Trump Executive Order Calls For PBM ERISA Fee Disclosure Rules and Other Prescription Drug Reforms

April 17, 2025

Creating greater transparency of the compensation of prescription benefit management (“PBM”) arrangements used in group health plans covered by the Employee Retirement Income Security Act of 1974 (“ERISA”) is one of many new policy directives President Trump directs federal agencies to pursue to promote lower cost access to prescription drugs under his Executive Order on Lowering Drug Prices By Once Again Putting Americans First (the “Executive Order”) signed April 15, 2025. Employer and union-sponsored health plans, their sponsors, fiduciaries and service providers should carefully track and provide appropriate input to the Department of Labor and other federal agencies charged with implementing the new ERISA transparency requirement and other policy changes directed in the Executive Order. 

ERISA PBM Transparency Requirements

To improve the transparency of compensation received by PBMs working with ERISA-covered group health plans, the Executive Order directs the Department of Labor (“DOL”) to propose regulations to make the fee disclosure requirements of ERISA section 408(b)(2)(B) applicable to PBMs by October 12, 2025.

The Executive Order’s directive to the DOL contemplates that DOL will revise its existing regulations under Section 408(b)(2) to prohibit group health plan fiduciaries from allowing PBMs to directly or indirectly receive compensation for their PBM services unless the PBM discloses its compensation from the arrangement in accordance with the fee disclosure requirements that the Executive Order contemplates DOL will add to ERISA section 408(b)(2).

While DOL regulations have required since 2012 that pension plan service providers disclose direct or indirect compensation under arrangements with ERISA-covered pension plans in order for the service provider compensation to be allowed as “reasonable compensation” under ERISA section 408(b)(2), the fee disclosure requirement currently does not apply to PBMs or other service providers to group health plans or other welfare benefit plan arrangements.

Across the intervening years, concern that the lack of transparency and disclosure allows PBMs to receive excessive compensation and engage in conflicts of interest has led employee benefit industry watchdogs, employer and other plan sponsors, plan members, health care providers and others increasingly to urge the DOL to impose fee disclosure requirements on PBMs and other health and welfare benefit plan service providers. The Executive Order yields to these demands by calling upon the DOL to deem a group health plan’s compensation arrangements with PBMs reasonable only where PBMs disclose direct and indirect compensation, including compensation paid among related parties such as subcontractors, in a manner consistent with current Section 408(b)(2) Regulations.

Other Prescription Drug Reforms

The Executive Order also includes numerous other reform directives beyond calling for DOL to make PBMs subject to ERISA’s fee disclosure rules. These include several directives to HHS and certain other agencies that President Trump intends to lower the cost of prescription drugs within and outside the Medicare program.

Medicare & Other Drug Pricing and Coverage Related Prescription Drug Reforms

Many of the policy directives in the Executive Order seek to reform Medicare and other prescription drug cost and coverage.

By April 15, 2026, for instance, the Executive Order directs HHS to develop a better payment model to improve the ability of the Medicare program to obtain better value for high-cost prescription drugs and biological products covered by Medicare, including those not subject to the Medicare Drug Price Negotiation Program.   

In addition, the Executive Order:   

  • Directs HHS to work with the Congress to modify the Medicare Drug Price Negotiation Program to align the treatment of small molecule prescription drugs with that of biological products so as to end the distortion that undermines relative investment in small molecule prescription drugs, coupled with other reforms to prevent any increase in overall costs to Medicare and its beneficiaries;
  • By June 14, 2025,
    • Requires HHS to propose changes to the Medicare Drug Price Negotiation Program regulations for the initial price applicability year 2028 and manufacturer implementation of maximum fair price under such program in 2026, 2027, and 2028 to improve the transparency of the Medicare Drug Price Negotiation Program, prioritize the selection of prescription drugs with high costs to the Medicare program, and minimize any negative impacts of the maximum fair price on pharmaceutical innovation within the United States;
    • Requires HHS to require health centers receiving Public Health Service Act Section 330(e) grants to establish practices to make insulin and injectable epinephrine available at or below the discounted price paid by the health center grantee or sub-grantee under the 340B Prescription Drug Program (plus a minimal administration fee) to low income individuals who have a high cost-sharing requirement for either insulin or injectable epinephrine; have a high unmet deductible; or have no healthcare insurance;
    • Requires the Assistant to the President for Domestic Policy (“APDP”) in coordination with the Secretary, the Director of the Office of Management and Budget (“OMB Director”), and the Assistant to the President for Economic Policy (“APECP”), to provide recommendations to the President on how best to stabilize and reduce Medicare Part D premiums;
    • Requires the HHS Secretary to publish a plan to conduct a survey under the Site-of-Service Price Transparency rules of Social Security Act Section 1833(t)(14)(D)(ii) to determine the hospital acquisition cost for covered outpatient drugs at hospital outpatient departments and propose appropriate adjustments to align Medicare payment with the cost of acquisition, consistent with the budget neutrality requirements; and
    • Requires HHS to evaluate and propose regulations to ensure that payment within the Medicare program is not encouraging a shift in drug administration volume away from less costly physician office settings to more expensive hospital outpatient departments.

Other Prescription Drug Reforms

In addition to these predominantly Medicare-focused programs, the Executive Order also:

  • Requires the Secretary of Labor to propose regulations pursuant to section 408(b)(2)(B) of the Employee Retirement Income Security Act of 1974 to improve employer health plan fiduciary transparency into the direct and indirect compensation received by pharmacy benefit managers by October 12, 2025;
  • Requires the APDP, in coordination with the HHS Secretary, the OMB Director, and the APECP, to provide recommendations to the President on how best to promote a more competitive, efficient, transparent, and resilient pharmaceutical value chain that delivers lower drug prices for Americans by June 14, 2025;
  • Requires the Food and Drug Administration to streamline and improve the Importation Program under the Federal Food, Drug, and Cosmetic Act to make it easier for States to obtain approval without sacrificing safety or quality;
  • Requires the OMB Director, the APDP, the Assistant to the President for Economic Policy (“APECP”), and the HHS Secretary to provide joint recommendations on how best to ensure that manufacturers pay accurate Medicaid drug rebates consistent with section 1927 of the Social Security Act, promote innovation in Medicaid drug payment methodologies, link payments for drugs to the value obtained, and support States in managing drug spending;
  • Requires the HHS Secretary, through the Commissioner of Food and Drugs, to issue a report providing administrative and legislative recommendations to accelerate approval of generics, biosimilars, combination products, and second-in-class brand name medications; and improve the process through which prescription drugs can be reclassified as over-the-counter medications, including recommendations to optimally identify prescription drugs that can be safely provided to patients over the counter; and
  • Requires HHS, the Department of Justice, the Department of Commerce, and the Federal Trade Commission to conduct listening sessions and issue a report with recommendations to reduce anti-competitive behavior from pharmaceutical manufacturers.

