August 30,2022.

As Director of the Dallas District Nicholson will oversee and manage the EEOC’s work in more than 200 counties in north, central, and west Texas, including the district office and its approximately 100 employees. He will also supervise the EEOC’s work with several of the agency’s state and local Fair Employment Practices Agencies that work with the EEOC on employment discrimination in Texas. A former compliance officer with the U.S. Department of Labor Office of Federal Contract Compliance Programs U.S. Army veteran, Nicholson began his career with the EEOC in 2009 as a bilingual investigator in its Detroit Field Office, investigating charges, including systemic and class matters, and conducting outreach to underserved communities and in line with the agency’s Youth at Work initiative. He then served as the Charlotte District Office’s outreach and education coordinator and a program analyst in the Office of Field Programs before becoming Houston’s deputy director in 2017. As the deputy district director in Houston, Nicholson was responsible for day-to-day operations and led process improvements and efficiencies in charge management, systemic investigations, and legal enforcement interaction

More Information

We hope this update is helpful. For more information about these or other health or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.

About the Author

Board Certified in Labor and Employment Law by the Texas Board of Legal Specialization, a Fellow in the American College of Employee Benefits Counsel repeatedly recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” by LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law and among the “Best Lawyers In Dallas” in “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney and management consultant, author, public policy advocate and lecturer widely known for 30+ years of advising, representing and defending domestic and international public, closely held and government organizations on workforce, employee benefits, internal controls and governance, and other risk management, compliance and government relations concerns as well as her coaching, scholarship, training and legislative and public affairs advocacy on these and related areas.

Ms. Stamer helps health industry and other organizations and their management manage. Ms. Stamer’s legal and management consulting work throughout her nearly 30+ year career has focused on helping organizations and their management use the law and process to manage people, process, compliance, operations and risk. Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer helps public and private, domestic and international businesses, governments, and other organizations and their leaders manage their employees, vendors and suppliers, and other workforce members, customers and other’ performance, compliance, compensation and benefits, operations, risks and liabilities, as well as to prevent, stabilize and cleanup workforce and other legal and operational crises large and small that arise in the course of operations.

Ms. Stamer works with businesses and their management, employee benefit plans, governments and other organizations deal with all aspects of human resources and workforce management operations and compliance. She supports her clients both on a real time, “on demand” basis and with longer term basis to deal with daily performance management and operations, emerging crises, strategic planning, process improvement and change management, investigations, defending litigation, audits, investigations or other enforcement challenges, government affairs and public policy. Well known for her extensive work with health care, insurance and other highly regulated entities on corporate compliance, internal controls and risk management, her clients range from highly regulated entities like employers, contractors and their employee benefit plans, their sponsors, management, administrators, insurers, fiduciaries and advisors, technology and data service providers, health care, managed care and insurance, financial services, government contractors and government entities, as well as retail, manufacturing, construction, consulting and a host of other domestic and international businesses of all types and sizes. Common engagements include internal and external workforce hiring, management, training, performance management, compliance and administration, discipline and termination, and other aspects of workforce management including employment and outsourced services contracting and enforcement, sentencing guidelines and other compliance plan, policy and program development, administration, and defense, performance management, wage and hour and other compensation and benefits, reengineering and other change management, internal controls, compliance and risk management, communications and training, worker classification, tax and payroll, investigations, crisis preparedness and response, government relations, safety, government contracting and audits, litigation and other enforcement, and other concerns. She also represents and defends clients in investigations, audits, enforcement actions and other dealings with the the Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and a multitude of federal, state, and locate agencies, state attorneys’ general and other federal and state agencies, public and private credentialing, licensing and accreditation bodies, as well as conducts and counsels clients on private litigation, employment and other services disputes, regulatory and public policy advocacy, training and discipline, enforcement and other strategic and operational concerns.

Ms. Stamer uses her deep and highly specialized health, insurance, labor and employment and other knowledge and experience to help employers and other employee benefit plan sponsors; health, pension and other employee benefit plans, their fiduciaries, administrators and service providers, insurers, and others design legally compliant, effective compensation, health and other welfare benefit and insurance, severance, pension and deferred compensation, private exchanges, cafeteria plan and other employee benefit, fringe benefit, salary and hourly compensation, bonus and other incentive compensation and related programs, products and arrangements. She is particularly recognized for her leading edge work, thought leadership and knowledgeable advice and representation on the design, documentation, administration, regulation and defense of a diverse range of self-insured and insured health and welfare benefit plans including private exchange and other health benefit choices, health care reimbursement and other “defined contribution” limited benefit, 24-hour and other occupational and non-occupational injury and accident, expat and medical tourism, onsite medical, wellness and other medical plans and insurance benefit programs as well as a diverse range of other qualified and nonqualified retirement and deferred compensation, severance and other employee benefits and compensation, insurance and savings plans, programs, products, services and activities. As a key element of this work, Ms. Stamer works closely with employer and other plan sponsors, insurance and financial services companies, plan fiduciaries, administrators, and vendors and others to design, administer and defend effective legally defensible employee benefits and compensation practices, programs, products and technology. She also continuously helps employers, insurers, administrative and other service providers, their officers, directors and others to manage fiduciary and other risks of sponsorship or involvement with these and other benefit and compensation arrangements and to defend and mitigate liability and other risks from benefit and liability claims including fiduciary, benefit and other claims, audits, and litigation brought by the Labor Department, IRS, HHS, participants and beneficiaries, service providers, and others. She also assists debtors, creditors, bankruptcy trustees and others assess, manage and resolve labor and employment, employee benefits and insurance, payroll and other compensation related concerns arising from reductions in force or other terminations, mergers, acquisitions, bankruptcies and other business transactions including extensive experience with multiple, high-profile large scale bankruptcies resulting in ERISA, tax, corporate and securities and other litigation or enforcement actions.

Ms. Stamer also is deeply involved in helping to influence workforce, health care, pension, social security, insurance and other policies critical to the workforce, benefits, and compensation practices and other key aspects of a broad range of businesses and their operations. She both helps her clients respond to and resolve emerging regulations and laws, government investigations and enforcement actions and helps them shape the rules through dealings with Congress and other legislatures, regulators and government officials domestically and internationally. A former lead consultant to the Government of Bolivia on its Social Security reform law and most recognized for her leadership on U.S. health and pension, wage and hour, tax, education and immigration policy reform, Ms. Stamer works with U.S. and foreign businesses, governments, trade associations, and others on workforce, social security and severance, health care, immigration, privacy and data security, tax, ethics and other laws and regulations. Founder and Executive Director of the Coalition for Responsible Healthcare Policy and its PROJECT COPE: the Coalition on Patient Empowerment and a Fellow in the American Bar Foundation and State Bar of Texas, Ms. Stamer annually leads the Joint Committee on Employee Benefits (JCEB) HHS Office of Civil Rights agency meeting and other JCEB agency meetings. She also works as a policy advisor and advocate to many business, professional and civic organizations.

Author of the thousands of publications and workshops these and other employment, employee benefits, health care, insurance, workforce and other management matters, Ms. Stamer also is a highly sought out speaker and industry thought leader known for empowering audiences and readers. Ms. Stamer’s insights on employee benefits, insurance, health care and workforce matters in Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, Modern Healthcare, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, InsuranceThoughtLeadership.com and many other prominent publications. Ms. Stamer also regularly serves on the faculty and planning committees for symposia of LexisNexis, the American Bar Association, ALIABA, the Society of Employee Benefits Administrators, the American Law Institute, ISSA, HIMMs, and many other prominent educational and training organizations and conducts training and speaks on these and other management, compliance and public policy concerns.

Ms. Stamer also shares her leadership through her extensive involvement in many professional, community and civic organizations. Currently, she serves as Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR and a representative for its Annual Agency Meeting with the EEOC, Chair of the ABA Intellectual Property Section Law Practice Management Committee, Vice Chair of the ABA International Section Life Sciences Committee, Chair-Elect of the ABA Tort & Insurance Section (TIPS) Medicine and Law Committee, RPTE Section Employee Benefits Committee Welfare Plan Chair, and in various other projects and capacities. She also previously has served as an ABA Joint Committee on Employee Benefits Council Representative, Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and the ABA RPTE Employee Benefits & Other Compensation Group, the Society for Human Resources Management Region IV Board Chair and National Consultant’s Board Member; am Editorial Advisory Board Member and author for HR.com, Insurance ThoughtLeaders, BNA CD-Rolm, and Employee Benefits News; the Alliance for Healthcare Excellence Board President, Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, on the North Texas United Way Long Range Planning Committee Member, as a Board Member and Compliance Chair of the National Kidney Foundation of North Texas and many others.

Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. These include hundreds of highly regarded articles and workshops on health and other benefits, workforce, health care and insurance concerns.

For more information about these requirements, Ms. Stamer or her experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Comments Off on Travis Nicholson Named New EEOC Dallas District Director | ADA, adea, Affirmative Action, Age Discrimination, Civil Rights, compensation, compliance, Corporate Compliance, CROWN Act, Department of Defense, DFAR, Disability, Disability Discrimination, Discrimination, Disease Management, Diversity, Drug & Alcohol, EEOC, EEOC, Employer, Employers, Employment, Employment Agreement, Employment Discrimination, Employment Policies, Employment Termination, enforcement, English As A Second Language, Executive Compensation, Government Contractors, health benefit, Health Benefits, HR, Human Resources, LBGT, LEP, LGBT, Management, Mergers & Acquisitions, Nonresident aliens, OFCCP, OFCCP, Public Accommodation, Race Discrimination, Rehabilitation Act, Retaliation, Risk Management, Sexual Harassment, third party administrators, tpa, Transgender, Union, USERRA, Workforce | Tagged: ADA, adea, civil rights, compliance, Dallas, EEOC, Employer, employment discrimination, employment law, enforcement, government contractor, Leadership, National Origin Discrimination, OFCCP, Race Discrimination, Sex Discrimination, Texas | Permalink
Posted by Cynthia Marcotte Stamer

AHRQ Mental Health Mobile Apps Selection Tips

July 6, 2022

The Agency for Healthcare Research and Quality (AHRQ) issued a brief called “Evaluation of Mental Health Mobile Applications” to help healthcare experts pick out mental health mobile health applications. Along with choosing mental Health applications and other health plan mental health benefit design, plan sponsors, fiduciaries, administrators and insurers also must ensure their overall plan design and all features comply with federal mental health parity mandates.