Health plans, their sponsoring employers or unions, fiduciaries, PBM and other service providers, brokers, insurers, auditors, and others involved in the design or oversight of PBM and other group health plan arrangements should monitor closely the DOL and other agency responses to the Executive Order to anticipate and prepare for required changes, as well as to be prepared to identify and timely provide input about proposed rules or other actions to DOL or the otherwise applicable regulatory agency before they are finalized.

The author of this update, Cynthia Marcotte Stamer, is an American College of Employee Benefits Counsel Fellow and attorney board certified in Labor and Employment Law by the Texas Board of Legal Specialization, with decades of experience advising employers and other health plan sponsors, health plans, health plan fiduciaries and administrators, PBMs, health and other insurers, third party administrators, managed care organizations, health plan technology, and other businesses about health plan design, administration, and other compliance, risk management and operational matters. If you have questions or need advice or help evaluating or addressing these or other compliance, risk management, or other concerns, contact her.

About the Author

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Cynthia Marcotte Stamer is an attorney board certified in labor and employment law by the Texas Board of Legal Specialization, management consultant, author, public policy advocate and lecturer sought out by clients and industry and government leaders for her more than 35 years of health, insurance, employment and employee benefits and other industry management work, thought leadership, public policy and regulatory affairs advocacy, coaching, teaching, and publications on health and other employee benefits, health care, insurance, workforce and other risk management and compliance.

Along with her decades of legal and strategic consulting experience, Ms. Stamer also contributes her leadership and experience to many professional, civic and community organizations. Along with currently serving as Co-Chair of the ABA Real Property Trusts and Estates (“RPTE”) Section Welfare Plan Committee, Co-Chair of the ABA International Section International Employment Law Committee and its Annual Meeting Program Planning Committee, Chair Emeritus and Vice Chair of the ABA Tort Trial and Insurance (“TIPS”) Section Medicine and Law Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee, her previous ABA leadership roles include more than a decade of service as a Scribe for the Joint Committee on Employee Benefits (“JCEB”) annual agency meetings with the Department of Health and Human Services and JCEB Council Representative, International Section Life Sciences Committee Chair, RPTE Section Employee Benefits Group Chair and a Substantive Groups Committee Member, Health Law Section Managed Care & Insurance Interest Group Chair, as TIPS Section Medicine and Law Committee Chair and Employee Benefits Committee and Workers Compensation Committee Vice Chair, Tax Section Fringe Benefit Committee Chair, and in various other ABA leadership capacities. Ms. Stamer also is a former Southwest Benefits Association Board Member and Continuing Education Chair, SHRM National Consultant Board Chair and Region IV Chair, Dallas Bar Association Employee Benefits Committee Chair, former Texas Association of Business State, Regional and Dallas Chapter Chair, a founding board member and Past President of the Alliance for Healthcare Excellence, as well as in the leadership of many other professional, civic and community organizations. 
She also is recognized for her contributions to strengthening health care policy and charitable and community service resolving health care challenges performed under PROJECT COPE Coalition For Patient Empowerment initiative and many other pro bono service involvements locally, nationally and internationally. 

Ms. Stamer is the author of many highly regarded works published by leading professional and business publishers, the ABA, the American Health Lawyers Association, and others. Ms. Stamer also frequently speaks and serves on the faculty and steering committee for many ABA and other professional and industry conferences and conducts leadership and industry training for a wide range of organizations. 

For more information about Ms. Stamer or her health industry and other experience and involvements, see http://www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press™

Solutions Law Press™ provides health care, insurance, human resources and employee benefit, data and technology, regulatory and operational performance, and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education. These include extensive resources on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested in reviewing some of our other Solutions Law Press™ resources or training.

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or an admission. Solutions Law Press and its authors reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often rapidly evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. Solutions Law Press and its authors disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2025 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press.™ For information about licensing for republication, please contact the author directly. All other rights reserved.


6th Risk Analysis Settlement & Other OCR Actions Warn Health Plans & Other HIPAA-Regulated Entities To Tighten Risk Analysis

April 14, 2025

The $350,000 paid by Northeast Radiology, P.C. (“NERAD”) provides the latest warning to health plans, health care providers, healthcare clearinghouses (“Covered Entities”) and their business associates (collectively “Regulated Entities”) that they risk costly fines and other costs for failing to maintain the up-to-date risk assessments required by the Health Insurance Portability & Accountability Act (“HIPAA”).

Following up on the five other previous Risk Analysis Initiative enforcement actions and settlements recently announced by the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) and OCR’s publication of proposed rules to significantly tighten HIPAA’s Risk Analysis and other requirements, the settlement with medical imaging center NERAD sends a strong warning to health plans and other Regulated Entities to clean up and strengthen their Risk Analysis and other HIPAA Security Rule compliance.

$350,000 NERAD Risk Analysis Settlement Latest Product Of New Enforcement Initiative

The sixth Risk Analysis Initiative enforcement action announced by OCR in recent months, the NERAD settlement resolves an OCR Risk Analysis Initiative enforcement action arising from OCR’s investigation of a breach of ePHI stored on NERAD’s Picture Archiving and Communication System (“PACS”) server for storing, retrieving, managing, and accessing radiology images.

OCR initiated its investigation of NERAD after receiving a NERAD breach report about a breach of unsecured ePHI in March 2020. NERAD reported that between April 2019 and January 2020, unauthorized individuals accessed radiology images stored on NERAD’s PACS server. NERAD notified the 298,532 patients whose information was potentially accessible on the PACS server of this breach. OCR’s investigation found that NERAD had failed to conduct an accurate and thorough Risk Analysis to determine the potential risks and vulnerabilities to the ePHI in NERAD’s information systems.

To avoid potentially much greater HIPAA civil monetary penalties under the terms of the resolution agreement, NERAD paid OCR $350,000 and agreed to implement a corrective action plan that OCR will monitor for two years. Under the corrective action plan, NERAD will take steps to improve its compliance with the HIPAA Security Rule and protect the security of ePHI, including:

  • Conducting an accurate and thorough Risk Analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI;
  • Developing and implementing a risk management plan to address and mitigate security risks and vulnerabilities identified in its Risk Analysis;
  • Developing and implementing a written process to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports;
  • Developing, maintaining, and revising, as necessary, its written policies and procedures to comply with the HIPAA Rules; and
  • Augmenting its existing HIPAA and security training program to all of its workforce members who have access to PHI.

OCR Turns Up Heat On HIPAA Risk Analysis Requirements & Enforcement

The HIPAA Privacy, Security, and Breach Notification Rules set forth the requirements that Regulated Entities must follow to protect the privacy and security of protected health information. Since the HIPAA Security Rule first took effect, risk analysis is one of the four required implementation specifications the Security Rule requires to fulfill its Security Management Process Standard’s requirement that regulated entities “[i]mplement policies and procedures to prevent, detect, contain, and correct security violations.” 

Written Risk Analysis Longstanding Requirement

Although OCR only recently formally adopted a Risk Analysis Initiative, OCR’s regulatory guidance and enforcement actions have communicated clearly the necessity for each Regulated Entity to possess and maintain an adequate documented Risk Analysis.  OCR guidance since has required Regulated Entities to conduct and document the required Risk Analysis to safeguard ePHI and avoid liability under the HIPAA Rule.  The importance of fulfillment of the Risk Analysis requirement is driven home by OCR’s recent identification of Risk Analysis inadequacies as a basis for its assessment of civil monetary penalties or required resolution payments to settle HIPAA Security Rule violations following a breach of ePHI. 

While the Security Rule does not currently dictate how frequently a regulated entity must perform Risk Analysis, a proposed rule published by OCR on December 27, 2024 seeks to amend the existing Security Rule to expand the requirement to require regulated entities to develop and revise a technology asset inventory and a network map that illustrates the movement of ePHI throughout the regulated entity’s electronic information system(s) on an ongoing basis, at least once every 12 months and in response to a change in the regulated entity’s environment or operations that may affect ePHI.  Although OCR has not adopted this and other changes contained in the proposed rule, substantial evidence exists that it already regularly administers the Risk Analysis requirement with the expectation that regulated entities will perform Risk Analysis at least this frequently. For instance, current OCR resolution agreements require impacted organizations to conduct Risk Analysis to identify and address vulnerabilities at least annually, and more frequently as needed in response to signs of potential breach or susceptibility.

To fulfill the “Risk Analysis” implementation specification, the Security Management Process Standard requires Regulated Entities to maintain appropriate administrative, physical, and technical safeguards for the confidentiality, integrity, and security of electronic protected health information (“ePHI”) based on an up-to-date, accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by that organization (“Risk Analysis”).

The Security Rule requires Regulated Entities to document each Risk Analysis in writing, to maintain their Risk Analysis documentation for six years, and to make available Risk Analysis documentation to OCR upon request.

Among other things, the Risk Analysis implementation standard requires regulated entities adequately to:

  • Identify where ePHI is located in the organization, including how ePHI enters, flows through, and leaves the organization’s information systems.
  • Integrate Risk Analysis and risk management into the organization’s business processes.
  • Ensure that audit controls are in place to record and examine information system activity.
  • Implement regular reviews of information system activity.
  • Utilize mechanisms to authenticate information to ensure only authorized users are accessing ePHI.
  • Encrypt ePHI in transit and at rest to guard against unauthorized access to ePHI when appropriate.
  • Incorporate lessons learned from incidents into the organization’s overall security management process.
  • Provide workforce members with regular HIPAA training that is specific to the organization and to the workforce members’ respective job duties.

OCR Heightens Risk Analysis Enforcement While Proposing Heightened Risk Analysis And Other Security Requirements

The proposed rule published by OCR on December 27, 2024 seeks to significantly broaden these original requirements of the Risk Assessment implementation standard. Among other things, the proposed rule would:

  • Require the development and revision of a technology asset inventory and a network map that illustrates the movement of ePHI throughout the regulated entity’s electronic information system(s) on an ongoing basis, at least once every 12 months and in response to a change in the regulated entity’s environment or operations that may affect ePHI.
  • Require greater specificity for conducting a risk analysis, including a written assessment that contains, among other things:
    • A review of the technology asset inventory and network map;
    • Identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI;
    • Identification of potential vulnerabilities and predisposing conditions to the regulated entity’s relevant electronic information systems; and
    • An assessment of the risk level for each identified threat and vulnerability, based on the likelihood that each identified threat will exploit the identified vulnerabilities.

Other changes included in the proposed rule would further heighten the Risk Analysis and other Security Standard requirements for Regulated Entities. For instance, the proposed rule would require Regulated Entities:

  • To establish written procedures to restore the loss of certain relevant electronic information systems and data within 72 hours;
  • To perform an analysis of the relative criticality of their relevant electronic information systems and technology assets to determine the priority for restoration;
  • To establish written security incident response plans and procedures documenting how workforce members are to report suspected or known security incidents and how the regulated entity will respond to suspected or known security incidents;
  • To implement written procedures for testing and revising written security incident response plans;
  • To conduct a compliance audit at least once every 12 months to ensure their compliance with the Security Rule requirements;
  • To require business associates to verify at least once every 12 months for covered entities (and that business associate contractors verify at least once every 12 months for business associates) that they have deployed technical safeguards required by the Security Rule to protect ePHI through a written analysis of the business associate’s relevant electronic information systems by a subject matter expert and a written certification that the analysis has been performed and is accurate;
  • To encrypt ePHI at rest and in transit, with limited exceptions;
  • To establish and deploy technical controls for configuring relevant electronic information systems, including workstations, in a consistent manner including deployment of anti-malware protection, removal of extraneous software, and disabling network ports in accordance with the regulated entity’s risk analysis;
  • To use multi-factor authentication, with limited exceptions;
  • To conduct vulnerability scanning at least every six months and penetration testing at least once every 12 months;
  • To implement network segmentation;
  • To maintain separate technical controls for backup and recovery of ePHI and relevant electronic information systems;
  • To review and test the effectiveness of certain security measures at least once every 12 months, in place of the current general requirement to maintain security measures;
  • Business associates to notify covered entities (and subcontractors to notify business associates) upon activation of their contingency plans without unreasonable delay, but no later than 24 hours after activation;
  • Group health plans to include in their plan documents requirements for their group health plan sponsors to: comply with the administrative, physical, and technical safeguards of the Security Rule; ensure that any agent to whom they provide ePHI agrees to implement the administrative, physical, and technical safeguards of the Security Rule; and notify their group health plans upon activation of their contingency plans without unreasonable delay, but no later than 24 hours after activation.