The report covers three areas: risk and mitigation strategies, functions, and mental health app features.

AHRQ hopes the tips will help providers, patients, and payers in selecting mental health mobile applications and seeking the best fit based on various features.

The report is part of a growing list of resources and enforcement efforts federal and state agencies have initiated over the past year as part of growing concerns about mental health.

Along with educational outreach and tools, the Employee Benefit Security Administration and Department of Health and Human Services also are ratcheting up audits and enforcement of federal mental health parity mandates. Given this heightened scrutiny, employer and other health plan sponsors, fiduciaries, administrators and insurers using mobile applications or other virtual mental health solutions in their health plans should arrange for a compliance review of their health plan compliance with these mandates within the scope of attorney client privilege to mitigate liability risks.

In a recent American Bar Association Joint Committee on Employee Benefits webinar moderated by Cynthia Marcotte Stamer, the EBSA’s Director of Health Plan Compliance and Enforcement Amber Rivers emphasized her agency is prioritizing mental health parity compliance a free recent audits showed widespread noncompliance with the requirement for parity in nonqualitative mental health conditions.

More Information.

For additional information about the requirements or concerns discussed in this article, republication or other related matters, please contact the author, employment lawyer Cynthia Marcotte Stamer via e-mail, via telephone at (214) 452 -8297 or on LinkedIn.

Solutions Law Press, Inc. invites you to receive future updates by registering here and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

About the Author

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, well-known for her extensive work with health and other employee benefits, health care and life sciences, insurance, financial services, technology, and other highly regulated and performance reliant organizations and their leadership, Ms. Stamer works with these and other businesses and their management, employee benefit plans, insurers, health care and life sciences, governments and other organizations deal with all aspects of health care, human resources and workforce, internal controls and regulatory compliance, change management and other performance and operations management and compliance. Her day-to-day work encompasses both labor and employment issues, as well as independent contractor, outsourcing, employee leasing, management services and other nontraditional service relationships. She supports her clients both on a real-time, “on demand” basis and with longer term basis to deal with all aspects for workforce and human resources management, including, recruitment, hiring, firing, compensation and benefits, promotion, discipline, Form I-9 and other compliance, trade secret and confidentiality, noncompetition, privacy and data security, safety, daily performance and operations management, internal controls, emerging crises, strategic planning, process improvement and change management, investigations, defending litigation, audits, investigations or other enforcement challenges, government affairs and public policy. her more than 30 years’ of experience encompasses domestic and international businesses of all types and sizes.

Ms. Stamer also shares her thought leadership, experience and advocacy on these and other concerns by her service as a practicing attorney, as well as as an industry, policy management consultant, and policy strategist as well through her leadership participation in professional and civic organizations. Examples of her many leadership involvements include service as the Vice President and Executive Director of the North Texas Healthcare Compliance Association; Executive Director of the Coalition on Responsible Health Policy and its PROJECT COPE: Coalition on Patient Empowerment; Vice Chair of the ABA International Law Section Life Sciences and Health Committee; Vice Chair of the ABA Tort & Insurance Practice Section Medicine and Law Committee and former Vice Chair of its Employee Benefits Committee and its Worker’s Compensation Commitee; Past Chair of the ABA Health Law Section Managed Care & Insurance Section; ABA Real Property Probate and Trust (RPTE) Section former Employee Benefits Group Chair, current Welfare Committee Co-Chair and past RPTE Representative to ABA Joint Committee on Employee Benefits Council Representative, and Defined Contribution Committee Co-Chair, past Welfare Benefit Committee Chair and current Employee Benefits Group Fiduciary Responsibility Committee Co-Chair, Substantive and Group Committee member, Membership Committee member and RPTE Representative to the ABA Health Law Coordinating Council; past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee; a former member of the Board of Directors, Treasurer, Member and Continuing Education Chair of the Southwest Benefits Association; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children; former Gulf Coast TEGE Council Exempt Organization Coordinator; a founding Board Member and past President of the Alliance for Healthcare Excellence; former board member and Vice President of the Managed Care Association; past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; a member and policy adviser to the National Physicians’ Council for Healthcare Policy and others.

Ms. Stamer also is a widely published author, highly popular lecturer, and serial symposia chair, who publishes and speaks extensively on human resources, labor and employment, employee benefits, compensation, occupational safety and health, and other leadership, performance, regulatory and operational risk management, public policy and community service concerns for the American Bar Association, ALI-ABA, American Health Lawyers, Society of Human Resources Professionals, the Southwest Benefits Association, the Society of Employee Benefits Administrators, the American Law Institute, Lexis-Nexis, Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, the HCCA, ISSA, HIMSS, Modern Healthcare, Managed Healthcare, Institute of Internal Auditors, Society of CPAs, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other symposia and publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, InsuranceThoughtLeadership.com and many other prominent publications and speaks and conducts training for a broad range of professional organizations and for clients on the Advisory Boards of InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications.

About Solutions Law Press, Inc.™

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The presenter and the program sponsor disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2022 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.

Comments Off on AHRQ Mental Health Mobile Apps Selection Tips | ACA, Association Health Plan, Data Breach, Data Security, Employee Benefits, Employer, Employers, ERISA, fiduciary duty, Fiduciary Responsibility, Government Accountability, government employer, government plan, group health plan, health benefit, Health Benefits, health Care, health insurance, health insurance marketplace, health plan, Health Plans, health reform, HIPAA, Joint Employer, Protected Health Information, self insured health plan, tpa | Permalink
Posted by Cynthia Marcotte Stamer

Comment To OCR By 6/6 To Help Shape How OCR Implements HITECH Act Recognized Security Practices Standards For Purposes Of Setting Civil Monetary Penalties Under HIPAA Security Rules.

April 29, 2022

June 6, 2022 is the deadline for health plans, their sponsors, fiduciaries, administrative and other business associates and others to provide input to the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) that OCR says it seeks to help shape how it defines and implements the “recognized security standards” requirements of the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act), as amended in 2021 for purposes of its administration and enforcement of civil monetary penalty and other provisions of of the Health Insurance Portability and Accountability Act (“”HIPAA”). The regulatory and enforcement decisions that OCR makes could significantly impact the civil monetary penalty liability, compliance, audit and recordkeeping responsibilities that health plans, health care providers, health care clearinghouses and their business associates (“Covered Entities”) face under the HIPAA Security and Breach Notification Rules.

OCR is inviting public input on two issues under the OCR Request for Information on Considerations for Implementing the Health Information Technology for Economic and Clinical Health (HITECH) Act, as Amended (RFI) released April 6, 2022:

The definition and administration of the “recognized security practice” factor the HITECH Act requires OCR to consider when assessing audit results, civil monetary penalty and settlement amounts and other HIPAA Security and Breach Rule enforcement; and
The rules that OCR will follow to determine when and how OCR will share portions of amounts it receives from civil monetary penalties or settlements with individuals harmed by breaches of electronic protected health information,

Recognized Security Practices

Section 13412 of the HITECH Act requires HHS to take into consideration certain recognized security practices of covered entities (health plans, health care clearinghouses, and most health care providers) and business associates1 when determining potential fines, audit results, or other remedies for resolving potential violations of the HIPAA Security Rule pursuant to an investigation, compliance review, or audit.

A primary goal of the requirement, which took effect January 5, 2021, is to encourage covered entities and business associates to do “everything in their power to safeguard patient data.”

The RFI solicits comment on how covered entities and business associates are implementing “recognized security practices,” how they anticipate adequately demonstrating that recognized security practices are in place, and any implementation issues they would like OCR to clarify through future guidance or rulemaking.

Civil Money Penalty (CMP) and Settlement Sharing

Section 13410(c)(3) of the HITECH Act requires HHS to establish by regulation a methodology under which an individual harmed by a potential violation of the HIPAA Privacy, Security, and/or Breach Notification Rules may receive a percentage of any CMP or monetary settlement collected with respect to that offense.

Section 13140(d)(1) of HITECH requires that OCR base determinations of appropriate penalty amounts on the nature and extent of the violation and the nature and extent of the harm resulting from such violation. The HITECH Act does not define “harm,” nor does it provide direction to aid HHS in defining the term.

The RFI solicits public comment on the types of harms that should be considered in the distribution of CMPs and monetary settlements to harmed individuals, discusses potential methodologies for sharing and distributing monies to harmed individuals, and invites the public to submit alternative methodologies.

Comments Due 6/6

Health plan and other Covered Entity input could significantly impact how OCR implements and administers these two important aspects of the HIPAA Security Rule going forward. As these decisions are likely to significantly impact the policies, practices, recordkeeping, breach investigation and other obligations that Covered Entities would need to meet in the event of an audit, breach or other investigation or enforcement, timely, thoughtful input from all Covered Entities and affected stakeholders is important. In addition, its decisions on how to distribute CMPs.

For more information about the RFI or instructions for submitting comments, see here.