To help Regulated Entities understand and fulfill these responsibilities, OCR alone and in conjunction with the Office of the National Coordinator for Health Information Technology (“ONC”) also has published guidance like the HIPAA Security Risk Assessment (SRA) Tool. OCR guidance reflects that completing the Tool may help Regulated Entities defend, but does not guarantee, their fulfillment of the Risk Assessment requirements, as the adequacy of the Risk Assessment always depends upon the unique facts and circumstances of the Regulated Entity at a particular time. This guidance confirms the importance of conducting timely and appropriate Risk Analysis in a manner that shows the Regulated Entity appropriately evaluated the risks to its ePHI and acted reasonably in designing, administering, and updating that Risk Analysis to reasonably defend its ePHI against breaches or other susceptibilities.

Recommended Actions For Health Plans & Other HIPAA-Regulated Entities

With the continued explosion in ransomware and other cyberthreats heightening the risk of experiencing a breach or other incident likely to draw the attention of OCR, each health plan or other Regulated Entity should assess and confirm the adequacy of its current Risk Analysis, both to protect its ePHI and to promote its ability to defend its compliance with the HIPAA Security Rule’s Risk Analysis and other requirements in light of OCR’s heightened emphasis on Risk Analysis compliance and enforcement. For purposes of conducting this analysis, Regulated Entities generally will want to use a process like the following to structure their evaluation of their existing Risk Analysis to take advantage of the opportunity to use attorney-client privilege and other evidentiary rules to help protect discoverability of sensitive discussions about possible deficiencies in their existing Risk Analysis and discussions about potential tradeoffs considered in current or future Risk Analysis response:

  • Engage legal counsel experienced with HIPAA and other cybersecurity-related risks and liabilities to advise and assist your organization in designing and administering your Risk Analysis processes and response within the scope of attorney-client privilege;
  • Appoint and designate leadership and technical leadership for the team responsible for design and administration of your organization’s initial and ongoing cybersecurity Risk Analysis and response (“Cyber-Risk Team”) and a process for board and senior management reporting of the Cyber-Risk Team;
  • Select and engage outside consulting service providers, cyber-liability insurers and other risk service providers expected to participate in the process; work with qualified legal counsel to contract with these business associates to include the business associate agreement and other reassurances required by the HIPAA Privacy, Security and Breach Notification Rule and other performances, cooperation to provide and back services in accordance with agreed-upon protocols in the contract;
  • Train the Cyber-Risk Team in the appropriate processes for working with internal teams, outside service providers, leadership, and designated legal counsel to conduct Risk Analysis, investigation and response using attorney-client privilege and other evidentiary tools and processes to maximize defensibility;
  • Require the Cyber-Risk Team to conduct an updated, documented assessment of cyber-risk within the scope of attorney-client privilege and work with legal counsel to develop a documented cyber-risk policy that captures analysis and determinations for your justification for the size, scope and timing of your periodic Risk Analysis and rules and processes for interim risk identification, reassessments and response in reaction to potential cyber-risk signs between periodic Risk Analysis for presentation and approval by the Board taking into account the insights from published final and proposed guidance, enforcement actions and industry standards;
  • Require, oversee and enforce the Cyber-Risk Team’s documented administration of the initial and subsequently required Risk Analysis and response pursuant to the adopted cyber-risk policy to identify vulnerabilities and work with legal counsel within the scope of privilege to document your analysis and justifications for addressing identified vulnerabilities and other required actions in response to identified susceptibilities or events;
  • Review adequacy of incident detection and response arrangements, including reporting and response mechanisms, insurance and indemnification protection, and other critical elements for mitigation and recovery; and
  • Other actions as warranted based on advice of counsel taking into account emerging threats, guidance, and risk susceptibility.

The author of this update, Cynthia Marcotte Stamer, is an American College of Employee Benefits Counsel Fellow and attorney board certified in Labor and Employment Law by the Texas Board of Legal Specialization, nationally known and celebrated for her experience providing advice and representation on HIPAA and other risk management and compliance to employers and other health plan sponsors, health plans, health plan fiduciaries and administrators, health and other insurers, third party administrators, health care and other managed care providers and organizations, human resources and health plan technology, and other businesses about health plan design, administration, and other compliance, risk management and operational matters. If you have questions or need advice or help evaluating or addressing these or other compliance, risk management, or other concerns, contact her.

For More Information

We hope this update is helpful. For more information about these or other health or other employee benefits, human resources, or health care developments, please contact the author, Cynthia Marcotte Stamer, via e-mail or telephone at (214) 452-8297.

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Cynthia Marcotte Stamer is an attorney board certified in labor and employment law by the Texas Board of Legal Specialization, management consultant, author, public policy advocate and lecturer sought out by clients and industry and government leaders for her more than 35 years of health, insurance, employment and employee benefits and other industry management work, thought leadership, public policy and regulatory affairs advocacy, coaching, teaching, and publications on health and other employee benefits, health care, insurance, workforce and other risk management and compliance.

Along with her decades of legal and strategic consulting experience, Ms. Stamer also contributes her leadership and experience to many professional, civic and community organizations. Along with currently serving as Co-Chair of the ABA Real Property Trusts and Estates (“RPTE”) Section Welfare Plan Committee, Co-Chair of the ABA International Section International Employment Law Committee and its Annual Meeting Program Planning Committee, Chair Emeritus and Vice Chair of the ABA Tort Trial and Insurance (“TIPS”) Section Medicine and Law Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee, her previous ABA leadership roles include more than a decade of service as a Scribe for the Joint Committee on Employee Benefits (“JCEB”) annual agency meetings with the Department of Health and Human Services and JCEB Council Representative, International Section Life Sciences Committee Chair, RPTE Section Employee Benefits Group Chair and a Substantive Groups Committee Member, Health Law Section Managed Care & Insurance Interest Group Chair, as TIPS Section Medicine and Law Committee Chair and Employee Benefits Committee and Workers Compensation Committee Vice Chair, Tax Section Fringe Benefit Committee Chair, and in various other ABA leadership capacities. Ms. Stamer also is a former Southwest Benefits Association Board Member and Continuing Education Chair, SHRM National Consultant Board Chair and Region IV Chair, Dallas Bar Association Employee Benefits Committee Chair, former Texas Association of Business State, Regional and Dallas Chapter Chair, a founding board member and Past President of the Alliance for Healthcare Excellence, as well as in the leadership of many other professional, civic and community organizations. 
She also is recognized for her contributions to strengthening health care policy and charitable and community service resolving health care challenges performed under PROJECT COPE Coalition For Patient Empowerment initiative and many other pro bono service involvements locally, nationally and internationally.

Ms. Stamer is the author of many highly regarded works published by leading professional and business publishers, the ABA, the American Health Lawyers Association, and others. Ms. Stamer also frequently speaks and serves on the faculty and steering committee for many ABA and other professional and industry conferences and conducts leadership and industry training for a wide range of organizations.

For more information about Ms. Stamer or her health industry and other experience and involvements, see http://www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press™

Solutions Law Press™ provides health care, insurance, human resources and employee benefit, data and technology, regulatory and operational performance, and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education. These include extensive resources on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested in reviewing some of our other Solutions Law Press™ resources or training.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or an admission. Solutions Law Press and its authors reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often rapidly evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. Solutions Law Press and its authors disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2025 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press.™ For information about licensing for republication, please contact the author directly. All other rights reserved.


I-9 & E-Verify Updates Announced

April 9, 2025

Employers should take note of recent changes made by the Citizenship and Immigration Services to the Form I-9, Employment Eligibility Verification and the Department of Homeland Security (“DHS”) Privacy Notice. While the updates don’t require employers to adopt the new I-9 Form until other current forms expire or are revoked, employers should know the changes to ease the administration of their I-9 requirements.

Form I-9

The revised Form I-9 with edition date 01/20/25 and expiration date 05/31/2027 includes minor changes to Form I-9 to align with statutory language.

Key updates include: 

  • Renaming the fourth checkbox in Section 1 to “An alien authorized to work” 
  • Revising the descriptions of two List B documents in the Lists of Acceptable Documents 
  • Adding appropriate statutory language and a revised DHS Privacy Notice to the instructions.

While the revised Form I-9 with an edition date 01/20/25 is now available for download, multiple previous editions remain valid until their respective expiration dates: 

  • Form I-9 (08/01/23 edition) that is valid until 05/31/2027 
  • Form I-9 (08/01/23 edition) that is valid until 07/31/2026 (Employers using this form must update their electronic systems with the 05/31/2027 expiration date by July 31, 2026.) 

E-Verify

Also, starting April 3, 2025, E-Verify and E-Verify+ will have updated the Citizenship Status selection during case creation to reflect this statutory language. The selection “A noncitizen authorized to work” will be updated to “An alien authorized to work.” 

Employers should note: 

  • If an employee attests on Form I-9 as “A noncitizen authorized to work,” the employer must select “An alien authorized to work” in E-Verify. 
  • E-Verify cases will display “An alien authorized to work,” while employees and employers may continue to see “A noncitizen authorized to work” on Form I-9, depending on the form edition being used. 
  • E-Verify+ participants will see the updated 01/20/25 edition date and 05/31/2027 expiration date reflected in Form I-9NG. 

Additionally, E-Verify users creating cases through Web Services applications will see the employee status attestation automatically updated to “An alien authorized to work”—even if the WS application submits “A noncitizen authorized to work” if the employee selected citizenship status number four on Form I-9. 

This change does not affect the current Interface Control Agreement (ICA) version 31.1, which already provides the necessary guidance for Web Services developers. WS developers should update their platforms to transmit “An alien authorized to work” instead of “A noncitizen authorized to work” as soon as possible.

The author of this update, Cynthia Marcotte Stamer, is an attorney board certified in Labor and Employment Law by the Texas Board of Legal Specialization, with decades of experience advising employers and others about I-9 and other workforce, employee benefits, compensation, performance management, reengineering and other compliance, risk management and operational matters. If you have questions or need advice or help evaluating or addressing these or other compliance, risk management, or other concerns, contact her.



Brokerage President & Marketing Company CEO Indicted In $161M ACA Enrollment Fraud Scheme

March 17, 2025

Mansfield, Texas resident Steven Strong and Florida resident Cory Lloyd face up to 20-year prison sentences if convicted on federal criminal health care fraud charges for their alleged participation in a scheme to submit fraudulent enrollments to fully subsidized Patient Protection & Affordable Care Act insurance plans (“ACA plans”).

ACA plans offer eligible enrollees tax credit subsidies paid by the federal government directly to insurance plans in the form of a payment toward the applicable monthly premium.

According to court documents, Lloyd and Strong conspired to enroll consumers in ACA plans that were fully subsidized by the federal government by submitting false and fraudulent applications for individuals whose income did not meet the minimum requirements to be eligible for the subsidies.

President of a health insurance brokerage, Lloyd allegedly received commission and other payments from an insurance company in exchange for enrolling consumers in the ACA plans.

In turn, Lloyd allegedly paid commissions to marketing company chief executive officer Strong in exchange for consumer referrals.

As alleged in the indictment, Lloyd and Strong targeted vulnerable, low-income individuals experiencing homelessness, unemployment, and mental health and substance abuse disorders, and, through “street marketers” working on their behalf, sometimes offered bribes to induce those individuals to enroll in subsidized ACA plans. Marketers working for Strong’s company allegedly coached consumers on how to respond to application questions to maximize the subsidy amount and provided addresses and social security numbers that did not match the consumers purportedly applying.

As a result of being enrolled in subsidized ACA plans for which they did not qualify, some of these consumers experienced disruptions in their medical care.

The indictment alleges that Lloyd and Strong used misleading sales scripts and other deceptive sales techniques to convince consumers to state that they would attempt to earn the minimum income necessary to qualify for a subsidized ACA plan, even when the consumer initially projected having no income.

Lloyd and Strong also allegedly conspired to bypass the federal government’s attempts to verify income and other information.