Health Plan Security & Breach Exposures Beyond HIPAA

Beyond the significant exposures health plans and their business associates may face under HIPAA, recent Department of Labor Employee Benefit Security Administration (“EBSA”) guidance also signals growing risks for health plans and their fiduciaries under the Employee Retirement Income Security Act of 1974. See e.g., HIPAA & ERISA Fiduciary Rules Drive Imperative To Protect Health Plan Data & Systems From Hacking & Other Cyber Threats.

These are just some of the emerging health plan compliance risks and responsibilities that health plan, their fiduciaries, sponsors, administrators, service providers and insurers need to watch and manage. Amber M. Rivers, Director of the Employee Benefit Security Administration Office of Health Plan Standards and Compliance will discuss these and other risks during the “Department of Labor Health Plan Compliance and Enforcement Update” at a virtual program hosted by the American Bar Association Joint Committee on Employee Benefits from Noon to 1:30 p.m. Central Time on May 5, 2022 to be moderated by Solutions Law Press, Inc. author and publisher, attorney Cynthia Marcotte Stamer will moderate the program.

For additional information about or to register for this program, see here.

More Information.

About the Author

As part of these involvements, Ms. Stamer is scheduled to moderate the discussion of “Department of Labor Health Plan Compliance and Enforcement Update” with Amber M. Rivers, Director of the Employee Benefit Security Administration Office of Health Plan Standards and Compliance that the ABA Joint Committee on Employee Benefits is hosting on May 5, 2022. For additional information about or to register for this program, see here.

About Solutions Law Press, Inc.™

Comments Off on Comment To OCR By 6/6 To Help Shape How OCR Implements HITECH Act Recognized Security Practices Standards For Purposes Of Setting Civil Monetary Penalties Under HIPAA Security Rules. | ACA, Association Health Plan, Data Breach, Data Security, Employee Benefits, Employer, Employers, ERISA, fiduciary duty, Fiduciary Responsibility, Government Accountability, government employer, government plan, group health plan, health benefit, Health Benefits, health Care, health insurance, health insurance marketplace, health plan, Health Plans, health reform, HIPAA, HIPAA, Joint Employer, Protected Health Information, self insured health plan, tpa | Permalink
Posted by Cynthia Marcotte Stamer

DOJ Sues To Stop UnitedHealth Acquisition Of Change Health To Protect Employer Plan Innovation & Commercial Health Insurance Market Competition

March 3, 2022

The U.S. Department of Justice along with the Minnesota and New York Attorneys General (collectively “Justice Department”) have filed a civil antitrust lawsuit to stop UnitedHealth Group Incorporated (“United”) from acquiring Change Healthcare Inc. (“Change”) on February 24, 2022 in an announced $13 billion transaction that the Justice Department claims will harm self-insured employer health plan innovation and competition in the commercial health insurance market. The suit is the latest in a series of Justice Department suits that seek to prevent continued consolidation of the health industry giants following decades of industry consolidation.

United, headquartered in Minnetonka, Minnesota, is an integrated health care enterprise that includes, among other subsidiaries, UnitedHealthcare, the largest health insurer in the United States; Optum Health, a large network of health care providers located throughout the country; OptumRx, a large pharmacy benefit manager; and OptumInsight, a health care technology business. United’s revenues were $288 billion in 2021.

Change Healthcare Inc. headquartered in Nashville, Tennessee, is a leading independent health care technology company providing health care analytics, software, services and data to health care providers, health insurers and other software and services firms in the health care industry. Today, Change markets itself as a partner to a wide variety of other health care ecosystem organizations including United’s major health insurance competitors as providing vital software and services need for innovation and problem solving. These services include electronic data interchange (EDI) clearinghouse services, which transmit claims and payment information between insurers and providers, and first-pass claims editing solutions, which review claims under the health insurer’s policies and relevant treatment protocols. Change’s revenues were $3.4 billion in 2021.

In the civil antitrust complaint filed in the U.S. District Court for the District of Columbia on February 24, 2022, the Justice Department charges United’s acquisition of this neutral player would allow United to tilt the playing field in its favor, harming current competition and allowing United to control and distort the course of innovation in this industry for the foreseeable future.

Among other things, the Justice Department alleges allowing United to eliminate a significant independent and innovative competitor firm by acquiring Change will undermine competition in the commercial health insurance market, stifle innovation in the employer health insurance markets and suppress competition in the market for a vital technology used by health insurers to process health insurance claims and reduce health care costs by giving United control of a critical data highway through which about half of all Americans’ health insurance claims pass each year.

As alleged in the complaint, the proposed transaction would give United, a massive company that owns the largest health insurer in the United States, access to a vast amount of its rival health insurers’ competitively sensitive information. Post-acquisition, United would be able to use its rivals’ information to gain an unfair advantage and harm competition in health insurance markets. The Justice Department also claims the proposed transaction would eliminate United’s only major rival for first-pass claims editing technology — a critical product used to efficiently process health insurance claims and save health insurers billions of dollars each year — and give United a monopoly share in the market.

A Justice Department press release about the lawsuit quotes Principal Deputy Assistant Attorney General Doha Mekki of the Justice Department’s Antitrust Division as saying, “Unless the deal is blocked, United stands to see and potentially use its health insurance rivals’ competitively sensitive information for its own business purposes and control these competitors’ access to innovations in vital health care technology. The department’s lawsuit makes clear that we will not hesitate to challenge transactions that harm competition by placing so much control of data and innovation in the hands of a single firm.”

The suit is the latest in a series of civil antitrust lawsuits challenging proposed mergers or acquisitions of between health insurance industry giants as anticompetitive in recent years. Stay tuned for more details.

More Information

About the Author

Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, Vice Chair of the ABA International Section Life Sciences Committee, past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and the ABA RPTE Employee Benefits & Other Compensation Group, Ms. Stamer is most widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on health and other privacy and data security and other health industry legal, public policy and operational concerns. Ms. Stamer’s work throughout her 30 plus year career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. As a part of this work, she has continuously and extensively worked with domestic and international health plans, their sponsors, fiduciaries, administrators, and insurers; managed care and insurance organizations; hospitals, health care systems, clinics, skilled nursing, long term care, rehabilitation and other health care providers and facilities; medical staff, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; EHR, claims, payroll and other technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, self-insured health and other employee benefit plans, their sponsors, fiduciaries, administrators and service providers, insurers and other payers, health industry advocacy and other service providers and groups and other health and managed care industry clients as well as federal and state legislative, regulatory, investigatory and enforcement bodies and agencies.

This involvement encompasses helping health care systems and organizations, group and individual health care providers, health plans and insurers, health IT, life sciences and other health industry clients prevent, investigate, manage and resolve sexual assault, abuse, harassment and other organizational, provider and employee misconduct and other performance and behavior; manage Section 1557, Civil Rights Act and other discrimination and accommodation, and other regulatory, contractual and other compliance; vendors and suppliers; contracting and other terms of participation, medical billing, reimbursement, claims administration and coordination, Medicare, Medicaid, CHIP, Medicare/Medicaid Advantage, ERISA and other payers and other provider-payer relations, contracting, compliance and enforcement; Form 990 and other nonprofit and tax-exemption; fundraising, investors, joint venture, and other business partners; quality and other performance measurement, management, discipline and reporting; physician and other workforce recruiting, performance management, peer review and other investigations and discipline, wage and hour, payroll, gain-sharing and other pay-for performance and other compensation, training, outsourcing and other human resources and workforce matters; board, medical staff and other governance; strategic planning, process and quality improvement; meaningful use, EHR, HIPAA and other technology, data security and breach and other health IT and data; STARK, ant kickback, insurance, and other fraud prevention, investigation, defense and enforcement; audits, investigations, and enforcement actions; trade secrets and other intellectual property; crisis preparedness and response; internal, government and third-party licensure, credentialing, accreditation, HCQIA and other peer review and quality reporting, audits, investigations, enforcement and defense; patient relations and care; internal controls and regulatory compliance; payer-provider, provider-provider, vendor, patient, governmental and community relations; facilities, practice, products and other sales, mergers, acquisitions and other business and commercial transactions; government procurement and contracting; grants; tax-exemption and not-for-profit; privacy and data security; training; risk and change management; regulatory affairs and public policy; process, product and service improvement, development and innovation, and other legal and operational compliance and risk management, government and regulatory affairs and operations concerns. to establish, administer and defend workforce and staffing, quality, and other compliance, risk management and operational practices, policies and actions; comply with requirements; investigate and respond to Board of Medicine, Health, Nursing, Pharmacy, Chiropractic, and other licensing agencies, Department of Aging & Disability, FDA, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; JCHO and other accreditation and quality organizations; private litigation and other federal and state health care industry actions: regulatory and public policy advocacy; training and discipline; enforcement; and other strategic and operational concerns.

The American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting and a former Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. These include hundreds of highly regarded articles and workshops on health and other benefits, workforce, health care and insurance concerns.

For more information about these requirements, Ms. Stamer or her experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access of this publication. Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

Comments Off on DOJ Sues To Stop UnitedHealth Acquisition Of Change Health To Protect Employer Plan Innovation & Commercial Health Insurance Market Competition | Antitrust, Association Health Plan, Brokers, compensation transparency, compliance, Corporate Compliance, drug pricing, EBSA, Emploeyrs, Employee Benefits, Employer, Employment, Employment Policies, ERISA, health benefit, Health Benefits, health Care, health care transparency, Health Industry Consolidation, health insurance, health plan, Health Plans, HR, Human Resources, insurers, Internal Controls, Managed Care, Management, Mergers & Acquisitions, pbms, pharmacy, prescription drugs, self insured health plan, Surprise Billing, third party administrators, tpa | Tagged: Health Care, Health Insurance, Health IT, Health Plans | Permalink
Posted by Cynthia Marcotte Stamer

HIPAA & ERISA Fiduciary Rules Drive Imperative To Protect Health Plan Data & Systems From Hacking & Other Cyber Threats

December 20, 2021

Health plans, their employer and other health plan sponsors, fiduciaries and vendors as well as health care providers, healthcare clearinghouses, their vendors that are business associates covered by the Privacy, Security and Breach Notification Rules of the Health Insurance Portability & Accountability Act (“HIPAA”) are urged to act promptly to take well-documented steps to confirm and protect electronic protected health information and systems against the increasingly common hacking and other common cybersecurity threats in light of the rising cyber-hacking and other cybersecurity threats and exposures.

As implemented and enforced by the Department of Health & Human Services Office of Civil Rights (“OCR”), HIPAA generally requires that health plans, health care providers, healthcare clearinghouses and their service providers that qualify as business associates (hereafter “covered entities”) safeguard the privacy and security of individually identifiable protected health information (“protected health information”) in paper, electronic or other form against use, access or disclosure other than as allowed by HIPAA. Along with its general restrictions upon use, access or disclosure of protected health information, HIPAA also requires that covered entities and their business associates take the special precautions to protect electronic protected health information (“ePHI”) against improper access, use, disclosure or loss required by the OCR HIPAA Security Rule. Meanwhile, the OCR HIPAA Breach Notification Rule requires that covered entities notify affected individuals, OCR and in the case of breaches involving records of more than 500 individuals, the media in accordance with the OCR Breach Notification Rule following breach of unsecured protected health information.

OCR has an established policy of investigating all breach reports involving more than 500 individuals and these investigations commonly result in settlements that extract agreements by affected covered entities or business associates to pay huge resolution payments to avoid being assessed significantly larger civil liability penalties authorized by HIPAA. See e.g., Clinical Laboratory Pays $25,000 To Settle Potential HIPAA Security Rule Violations (May 25, 2021); Health Insurer Pays $5.1 Million to Settle Data Breach Affecting Over 9.3 Million People (January 15, 2021); Aetna Pays $1,000,000 to Settle Three HIPAA Breaches (October 28, 2020); Health Insurer Pays $6.85 Million to Settle Data Breach Affecting Over 10.4 Million People (September 25, 2020); HIPAA Business Associate Pays $2.3 Million to Settle Breach Affecting Protected Health Information of Over 6 million Individual – (September 23, 2020); Lifespan Pays $1,040,000 to OCR to Settle Unencrypted Stolen Laptop Breach (July 27, 2020); Small Health Care Provider Fails to Implement Multiple HIPAA Security Rule Requirements (July 23, 2020).

A review of the OCR data base of unsecured electronic protected health information breaches reveals that OCR has received a wave of required unsecured electronic health information breach notifications impacting 500 or more individuals arising from hacking of electronic systems or e-mail since January 1, 2021, including notices from Apple Blossom Family Practice VA Healthcare Provider (500 individuals/Network Server Hacking/IT Incident); Network Server; Texas ENT Specialists TX Healthcare Provider (535,489 individuals/ Network ServerHacking/IT Incident0; Eduro Healthcare, LLC UT Healthcare Provider (8059 individuals/Hacking/IT Incident Email); Sacramento County Department of Health Services CA Healthcare Provider (2096 individuals/Hacking/IT Incident Email); Weddell Pediatric Dental Specialists, LLC IN Healthcare Provider (5356 individuals/Hacking/IT Incident Email); Javery Pain Institute MI Healthcare Provider (1387 individuals/Hacking/IT Incident Email); OSR Physical Therapy AZ Healthcare Provider (714 individuals/Hacking/IT Incident Email}; Nippon Life Insurance Company of America NY Health Plan (4109 individuals/Unauthorized Access/Disclosure Email); Bansley and Kiener, LLP IL Business Associate (50119 /Hacking/IT Incident Network Server) Baylor Scott & White Medical Center – Waxahachie TX Healthcare Provider (883 individuals/Unauthorized Access/Disclosure Electronic Medical Record); Bansley and Kiener, LLP IL Business Associate (2297 individuals/Hacking/IT Incident Network Server); Bansley and Kiener, LLP IL Business Associate (2711/Hacking/IT Incident Network Server); Bansley and Kiener, LLP IL Business Associate (15,814/Hacking/IT Incident Network Server); Mertz Manufacturing Inc Health Insurance Plan OK Health Plan (868 individuals/Hacking/IT Incident Network Server); Department of Behavioral Health and Developmental Services VA Healthcare Provider (4037 individuals/Unauthorized Access/Disclosure Other) Great Plains Manufacturing, Inc KS Health Plan (4110 individuals/Hacking/IT Incident Network Server); and Roy Varughese, M.D. TX Healthcare Provider (2916 individuals/Hacking/IT Incident Email). These recent breach notifications represent only the latest in a rising tide of hacking associated data breach notifications that OCR has received in recent years.

While provider breach reports still are the most common, health plan data breaches are becoming increasingly common. Between January 1 and December 20, 2021, for instance, OCR reported having open investigations arising from health plan breaches of unsecured protected health information reported after December 31, 2021 by Mertz by Manufacturing Inc Health Insurance Plan OK Health Plan; Great Plains Manufacturing, Inc KS Health Plan; Region IV Area Agency on Aging MI Health Plan; Kaiser Permanente MD Health Plan; Iowa Total Care, Inc. IA Health Plan; Maritz Holdings Inc. MO Health Plan; State of TN Finance & Administration TN Health Plan; Providence Health Plan OR Health Plan as well as a plethora of previously health plan associated breaches reported prior to 2021.

While health plan breach notifications generally have lagged far behind provider notifications in number, reported health plan breaches generally have resulted the largest civil monetary penalty or resolution payments largely due to the massive number of individuals affected by these breaches. See e.g., Health Insurer Pays $5.1 Million to Settle Data Breach Affecting Over 9.3 Million People (January 15, 2021); Aetna Pays $1,000,000 to Settle Three HIPAA Breaches (October 28, 2020); Health Insurer Pays $6.85 Million to Settle Data Breach Affecting Over 10.4 Million People (September 25, 2020); HIPAA Business Associate Pays $2.3 Million to Settle Breach Affecting Protected Health Information of Over 6 million Individual (September 23, 2020). In fact, health plan breaches account for the top three largest resolution agreements to date. The biggest among these resolution agreements is the still record-setting $16 million resolution agreement between health insurance giant, Anthem, Inc. and OCR that Anthem entered into to settle potential HIPAA violations OCR uncovered in its investigation of breaches of the electronic protected health information of 79 million remains OCR’s largest. See Record $16M Anthem HIPAA Settlement Signals Need To Tighten HIPAA Compliance & Risk Management

In January, 2021, OCR announced New York health insurer, Excellus Health Plan, Inc., would pay $5.1 million to settle potential HIPAA violations related to a breach affecting over 9.3 million people. The settlement resulted from OCR’s investigation of a September 9, 2015 breach report that cyber-attackers gained unauthorized access to its information technology systems. Excellus Health Plan reported that the breach began on or before December 23, 2013 and ended on May 11, 2015. The hackers installed malware and conducted reconnaissance activities that ultimately resulted in the impermissible disclosure of the protected health information of more than 9.3 million individuals, including their names, addresses, dates of birth, email addresses, Social Security numbers, bank account information, health plan claims, and clinical treatment information. The resolution payment is the second largest collected by OCR to date.

In October, 2020, OCR announced a resolution agreement with Aetna Life Insurance Company and affiliated covered entity (Aetna) where Aetna paid a $1 million resolution payment to settle potential HIPAA violations that arose from Aetna’s filing of hacking related breach reports in 2017 and OCR’s September 2021 announcement of a resolution agreement where Premera Blue Cross (PBC) agreed to pay $6.85 million to OCR (the second largest in OCR history) to settle potential HIPAA violations related to a breach affecting over 10.4 million people. This resolution represents the third largest payment to resolve a HIPAA investigation in OCR history.

The magnitude of these three recordbreaking resolution agreements sends a strong signal that health plans and other covered entities impacted by hacking incidents should expect little sympathy or quarter from OCR. OCR Director Roger Severino drove this point home when he warned in OCR’s announcement of the Aetna resolution agreement, “Hacking continues to be the greatest threat to the privacy and security of individuals’ health information. In this case, a health plan did not stop hackers from roaming inside its health record system undetected for over a year which endangered the privacy of millions of its beneficiaries. …. We know that the most dangerous hackers are sophisticated, patient, and persistent. Health care entities need to step up their game to protect the privacy of people’s health information from this growing threat.”

Coupled with these warnings, the series of alerts issued by OCR urging health plans and other HIPAA covered entities to guard their electronic systems and electronic protected health information against various hacking, malware and other cybersecurity threats send a clear message to health plans and other HIPAA regulated covered entities and business associates to constantly monitor and reconfirm the adequacy of their own HIPAA privacy, security, breach notification and other procedures and protections or be prepared to face similar sanctions from OCR.

Along side the OCR warnings, employment and union sponsored health plans, their insurers, business associates and fiduciaries also now face additional pressure to take prudent steps to secure their health plans’ protected health information and electronic data systems against improper use, access, destruction or disclosure under April, 2021 Employee Benefit Security Administration (“EBSA”) guidance package that for the first time officially recognizes cybersecurity as included in the fiduciary responsibilities of employee benefit plan fiduciaries under the Employee Retirement Income Security Act (“ERISA”) and addition of cybersecurity to its plan audits. As a result, in addition to complying with HIPAA, ERISA-covered health plan fiduciaries and sponsors also should be prepared to demonstrate that plan fiduciaries have taken the steps prudently necessary to guard health and other employee benefit plan data and systems against cybersecurity threats. In light of this guidance health plan fiduciaries and sponsors generally will want to ensure that at minimum, they can demonstrate that the health plan and health plan vendor cybersecurity safeguard meet or exceed the recommendations included in the following guidance materials published by EBSA as part of this cybersecurity announcement and any other steps that are prudent to guard against cybersecurity threats:

Tips for Hiring a Service Provider: Helps plan sponsors and fiduciaries prudently select a service provider with strong cybersecurity practices and monitor their activities, as ERISA requires.
Cybersecurity Program Best Practices: Assists plan fiduciaries and record-keepers in their responsibilities to manage cybersecurity risks.
Online Security Tips: Offers plan participants and beneficiaries who check their retirement accounts online basic rules to reduce the risk of fraud and loss.