Lloyd and Strong allegedly engaged in the scheme to maximize the commission payments they received from insurers, resulting in their companies’ receiving millions of dollars in commissions.

As alleged in the indictment, Lloyd and Strong’s scheme caused the federal government to pay at least $161,900,000 in subsidies.

Cory Lloyd and Steven Strong are each charged with conspiracy to commit wire fraud, three counts of wire fraud, conspiracy to defraud the United States, and two counts of money laundering. If convicted, each faces a maximum penalty of 20 years in prison on each count of conspiracy to commit wire fraud and wire fraud, five years in prison for conspiracy to defraud the United States, and 10 years in prison for each count of money laundering.

The author of this update, Cynthia Marcotte Stamer, is an American College of Employee Benefits Counsel Fellow and attorney board certified in Labor and Employment Law by the Texas Board of Legal Specialization, with decades of experience advising employers and other health plan sponsors, health plans, health plan fiduciaries and administrators, health and other insurers, third party administrators, managed care organizations, health plan technology, and other businesses about health plan design, administration, and other compliance, risk management and operational matters. If you have questions or need advice or help evaluating or addressing these or other compliance, risk management, or other concerns, contact her.



Construction Company Owner Gets 4 Year Prison Sentence For OSHA, Employment Tax & Worker’s Comp Fraud Involving Undocumented Alien Workers

March 17, 2025

A Florida construction company owner will serve 48 months in prison, forfeit more than $5.5 million as well as numerous real properties and cash, and pay over $55 million in restitution for conspiracy to commit wire fraud, conspiracy to defraud the United States and willful violation of a workplace standard that resulted in the death of an undocumented alien employee and other payroll tax, safety and other fraud.

According to court documents, Manual Domingos Pita owned and operated Domingos 54 Construction, a subcontracting business for the wood framing of new construction homes. Domingos 54 was a shell construction company that Pita used to provide workers, including undocumented aliens, with construction jobs. However, Pita failed to secure the required workers compensation insurance coverage for these employees by falsifying in worker’s compensation insurance applications the number of workers for which he sought coverage. In addition, Pita failed to pay any federal employment taxes on the wages that these workers earned during the course of the scheme between 2018 and 2022. As a result, Pita caused several worker’s compensation insurance companies to sustain a loss of over $22.7 million in premiums that they could have charged had they been aware of the number of workers which they had been manipulated into covering with their policies.

In addition, Pita failed to pay to the IRS over $33.7 million in federal employment taxes on those workers’ wages.

Between February and July 2019, investigators with the Occupational Safety and Health Administration (“OSHA”) issued six citations to Domingos 54 for failure to provide fall protection to workers. Even after being cited for these violations, Pita continued to ignore OSHA requirements. In March 2020, Pita assigned a worker and three other carpenters to install sheeting on the roof of a residential home in windy conditions without providing the required fall-protection gear or ensuring its use. As a result, one of the workers was blown off the roof and died from his injuries.

Pita pleaded guilty to the charges on July 9, 2024. The federal district court sentenced him on February 20, 2025.

“The defendant in this case engaged in a deliberate scheme to defraud insurance companies, the government and evade taxes, resulting in huge losses to the U.S. Treasury, and to personally enrich himself,” said Acting U.S. Attorney for the Middle District of Florida Sara C. Sweeney. “In addition, flagrant violations of OSHA safety standards put workers at unacceptable risk, ultimately resulting in the death of an employee. My office is committed to federally prosecuting and holding accountable anyone who violates these laws and regulations.”

“Not only does this type of scheme give an illegal advantage over honest competitors, it intends to allow the use of illegal, undocumented labor to achieve that advantage,” said Special Agent in Charge Ron Loecker of IRS Criminal Investigation’s Tampa Field Office. “It’s a blatant form of cheating that undercuts fair competition, costs the government millions of dollars in tax revenue, and skirts our nation’s immigration laws. This case reaffirms our unwavering commitment to prosecuting those who engage in fraud at the expense of workers, taxpayers, and law-abiding businesses.”

The prosecution and conviction remind construction and other business operators that the Justice Department and federal law enforcement agencies investigate and prosecute payroll tax, safety, worker’s compensation and other crimes by employers even when the impacted workers are undocumented aliens.

For Help With Investigations, Policy Updates Or Other Needs

If your organization would like to learn more about the concerns discussed in this update or seeks assistance auditing, updating, administering or defending its human resources, compensation, benefits, corporate ethics and compliance practices, or other work force or performance-related concerns, please contact management attorney and consultant Cynthia Marcotte Stamer.

An attorney Board-Certified in Labor and Employment Law by the Texas Board of Legal Specialization and American College of Employee Benefits Counsel Fellow, Ms. Stamer’s workforce and other management work, public policy leadership and advocacy, coaching, teachings, scholarship and thought leadership on helping organizations and leaders manage their internal and external workforce, employee benefits and compensation, regulatory compliance and governmental affairs and other legal and operational practices and risk have earned her recognition as a Fellow in the American College of Employee Benefits Counsel, a “Top Woman Lawyer,” “Top Rated Lawyer,” and “LEGAL LEADER™” in Labor and Employment Law and Health Care Law; a “Best Lawyers” in “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” and numerous other honors.

For more than 35 years, Ms. Stamer’s work has advised businesses and business leaders about enhancing the effectiveness and defensibility of their operations using employment and other workforce and services management, employee benefits, compensation, performance management, contracting, Federal Sentencing Guideline and other compliance and risk management, investigations, and other legal and operational tools and solutions. While helping businesses define and manage the conduct and performance of their employees, contractors and vendors, she also assists employers and others with compliance with federal and state equal employment, compensation, health and other employee benefits, workplace safety, leave, employment tax, and other labor and employment, privacy and data security, and other laws; advises and assists management to monitor and reengineer workforce, employee benefits, compensation, safety and other policies and practices in response to regulatory, business, economic, and other developments; advises and defends businesses against labor and employment, employee benefit, wage and hour and other compensation, employment tax, fraud, Federal Sentencing Guideline and other regulatory compliance by the Department of Labor agencies, Department of Justice, Securities and Exchange Commission, Federal Trade Commission, Office of Federal Contracts and Compliance, and other federal agencies; state Departments of Labor and other federal agencies; state workforce and labor, safety, workers’ compensation and other agencies; and employees, contractors, employee benefit plan participants and vendors, and others.