In light of this OCR and EBSA guidance, health plan sponsors, fiduciaries and vendors and other HIPAA covered entities and business associates are urged to take documented steps to audit and strengthen as needed their safeguards against hacking and other cybersecurity threats including:

In the case of any health plan or health plan vendor, taking well documented steps to assess and tighten as necessary their health plan systems and data security to meet or exceed the recommendation outlined in the EBSA cybersecurity guidance or otherwise necessary to prudently guard their plans and plan data and systems against cybersecurity threats.
Reviewing and monitoring on a documented, ongoing basis the adequacy and susceptibilities of existing practices, policies, safeguards of their own organizations, as well as their business associates and their vendors within the scope of attorney-client privilege taking into consideration data available from OCR, data regarding known or potential susceptibilities within their own operations as well as in the media, and other developments to determine if additional steps are necessary or advisable.
Updating policies, privacy and other notices, practices, procedures, training and other practices as needed to promote compliance and defensibility.
Renegotiating and enhancing service provider agreements to detail the specific compliance, audit, oversight and reporting rights, workforce and vendor credentialing and access control, indemnification, insurance, cooperation and other rights and responsibilities of all entities and individuals that use, access or disclose, or provide systems, software or other services or tools that could impact on security; to clarify the respective rights, procedures and responsibilities of each party in regards to compliance audits, investigation, breach reporting, and mitigation; and other relevant matters.
Verifying and tightening technological and other tracking, documentation and safeguards and controls to the use, access and disclosure of protected health information and systems.
Conducting well-documented training as necessary to ensure that members of the workforce of each covered entity and business associate understand and are prepared to comply with the expanded requirements of HIPAA, understand their responsibilities and appropriate procedures for reporting and investigating potential breaches or other compliance concerns, and understand as well as are prepared to follow appropriate procedures for reporting and responding to suspected
violations or other indicia of potential security concerns.
Tracking and reviewing on a systemized, well-documented basis actual and near miss security threats to evaluate, document decision-making and make timely adjustments to policies, practices, training, safeguards and other compliance components as necessary to identify and resolve risks.
Establishing and providing well-documented monitoring of compliance that includes board level oversight and reporting at least quarterly and sooner in response to potential threat indicators.
Establishing and providing well-documented timely investigation and redress of reported
violations or other compliance concerns.
Establishing contingency plans for responding in the event of a breach.
Establishing a well-documented process for monitoring and updating policies, practices and other efforts in response to changes in risks, practices and requirements.
Preparing and maintaining a well-documented record of compliance, risk, investigation and other security activities.
Pursuing other appropriate strategies to enhance the covered entity’s ability to demonstrate its compliance commitment both on paper and in operation.

Because susceptibilities in systems, software and other vendors of business associates, covered entities and their business associates should use care to assess and manage business associate and other vendor associated risks and compliance as well as tighten business associate and other service agreements to promote the improved cooperation, coordination, management and oversight required to comply with the new breach notification and other HIPAA requirements by specifically mapping out these details.

Leaders of covered entities or their business associates also are cautioned that while HIPAA itself does not generally create any private right of action for victims of breach under HIPAA, breaches may create substantial liability for their organizations or increasingly, organizational leaders under state data privacy and breach, negligence or other statutory or common laws. In addition, physicians and other licensed parties may face professional discipline or other professional liability for breaches violating statutory or ethical standards. Meanwhile, the Securities and Exchange Commission has indicated that it plans to pursue enforcement against leaders of public health care or other companies that fail to use appropriate care to ensure their organizations comply with privacy and data security obligations and the Employee Benefit Security Administration recently has issued guidance recognizing prudent data security practicces as part of the fiduciary obligations of health plans and their fiduciaries.

Finally, health plans and other covered entities are reminded that appropriate strategic planning and use of attorney-client privilege and other evidentiary tools can critically impact the defensibility of pre-breach, breach investigation and post-breach investigation and decision-making. Because HIPAA, EBSA and other rules typically require prompt investigation and response to known or suspected hacking or other cybersecurity threats, health plans and other covered entities or business associates should seek the assistance of experienced legal counsel to advise and assist in these activities to understand the potential availability and proper use of these and other evidentiary rules as part of the compliance planning process as well as to prepare for appropriate use in the event of a known or suspected incident to avoid unintentional compromise of these protections.

For Additional Information Or Assistance

If you need have questions or need assistance with health, benefit, payroll, investment or other data, systems or other privacy or security related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer may be able to help. Longtime scribe for the American Bar Association Joint Committee on Employee Benefits agency meeting with OCR and author of leading publications on HIPAA and other privacy and data security concerns, Ms. Stamer also regularly assists clients and provides input to Congress, OCR and other agencies, publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. Her insights on HIPAA risk management and compliance frequently appear in medical privacy related publications of a broad range of health care, health plan and other industry publications. She also is a highly-sought out speaker on privacy and data security who serves on the planning faculty and speaks for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others. You can get more information about her HIPAA and other experience here. If you need assistance with these or other compliance concerns, wish to inquire about arranging for compliance audit or training, or need legal representation on other matters, e-mail Ms. Stamer or call (214) 452-8297.

About Solutions Law Press, Inc.™

Important Information About This Communication

Comments Off on HIPAA & ERISA Fiduciary Rules Drive Imperative To Protect Health Plan Data & Systems From Hacking & Other Cyber Threats | Corporate Compliance, Cybercrime, Cybersecurity, ERISA, fiduciary duty, Fiduciary Responsibility, Health Plans, HIPAA, HIPAA, Privacy, tpa | Permalink
Posted by Cynthia Marcotte Stamer

New Rule Requires Health Plans & Insurers To Report Prescription Drug Data

November 17, 2021

Employer-based health plans, health insurance issuers, and other group health plans should begin preparing to report prescription drug and health coverage costs data for prescription drugs covered by their programs after December 31, 2021 required by an interim final rule with request for comments issued by the Departments of Health and Human Services (HHS), Labor, the Treasury (collectively, the Departments), and the Office of Personnel Management today. Since the new rule requires covered plans and insurers to report data for prescription expenditures in 2020 and 2021 by December 27, 2022 and annually thereafter, covered plans and insurers will want complete the necessary arrangements to collect the data as soon as possible to minimize the cost and burdens of collecting and preparing the reports required at the end of the year.

The new “Prescription Drug and Health Care Spending Interim Final Rule with Request for Comments, is the fourth rule in a series that the Departments are issuing to implement the Title I (the “No Surprises Act”) of Division BB of the Consolidated Appropriations Act (CAA), 2021.

The rule requires health plans, health insurance issuers offering group or individual health insurance coverage, and health benefits plans offered to federal employees to submit key data to the Departments, which will work through the HHS Assistant Secretary for Planning and Evaluation (ASPE) to publish a report on prescription drug pricing trends and rebates, as well as their impact on premiums and consumers’ out-of-pocket costs.

The interim final rule also requires plans and health insurers to provide the Departments with an annual overview of their top 50 drugs across key areas of concern annually, including:

General information regarding the plan or coverage;
Enrollment and premium information, including average monthly premiums paid by employees versus employers;
Total health care spending, broken down by type of cost (hospital care; primary care; specialty care; prescription drugs; and other medical costs, including wellness services), including prescription drug spending by enrollees versus employers and issuers;
The 50 most frequently dispensed brand prescription drugs;
The 50 costliest prescription drugs by total annual spending;
The 50 prescription drugs with the greatest increase in plan or coverage expenditures from the previous year;
Prescription drug rebates, fees, and other remuneration paid by drug manufacturers to the plan or issuer in each therapeutic class of drugs, as well as for each of the 25 drugs that yielded the highest amount of rebates; and
The impact of prescription drug rebates, fees, and other remuneration on premiums and out-of-pocket costs.

The rule provides that plan sponsors, issuers, and FEHB carriers generally will be required to submit this information aggregated at the state/market level, rather than separately for each plan. To ensure that the Departments and Office of Personnel Management are able to conduct meaningful data analysis and identify prescription drug trends, the rule also provides uniform standards and definitions, including for identifying prescription drugs regardless of the dosage strength, package size, or mode of delivery.

A CMS fact sheet published along with the rule Shares more details about how data will be collected and analyzed and other information on the data submission requirements.

The new data submission requirements will apply starting with data from the 2020 calendar year. However, the Departments are deferring enforcement of the new requirements until December 27, 2022, to give regulated entities time to come into compliance. This means the required information for 2020 and 2021 is due by December 27, 2022, although it may be submitted sooner.

The extended deadline for reporting is the result of an exercise of discretion by the Departments. Technically, the CAA requires plans and issuers to begin submitting the required information to the Departments by December 27, 2021, and to submit this information by June 1 of each year thereafter. However, the Departments are exercising discretion to provide temporary deferral of enforcement with regard to the December 27, 2021 and June 1, 2022 deadlines. Consequently, the Departments say they will not initiate enforcement action against a plan or issuer that submits the required information for 2020 and 2021 by December 27, 2022. OPM also will allow its FEHB carriers to report information for 2020 and 2021 by December 27, 2022.

The Departments anticipate releasing their first report in June 2023 and biennially thereafter.

Along with publishing the rules, the Department invited public comments on its provisions. Comments on this IFC are due at 5 p.m. on January 24, 2022.

The Departments say additional information on prescription drug rebates, fees, and other remunerations paid by drug manufacturers to plans, issuers, and pharmacy benefit managers—including the top 25 drugs generating the highest rebate amounts—will help the Departments understand and report on prescription drug costs, and how they fluctuate over time.

In addition to preparing to meet the requirements in today’s rules, plans and insurers also need to prepare to comply with two earlier interim final rules (published on July 13, 2021and October 7, 2021, respectively) and a notice of proposed rulemaking (published on September 16, 2021).

More Information

About the Author

For more information about these requirements, Ms. Stamer or her experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Comments Off on New Rule Requires Health Plans & Insurers To Report Prescription Drug Data | Association Health Plan, Brokers, compensation transparency, compliance, Corporate Compliance, drug pricing, EBSA, Employee Benefits, Employer, Employment, Employment Policies, ERISA, health benefit, Health Benefits, health Care, health care transparency, health insurance, health plan, Health Plans, HR, Human Resources, insurers, Internal Controls, Managed Care, Management, pbms, pharmacy, prescription drugs, Surprise Billing, third party administrators, tpa | Permalink
Posted by Cynthia Marcotte Stamer

California Medical Privacy Rules Changed 7/1. https://slphealthcareupdate.com/2021/08/03/california-medical-privacy-rules-eased-new-7-1-2021-rules-allow-greater-flexibility-on-disclosures-a-breach-and-give-agency-more-fine-flexibility-https-www-cdph-ca-gov-programs-ols-cdph%20docume/

August 3, 2021

California Medical Privacy Rules Changed 7/1. https://slphealthcareupdate.com/2021/08/03/california-medical-privacy-rules-eased-new-7-1-2021-rules-allow-greater-flexibility-on-disclosures-a-breach-and-give-agency-more-fine-flexibility-https-www-cdph-ca-gov-programs-ols-cdph%20docume/

Comments Off on California Medical Privacy Rules Changed 7/1. https://slphealthcareupdate.com/2021/08/03/california-medical-privacy-rules-eased-new-7-1-2021-rules-allow-greater-flexibility-on-disclosures-a-breach-and-give-agency-more-fine-flexibility-https-www-cdph-ca-gov-programs-ols-cdph%20docume/ | Association Health Plan, compliance, Consumer Protection, Corporate Compliance, Cybercrime, Data Breach, Data Security, Electronic Medical Record, EMR, enforcement, health benefit, Health Benefits, health Care, health plan, Health Plans, HIPAA, HIPAA, Insurance, Internal Investigations, Managed Care, Privacy, Risk Management, third party administrators, tpa, Trade secret | Permalink
Posted by Cynthia Marcotte Stamer

New IRS Increased Health FSA Carryover, Gives COVID Health FSA Election Relief

June 11, 2020

IRS Notice 2020-33 released indexing the permissible health FSA carryover. As a consequence, the permissible amount immediately increases from $500 to $550.

IRS Notice 2020-29 released to provide temporary flexibility under cafeteria plans for new or changed health coverage and dependent care and health FSA elections, and extensions in certain circumstances of claims periods before use-or-lose must be applied, in response to the changed circumstances many have experienced with respect to availability of childcare and availability of elective health procedures. And a few other HDHP nuggets in there as well.

More Information

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years legal and operational management work, coaching, public policy and regulatory affairs leadership and advocacy, training and public speaking and publications. As a significant part of her work, Ms. Stamer has worked extensively domestically and internationally on an demand, special project and ongoing basis with business, government and community organizations and their leaders, spoken and published extensively on human resources, employee benefits and other workforce and services, tax, health care and health benefits, insurance, workers’ compensation and occupational disease, business disaster and distress and many other management topics, As a key focus of this work, Ms. Stamer has worked with public and private employers of all sizes, employee benefit plans, insurance and financial services, health industry and a broad range of public and private domestic and international business, community and government organizations and leaders on pandemic and other health and safety, workforce and performance preparedness, risks and change management, disaster preparedness and response and other operational and tactical concerns throughout her adult life. A former lead advisor to the Government of Bolivia on its pension project, Ms. Stamer also has worked internationally as an advisor to business, community and government leaders on crisis preparedness and response, workforce, health care and other reform, as well as regularly advises and defends organizations about the design, administration and defense of their organizations workforce, employee benefit and compensation, safety, discipline and other management practices and actions.

Board Certified in Labor and Employment Law By the Texas Board of Legal Specialization, Scribe for the ABA JCEB Annual Agency Meeting with OCR, Vice Chair of the ABA International Section Life Sciences Committee, and the ABA RPTE Employee Benefits & Other Compensation Group and a former Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also serves in leadership of a broad range of professional and civic organizations and shares insights and thought leadership through her extensive publications and public speaking. For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Comments Off on New IRS Increased Health FSA Carryover, Gives COVID Health FSA Election Relief | 105(h), Cafeteria Plans, compensation, compliance, Corporate Compliance, employee, Employee Benefits, Employer, Employers, Employment, Employment Tax, ERISA, health insurance, health plan, Health Plans, third party administrators, tpa, Workforce | Permalink
Posted by Cynthia Marcotte Stamer

2019 OCR Enforcement Shows Getting Defensibly HIPAA Compliant Necessary In 2020!

January 1, 2020

The $65,000 payment and corrective action plan commitments West Georgia Ambulance, Inc. (“West Georgia”) is making to settle Department of Health & Human Services Office for Civil Rights (“OCR”) charges it recurrently violated the Health Insurance Portability and Accountability Act (“HIPAA”) Security Rule and other 2019 HIPAA enforcement sends a clear warning to other HIPAA-covered health plans, health care providers, health care clearighouses and their business associates (“covered entities”) to maintain and be prepared to defend their own HIPAA compliance.

The Western Georgia Resolution Agreement and Corrective Action Plan (“Resolution Agreement”) OCR announced on December 30, 2019 resolves charges resulting from an OCR investigation initiated in response to a HIPAA breach report the Georgia based ambulance company filed in 2013 in which the company, which provides emergency and non-emergency ambulance services in Carroll County, Georgia, disclosed the loss of an unencrypted laptop containing the protected health information (PHI) of 500 individuals. The breach occurred when an unencrypted laptop fell off the back bumper of an ambulance. The laptop was not recovered. West Georgia reported that exactly 500 individuals were affected by the breach.

In the course of its investigation of the breach report, OCR’s investigation uncovered long-standing noncompliance with the HIPAA Rules, including failures to conduct a risk analysis, provide a security awareness and training program, and implement HIPAA Security Rule policies and procedures. Specifically, the Resolution Agreement states that West Georgia:

Did not conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of its ePHI. See 45 C.F.R. § 164.308(a)(1)(ii)(A);
Failed to have a HIPAA security training program, and failed to provide security training to its employees. See 45 C.F.R. § 164.308(a)(5);
Failed to implement Security Rule policies or procedures. See 45 C.F.R. § 164.316; and
Despite OCR’s investigation and technical assistance, “did not take meaningful steps to address their systemic failures.”

To resolve its exposure to the substantially higher civil monetary penalties that OCR could impose for violations of this nature, West Georgia agreed to pay a $65,000 resolution payment to OCR and implement and comply with a corrective action plan that in addition to requiring West Georgia to correct the compliance deficiencies, also subjects West Georgia to two years of OCR monitoring and oversight.

The Resolution Agreement and corrective action plan carry a number of important messages for other health care providers and other Covered Entities. First, the OCR enforcement action against West Georgia coming at the end of yet another heavy HIPAA enforcement year by OCR reminds Covered Entities that OCR is serious about HIPAA enforcement on the heels of its 2018 HIPAA record setting collection of $28.7 million in civil monetary penalties and resolution payments including the single largest individual HIPAA settlement in history of $16 million with Anthem, Inc. See OCR Concludes 2018 with All-Time Record Year for HIPAA Enforcement. While not topping this record, OCR during 2019 now has collected civil monetary penalties and resolution payments totaling more than $15 million from HIPAA Covered Entities and their business associates including:

Second, the Resolution Agreement and various other smaller settlements during the year show HIPAA compliance and enforcement is a concern for smaller provideres and other covered entities, not juswt the huge ones. While the $65,000 settlement payment required by the Resolution Agreement is substantially smaller than the amounts of the civil monetary penalties and many of resolution payments OCR collected in its other 2019 enforcement actions, the West Georgia and other 2019 enforcement actions demonstrate the teeth behind the warning in the OCR Press Release announcing the West Georgia Resolution Agreement from OCR Director Roger Severino that“All providers, large and small, need to take their HIPAA obligations seriously.” With OCR promises to keep up its vigorous investigation and enforcement of the HIPAA requirements, every Covered Entity and business associate should take the necessary steps to verify and maintain their HIPAA compliance and to be prepared to defend their compliance under the Privacy, Security, Breach Notification and HIPAA access and other individual rights mandates of HIPAA.

Third, OCR’s statement in the Resolution Agreement about the failure by West Georgia to meaningfully act to correct compliance deficiencies and cooperate in other corrective action during the period following the breach report highlights the importance for covered entities involved in a breach or other dealings with OCR on a potential compliance concern to behave appropriately to express and exhibit the necessary concern OCR expects regarding the compliance issue to position themselves to request and receive the clemency OCR is empowered under HIPAA to extend when deciding the sanctions for any noncompliance.