A former lead consultant to the Government of Bolivia on its social security privatization policy with decades of domestic and international government affairs and public policy experience, Ms. Stamer also has extensive experience providing advice to organizations, Congress and state legislators, federal and state regulators, and others about workforce, education, employee benefits, safety, health, insurance and other public policy concerns.

A prolific author and highly sought out thought leader, Ms. Stamer also speaks, coaches management and publishes extensively on these and other related matters.

For additional information about Ms. Stamer and her experience or to access other publications by Ms. Stamer see here or contact Ms. Stamer directly.


NOTICE: These materials are for general informational and educational purposes only. They do not establish an attorney-client relationship, are not legal advice, a substitute for legal advice, an offer or commitment to provide legal advice or an admission. The information and statements in these materials may not address all relevant issues or apply to any particular situation or circumstances. The author reserves the right to qualify or retract any of these statements at any time. Because the law evolves, subsequent developments could impact the currency and completeness of this discussion. The author disclaims and has no responsibility to provide any update or otherwise notify anyone of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers are urged to engage competent legal counsel for consultation and representation at any time, considering the specific facts and circumstances presented in their unique circumstances. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from using this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access to this publication. Circular 230 Compliance. The following disclaimer is included to comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein. ©2025 Cynthia Marcotte Stamer. All rights reserved.


Expect Key Trump Labor Department Policy Rollout To Accelerate As Labor Secretary & Other New Leaders Start Work

March 14, 2025

Employers should prepare for a wave of U.S. Department of Labor (“Labor Department”) guidance and other actions defining and implementing President Trump’s labor and employment policy agenda as new Labor Secretary Chavez-DeRemer and several key politically appointed Labor Department agency leaders took office this week. Employers and contractors impacted by Labor Department rules and enforcement should monitor Labor Department developments for policy or enforcement changes impacting their workforce policies and prepare to respond quickly to new developments.

Secretary of Labor Chavez-DeRemer

Chavez-DeRemer was sworn in as the new Secretary of Labor on Tuesday, March 11, after the U.S. Senate confirmed her nomination by a vote of 67-32 on March 10. Prior to her nomination by President Trump, Chavez-DeRemer served in the House of Representatives for the 5th Congressional District of Oregon, where she served on the House Education and the Workforce Committee. While in Congress, Chavez-DeRemer’s backing for legislation that included provisions easing barriers to union organization earned her a pro-labor reputation that won support for her nomination from Democrat Senators Michael Bennet (D-Colo.), Catherine Cortez-Masto (D-Nev.), Ruben Gallego (D-Ariz.), Maggie Hassan (D-N.H.), John Hickenlooper (D-Colo.), Tim Kaine (D-Va.), Mark Kelly (D-Ariz.), Amy Klobuchar (D-Minn.), Jon Ossoff (D-Ga.), Gary Peters (D-Mich.), Jacky Rosen (D-Nev.), Adam Schiff (D-Calif.), Jeanne Shaheen (D-N.H.), Elissa Slotkin (D-Mich.), Mark Warner (D-Va.), Raphael Warnock (D-Ga.), and Sheldon Whitehouse (D-R.I.) and opposition from Republican Senators Ted Budd (R-N.C.), Mitch McConnell (R-Ky.), and Rand Paul (R-Ky.).

In a memorandum reportedly sent to agency heads within the Department of Labor, Chavez-DeRemer embraced the directives of President Trump’s Department of Government Efficiency (“DOGE”) and instructed department heads to move quickly to review budgets and identify opportunities for cost savings by eliminating wasteful contract spending, cutting redundancies and cutting low-performing employees, a source told Fox News Digital.

Other Labor Department Agency Heads Starting Work This Week

On March 13, the Department of Labor announced the following political appointees are joining the Department’s leadership team:

Bureau of International Labor Affairs

John Clark will serve as policy advisor to the Bureau of International Labor Affairs. Most recently, he worked on trade, transportation, and China policy matters at a Washington, D.C.-based industry association. Clark is a graduate of the University of Hawaii at Manoa William S. Richardson School of Law and Florida State University. 

Employment and Training Administration

Amy Simon will serve as principal deputy assistant secretary of the Employment and Training Administration. Previously, Simon was founder and owner of the boutique consulting firm, Simon Advisory. From 2019 to 2021, she served as chief of staff and acting deputy assistant secretary for the Employment and Training Administration in the first Trump Administration.

Marek Laco will serve as the agency’s chief of staff. Most recently, Laco led workforce development policy as a staff member for the Committee on Education and the Workforce in the U.S. House of Representatives. He has worked for several members of Congress and spent time at the U.S. Department of Education during the first Trump Administration before serving as deputy chief of staff for Rep. Elise Stefanik. 

Occupational Safety and Health Administration

Amanda Wood Laihow will serve as the deputy assistant secretary for the U.S. Occupational Safety and Health Administration. Most recently, she served as a commissioner to the U.S. Occupational Safety and Health Review Commission during the first Trump Administration. Wood Laihow was the director of labor and employment policy for the National Association of Manufacturers and served as deputy general counsel on the U.S. Senate Homeland Security and Governmental Affairs Committee and as an assistant general counsel at the U.S. General Services Administration. Wood Laihow holds a J.D. from the University of Maine School of Law and her B.A. in Political Science from the University of New Hampshire. 

Michael Asplen will serve as OSHA’s senior policy advisor. He previously served as chief counsel to Commissioner Laihow at the Occupational Safety and Health Review Commission. Before that, he was a counsel at the Consumer Product Safety Commission, managed Littler Mendelson’s Workplace Policy Institute, and was a policy associate at the National Association of Manufacturers. Asplen earned his B.A. in English at St. Mary’s College of Maryland and his J.D. from the Catholic University of America Columbus School of Law.

Office of Congressional and Intergovernmental Affairs

Joe MacFarlane will serve as senior legislative officer for the department’s Office of Congressional and Intergovernmental Affairs. Most recently, he served as legislative director for Secretary Chavez-DeRemer during her tenure in the U.S. House of Representatives, where he focused on managing the day-to-day legislative operations and team. Before that, he served as legislative assistant for Rep. Rick Crawford focusing on agricultural issues, and as legislative correspondent/staff assistant for the late Rep. Jackie Walorski. A Rochester, New York native, MacFarlane holds bachelor’s degrees in Political Science and International Affairs from the University of Georgia.