Of course meeting the requirements of HIPAA is not the only concern that covered entities should consider as they review and tightened their HIPAA and other privacy and data security procedures. Health care providers and other covered entities also should keep in mind their other obligations to protect patient and other confidential information under other federal laws, the requirements of which also are ever-evolving. For instance, on January 1, 2020 Texas providers like other Texas businesses will become subject to a shortened deadline for providing notice of data breaches under a new law enacted by the Texas Legislature in its last session. Arrangements should be designed to fulfill all of these requirements as well as any ethical or contractual.

Covered entities also should keep in mind that violations of HIPAA can have implications well beyond HIPAA.ramifications beyond HIPAA itself. For instance, heath care providers can face disqualification from federal program participation, licensing and ethics discipline and other professional consequences. Health plans and their fiduciaries also may face Department of Labor and other fiduciary claims, while insurers can face licensing and other regulatory consequences. The Labor Department followed up on previous warnings that health plan fiduciaries duties include a fiduciary duty to protect health plan data by adding HIPAA compliance to certain health plan audits. Insurers, third of art administrators and others also can face duties and liabilities under state insurance and data privacy laws from regulator or private litigant actions.

For More Information

We hope this update is helpful. For more information about this or other labor and employment developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.

About the Author

Scribe for the ABA JCEB Annual Agency Meeting with the Department of Health & Human Services Office of Civil Rights, Vice Chair of the ABA International Section Life Sciences Committee, past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and the ABA RPTE Employee Benefits & Other Compensation Group, Ms. Stamer has extensive legal, operational, and public policy experience advising and representing health care, health care and other entities about HIPAA and other privacy, data security, confidentiality and other matters.

Ms. Stamer’s work throughout her 30 plus year career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services, public and private primary, secondary, and other educational institutions, and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. As a part of this work, she has recurrently worked extensively with public school districts and public and private primary and secondary schools, colleges and universities, academic medical, and other educational institutions, insured and self-insured health plans; domestic and international hospitals, health care systems, clinics, skilled nursing, long term care, rehabilitation and other health care providers and facilities; medical staff, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; EMR, claims, payroll and other technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, employers; and federal and state legislative, regulatory, investigatory and enforcement bodies and agencies on health care, education, and other data privacy, security, use, protection and disclosure; disability and other educational rights; workforce, and a host of other risk management and compliance concerns.

Ms. Stamer is most widely recognized for her decades-long leading edge work, scholarship and thought leadership on health and other privacy and data security and other health industry legal, public policy and operational concerns. This involvement encompasses helping health care systems and organizations, group and individual health care providers, health plans and insurers, health IT, life sciences and other health industry clients prevent, investigate, manage and resolve sexual assault, abuse, harassment and other organizational, provider and employee misconduct and other performance and behavior; manage Section 1557, Civil Rights Act and other discrimination and accommodation, and other regulatory, contractual and other compliance; vendors and suppliers; contracting and other terms of participation, medical billing, reimbursement, claims administration and coordination, Medicare, Medicaid, CHIP, Medicare/Medicaid Advantage, ERISA and other payers and other provider-payer relations, contracting, compliance and enforcement; Form 990 and other nonprofit and tax-exemption; fundraising, investors, joint venture, and other business partners; quality and other performance measurement, management, discipline and reporting; physician and other workforce recruiting, performance management, peer review and other investigations and discipline, wage and hour, payroll, gain-sharing and other pay-for performance and other compensation, training, outsourcing and other human resources and workforce matters; board, medical staff and other governance; strategic planning, process and quality improvement; meaningful use, EMR, HIPAA and other technology, data security and breach and other health IT and data; STARK, ant kickback, insurance, and other fraud prevention, investigation, defense and enforcement; audits, investigations, and enforcement actions; trade secrets and other intellectual property; crisis preparedness and response; internal, government and third-party licensure, credentialing, accreditation, HCQIA and other peer review and quality reporting, audits, investigations, enforcement and defense; patient relations and care; internal controls and regulatory compliance; payer-provider, provider-provider, vendor, patient, governmental and community relations; facilities, practice, products and other sales, mergers, acquisitions and other business and commercial transactions; government procurement and contracting; grants; tax-exemption and not-for-profit; privacy and data security; training; risk and change management; regulatory affairs and public policy; process, product and service improvement, development and innovation, and other legal and operational compliance and risk management, government and regulatory affairs and operations concerns. to establish, administer and defend workforce and staffing, quality, and other compliance, risk management and operational practices, policies and actions; comply with requirements; investigate and respond to Board of Medicine, Health, Nursing, Pharmacy, Chiropractic, and other licensing agencies, Department of Aging & Disability, FDA, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; JCHO and other accreditation and quality organizations; private litigation and other federal and state health care industry actions: regulatory and public policy advocacy; training and discipline; enforcement; and other strategic and operational concerns.

Author of leading works on HIPAA and a multitude of other health care, health plan and other health industry matters, the American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting and a former Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

©2019 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.

Comments Off on 2019 OCR Enforcement Shows Getting Defensibly HIPAA Compliant Necessary In 2020! | Claims Administration, Corporate Compliance, Disease Management, employee, Employee Benefits, Employer, Employers, Employment, EMR, ERISA, Fiduciary Responsibility, health benefit, Health Benefits, health Care, health insurance, Health IT, health plan, Health Plans, HIPAA, Identity Theft, insurance fraud, insurers, Internal Controls, Internal Investigations, Internet, Managed Care, Mental Health Parity, Physician, Plan Admistrator, PPO, prescription drugs, Privacy, Professional Liability, Protected Health Information, Provider, provider contracting, Risk Management, Security, Technology, tpa | Permalink
Posted by Cynthia Marcotte Stamer

DOJ Omnicare/CVS Suit Highlights Potential Pharmacy Benefit Claims Abuse Exposure For Health Plans, Member Safety Risk

December 18, 2019

A civil health care fraud lawsuit filed by the Department of Justice (“DOJ”) in the U.S. District Court for the Southern District of New York today (December 17, 2019) against the nation’s largest long term care pharmacy provider, Omnicare, and its parent, CVS Healthcare Corporation may signal the advisability for insurers, fiduciaries, administrators and sponsors of insured and self-insured health and other benefit plans providing pharmacy benefits to tighten claims and audit past claims payments for prescription drug claims submitted by Omnicare and other CVS pharmacy providers as well as other pharmacy claims to the pharmacy possessed a valid, current prescription to dispense the drug.

Omnicare Complaint Highlights Potential Prescription Drug Fraud By Billing For Filling Expired Prescriptions

In its U.S. ex rel Bassan complaint in intervention (Omnicare and CVS) complaint DOJ joined by 29 states and the District of Colombia filed suit against Omnicare, and its parent company, CVS Healthcare Corporation for damages and civil penalties under the False Claims Act for fraudulently billing federal healthcare programs for hundreds of thousands of non-controlled prescription drugs that DOJ claims Omnicare illegally dispensed to elderly and disabled individuals in assisted living facilities, group homes, independent living communities, and other non-skilled residential long-term care facilities (“LTC facilities”) without a valid, current prescription.. The States of California, Colorado, Connecticut, Delaware, Florida, Georgia, Hawaii, Illinois, Indiana, Iowa, Louisiana, Maryland, Massachusetts, Michigan, Minnesota, Montana, Nevada, New Jersey, New Mexico, New York, North Carolina, Oklahoma, Rhode Island, Tennessee, Texas, Vermont, Virginia, Washington, Wisconsin, and the District Of Columbia are joining the DOJ in the complaint as co-plaintiffs.

Omnicare is the country’s largest provider of pharmacy services to LTC facilities. It currently operates approximately 160 pharmacies in 47 states across the United States, which dispense tens of millions of prescription drugs to LTC facilities that serve elderly and disabled individuals. CVS acquired Omnicare in May 2015, and shortly thereafter assumed an active role in overseeing Omnicare’s operations, including pharmacy dispensing practices and systems.

The DOJ complaint in the Federal District Court in Manhattan, New York charges that Omnicare illegally dispensed and billed the federal government and patients for antipsychotics, anticonvulsants, and antidepressants Omnicare dispensed to elderly and disabled residents in LTC facilities without proper prescriptions. According to the DOJ complaint from 2010 until 2018, Omnicare and CVS allowed Omnicare pharmacies to dispense non-controlled prescription drugs to tens of thousands of elderly and disabled individuals living in LTC facilities based on prescriptions that had expired, were out of refills, or were otherwise invalid. Omnicare repeatedly disregarded prescription refill limitations and expiration dates that required doctor visits to reevaluate whether the drug should be renewed. Instead of requesting new prescriptions when old ones expired, Omnicare allowed prescriptions to “roll over.” At Omnicare, “rolling over” a prescription meant that when a prescription expired, Omnicare’s computer systems would assign the old prescription a new number and the pharmacy would continue to dispense the drug indefinitely without the need for a prescription renewal. Depending on the computer system used, DOJ claims Omnicare also sometimes assigned a fake number of authorized refills to a prescription – usually 99 allowable refills for Medicare patients – to allow for continuous refilling. DOJ claims that Omnicare pharmacies “rolled over” prescriptions for elderly and disabled individuals living in more than 3,000 residential long-term care facilities, including assisted living facilities operated by the largest long-term care providers in the country, such as Brookdale Senior Living, Atria Senior Living, Sunrise Senior Living Services, and Five Star Senior Living. DOJ charges that Omnicare used these practices to refill prescriptions for patients after the required prescription for refill expired for months, and sometimes years, after the prescriptions expired. The complaint alleged that Omnicare internally referred to these renumbered expired prescriptions as “rollover” prescriptions.

Many of the prescription drugs dispensed by Omnicare without valid prescriptions treat serious, chronic conditions, such as dementia, depression, and heart disease. They include antipsychotics, anticonvulsants, cardiovascular medications, anti-depressants, and other drugs that can have dangerous side effects and need to be closely monitored by doctors, particularly when taken in combination with other drugs by elderly patients.

DOJ says these Omnicare practices of illegally dispensing drugs to elderly and disabled individuals living in LTC facilities exposed these vulnerable individuals to a significant risk of harm. In contrast to traditional skilled nursing homes, where residents have access to 24-hour medical care supervised by doctors, assisted living and other non-skilled residential facilities offer more limited medical care, or none at all. In particular, these LTC facilities generally do not have doctors on staff to oversee and monitor residents’ drug therapy. By repeatedly dispensing potent drugs without current and valid prescriptions, Omnicare jeopardized the health and safety of tens of thousands of individuals who continued to take the same drugs for months, and sometimes years, without consulting their doctors to determine whether the medications were still clinically appropriate.

A large percentage of the long-term care residents served by Omnicare are beneficiaries of federal healthcare programs. The complaint charges that along with illegally filling the expired prescriptions, Omnicare knowingly transmitted false information to these federal healthcare programs that made it appear that drug dispensations were supported by current, valid prescriptions from physicians when in fact they were not. By dispensing drugs without valid prescriptions, Omnicare presented, or caused to be presented, hundreds of thousands of false claims to Medicare, Medicaid, and TRICARE that were ineligible for payment in violation of the False Claims Act. In fact, the complaint charges that Omnicare managers exerted pressure on overwhelmed pharmacy staff to fill prescriptions quickly so that Omnicare could submit claims and collect payments on these rollover claims.

Moreover, DOJ says that it possesses evidence that senior management at Omnicare and CVS knew of the practices. The DOJ complaint charges among other things that the Omnicare’s Compliance Department succinctly acknowledged the problem in an internal April 2015 email in which one Regional Compliance Officer stated: “An issue that I am running into more and more in multiple states concerns the ability of our systems to allow prescriptions to continue to roll after a year to a new prescription number without any documentation or pharmacist intervention.” A compliance officer then forwarded the email to the head of Omnicare’s Third Party Audit group, who responded that she had a “potential solution (programmed last year) but no one is rolling it out now.”

In today’s announcement of the lawsuit, Manhattan U.S. Attorney Geoffrey S. Berman said: “As alleged, Omnicare put at risk the health of tens of thousands of elderly and disabled individuals living in assisted living and other residential long-term care facilities by dispensing drugs for months, and sometimes years, without obtaining current, valid prescriptions from doctors. A pharmacy’s fundamental obligation is to ensure that drugs are dispensed only under the supervision of treating doctors who monitor patients’ drug therapies. Omnicare blatantly ignored this obligation in favor of pushing drugs out the door as quickly as possible to make more money. This Office will continue to hold accountable those who put at risk people’s health and safety just to turn a profit.”

Meanwhile, HHS-OIG Special Agent in Charge Scott J. Lampert said: “Failing to consult doctors as to whether prescriptions should be refilled places patients’ health and medical care at serious risk. These automatic rollover refills could have significant consequences for vulnerable people in long term-care facilities. We will continue working with law enforcement partners to protect people depending on these taxpayer-funded government health programs.”

Charges Suggest Potential Advisability For Plan Audit of Prescription Drug Charges To Confirm Supported By Valid Prescription For Dispensed Drugs

The charges made in the complaint filed against Omnicare highlight an area of claims payment eligibility not regularly verified by many pharmacy benefit and other health claims administrators when administering pharmacy benefit claims- the existence of a current valid prescription to support the dispensation of the billed prescription medication. Except for pain management and certain other medications flagged by regulators or benefit systems as subject to heightened abuse risks, many plan administrators regularly take for granted existence of a current, valid script for many common, frequently issued and renewed, low cost prescriptions issued within frequency and other guidelines based upon the assumption that legal and ethical obligations of pharmacists and pharmacies under licensing, Drug Enforcement Agency and other rules generally provides adequate deterrence against abuses like those the DOJ accuses Omnicare of engaging in its complaint. However, growing corporate or other nonprofessional ownership or management of pharmacies and their management coupled with very limited, virtually all complaint driven oversight of federal and state regulatory and ethical agencies is diminishing the frequency and effectiveness of such oversight. As evidenced by the Omnicare complaint, scrupulous pharmacies may leverage opportunities allowed by this limited oversight to dispense and bill for commonly renewed prescription medication without proper orders in a manner that potentially places patients at risk at the expense of plans and their participants, beneficiaries, sponsors and insurers. Plans, insurers, fiduciaries, plan sponsors and administrators concerned about these risks may want to use the Omnicare lawsuit announcement as an opportunity to educate plan members and their caregivers about the importance of monitoring prescriptions, their refills and claims for abuse; audit and encourage plan members and their caregivers of members with claims paid with respect to Omnicare and other pharmacy claims’ and take other steps to assess the adequacy and tighten as appropriate their existing pharmacy benefit review procedures for verification of the existence of a current, valid prescription to mitigate these exposures. These exposures are further heightened by the widespread practice of outsourcing of pharmacy claims to prescription benefit management or other speciality pharmacy claims providers in many health plan designs including vendoirsand service providers owned or managed by parents or related companies of the pharmacy filling and billing for the scripts.

Health plan fiduciaries, administrators and sponsors that discover potential deficiencies in the validity of a prescription or other elements of a received or previously paid prescription benefit or other claim are cautioned to review and follow the applicable ERISA and for insured plans, state insurance, Patient Protection and Affordable Care Act (“ACA”) and contractual claims and appeals timelines and processes. Failure to follow these requirements can undermine the enforceability of plan remedies as well as expose the plan, its insurer or fiduciary to administrative penalties and other liabilities. Additionally, violations of the ACA mandated procedures also in the case of employment based plans also could expose the sponsoring employer or ubnion to liability for self reporting, self-assessment and payment of penalties under Internal Revenue Code Section 6039D. Where relevant regulatory or contractual time periods for denial have already expired either because the claim already was paid or the analysis otherwise was not timely completed in time to meet the deadline, plans may need to rely upon filing health care fraud or other avenues of relief in lieu of attempting to retroactively deny and recoup the questioned amounts in order to avoid violating the ACA and other rules. Plan fiduciaries and administrators also may need to consider the applicability of offering review by an independent medical review organization to fulfill ACA or other similar mandatesfor medical judgement based determinations.

More Information

About the Author

Scribe for the ABA JCEB Annual Agency Meeting with OCR, Vice Chair of the ABA International Section Life Sciences Committee, past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and the ABA RPTE Employee Benefits & Other Compensation Group, Ms. Stamer’s work throughout her 30 plus year career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. As a part of this work, she has continuously and extensively worked with domestic and international hospitals, health care systems, clinics, skilled nursing, long term care, rehabilitation and other health care providers and facilities; medical staff, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; EMR, claims, payroll and other technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, self-insured health and other employee benefit plans, their sponsors, fiduciaries, administrators and service providers, insurers and other payers, health industry advocacy and other service providers and groups and other health and managed care industry clients as well as federal and state legislative, regulatory, investigatory and enforcement bodies and agencies.

About Solutions Law Press, Inc.™

Comments Off on DOJ Omnicare/CVS Suit Highlights Potential Pharmacy Benefit Claims Abuse Exposure For Health Plans, Member Safety Risk | Association Health Plan, Claims, Claims Administration, Corporate Compliance, Employers, ERISA, fiduciary duty, Fiduciary Responsibility, Health Care Fraud, health plan, Health Plans, insurance fraud, pbms, pharmacy, Prescription Drugs, tpa | Tagged: Claims, CVS, ERISA, Health Care, Health Care Fraud, Health Plan, Omnicare, pharmacy, pharmacy benefits | Permalink
Posted by Cynthia Marcotte Stamer

OSHA Gains Power To Get Visas For Certain Non-Citizen Crime Witnesses

More Information

About the Author

About Solutions Law Press, Inc.™

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Travis Nicholson Named New EEOC Dallas District Director

More Information

About the Author

About Solutions Law Press, Inc.™

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

AHRQ Mental Health Mobile Apps Selection Tips

Comment To OCR By 6/6 To Help Shape How OCR Implements HITECH Act Recognized Security Practices Standards For Purposes Of Setting Civil Monetary Penalties Under HIPAA Security Rules.

DOJ Sues To Stop UnitedHealth Acquisition Of Change Health To Protect Employer Plan Innovation & Commercial Health Insurance Market Competition

More Information

About the Author

About Solutions Law Press, Inc.™

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

HIPAA & ERISA Fiduciary Rules Drive Imperative To Protect Health Plan Data & Systems From Hacking & Other Cyber Threats

For Additional Information Or Assistance

About Solutions Law Press, Inc.™

Important Information About This Communication

New Rule Requires Health Plans & Insurers To Report Prescription Drug Data

More Information

About the Author

About Solutions Law Press, Inc.™

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

California Medical Privacy Rules Changed 7/1. https://slphealthcareupdate.com/2021/08/03/california-medical-privacy-rules-eased-new-7-1-2021-rules-allow-greater-flexibility-on-disclosures-a-breach-and-give-agency-more-fine-flexibility-https-www-cdph-ca-gov-programs-ols-cdph%20docume/

New IRS Increased Health FSA Carryover, Gives COVID Health FSA Election Relief

2019 OCR Enforcement Shows Getting Defensibly HIPAA Compliant Necessary In 2020!

DOJ Omnicare/CVS Suit Highlights Potential Pharmacy Benefit Claims Abuse Exposure For Health Plans, Member Safety Risk

Email Subscription

Pages

Recent Posts

Archives

Share this blog

Blogroll

Solutions Law

Solutions Law Press HR & Benefits Update