Office of Disability Employment Policy

Brian Walsh will serve as a senior policy advisor in the Office of Disability Employment Policy. Before this appointment, he was a labor policy advisor with the Senate Committee on Health, Education, Labor, and Pensions. Walsh served at the White House in the first Trump Administration and the Department of Labor. He holds a B.A. in Political Science from the University of New Orleans and a Master of Public Policy from George Mason University.

Office of Labor-Management Standards

Elisabeth Messenger will serve as director of the department’s Office of Labor-Management Standards. Most recently, she served as executive director of Gevura Fund. She has also held leadership positions at non-profit organizations focused on advancing free market policies and protecting the First Amendment rights of public employees as well as positions with several technology companies. After earning her B.A. in Journalism from the University of South Carolina, her career began in the publicity department of Atlantic Records. 

Office of Public Affairs

Courtney Parella will serve as deputy assistant secretary in the department’s Office of Public Affairs. After driving messaging strategy for members of Congress and the Committee on House Administration, she worked on President Trump’s 2020 re-election campaign and at the National Republican Congressional Committee. Most recently, she served as the director of communications for Congressional Leadership Fund and its sister organization, American Action Network.

Aaron Britt will serve as chief of staff in the Office of Public Affairs. He worked on Capitol Hill for four years before his appointment, most recently serving as communications director for former Rep. Lori Chavez-DeRemer and as press secretary for Sen. Chuck Grassley. Britt’s career began in his home state, where he oversaw media relations and strategy at the Republican Party of Iowa during the 2020 election cycle.

Office of the Secretary

Jihun Han will serve as the Department of Labor’s chief of staff. He was Secretary Chavez-DeRemer’s chief of staff during her tenure in the U.S. House of Representatives and ran her successful congressional bid in 2022. Han has extensive experience working in local, state, and national politics, including as campaign manager and chief of staff for numerous members and candidates in the Oregon legislature. He also worked in political affairs for the Oregon Association of Realtors and Evergreen Oregon PAC.

Rebecca Wright will serve as the department’s deputy chief of staff. She served as Secretary Chavez-DeRemer’s district director in Oregon and as deputy campaign manager for Christine Drazan’s gubernatorial campaign. She also worked as a senior staffer for the Oregon House Republican Caucus under House Republican Leader Drazan.

Courtney Walter will serve as senior counselor in the Office of the Secretary. She served at the U.S. Department of Labor in the first Trump Administration in various capacities, including as senior counsel in the Office of the Solicitor. Most recently, Walter practiced law in the private sector, focusing on labor and employment matters. She is a graduate of the Pennsylvania State University and Florida International University College of Law. 

Colton Duncan will serve as the White House liaison for the U.S. Department of Labor. A political strategist and digital media entrepreneur, he has served as president and CEO of Ninja Digital and as senior advisor to Kari Lake. A native of Lubbock, Texas, Duncan is a proud alumnus of Turning Point USA.

Peyton Smith will serve as director of scheduling in the Office of the Secretary. Most recently, she served as the director of operations to the Secretary during her time as representative for Oregon’s 5th District in the U.S. House of Representatives for the 118th Congress. She is a graduate of the University of Georgia and holds a degree in Political Science.

Office of the Solicitor

On Feb. 24, 2025, Jonathan Snare was appointed as deputy solicitor of labor. He is rejoining the department after serving as partner in the Washington, D.C. office of Morgan Lewis & Bockius in the labor/employment practice group from 2009 to 2024. During his tenure at the Department of Labor between 2003 and 2009, Snare served in several roles, including acting assistant secretary for OSHA and deputy assistant secretary, as well as deputy solicitor and acting solicitor in 2007. Before joining the department, he was in private law practice in Dallas. A native of Indianapolis, Snare graduated from the University of Virginia and obtained a law degree from Washington & Lee University School of Law.



$200,000 OCR Penalty Shows Health Care Providers & Other HIPAA Entities Risks Of Late Record Access

March 7, 2025

The $200,000 civil monetary penalty paid by Oregon Health & Science University (“OHSU”) for failing to provide requested medical records shows health care providers, health plans and insurers, and health care clearinghouses (“covered entities”) the perils of violating an individual’s Health Insurance Portability & Accountability Act of 1996 (“HIPAA”) right to timely access. As the 53rd HIPAA right of access enforcement action announced by the Department of Health and Human Services Office of Civil Rights (“OCR”), the penalty reaffirms OCR’s continued strong commitment to the enforcement of HIPAA rights of access against covered entities and demonstrates the potential high cost covered entities can face for noncompliance with these requirements. Like the 52 prior enforcement actions, the OHSU penalty warns health plans and other covered entities to confirm their compliance to avoid incurring similar liabilities.

The HIPAA Privacy Rule’s “Right of Access” provisions require covered entities to give requesting individuals or their personal representatives timely access to requested protected health information. Generally, this means the covered entity must provide protected health information access within 30 days, with the possibility of one 30-day extension if certain requirements are met. HIPAA also prohibits covered entities from charging more than a reasonable, cost-based fee for this record access. This requirement is in addition to any duty to provide timely access to records imposed by otherwise applicable laws, such as rules applicable to health plans and health insurers covered by the adverse benefit determination rules of the Patient Protection and Affordable Care Act (“ACA”) or the Employee Retirement Income Security Act of 1974 (“ERISA”), or health insurers or health care providers under applicable state medical privacy and records laws, state insurance laws, and health care providers under applicable state medical practice laws. The Privacy Rule also contains specific rules for determining the allowable fees, which typically are more restrictive than often concurrently applicable state laws applicable to health care providers or insurers.

Covered entities also should recognize that covered entities violating the right of access rule face a high likelihood of enforcement by OCR. Patients and other individuals and their personal representatives typically are well informed about their access rights due to HIPAA’s notice of privacy practices and posting requirements. Since right of access violations are one of the most common complaints and OCR frequently finds violations when investigating these complaints,

The $200,000 civil monetary penalty against OHSU along with the undisclosed legal fees and other expenses it incurred in responding to the investigation and enforcement action show the HIPAA liability covered entities can incur for violating the right of access rule. In September 2024, OCR issued a Notice of Proposed Determination seeking to impose a $200,000 civil monetary penalty. OHSU waived its right to a hearing and did not contest OCR’s imposition of a civil monetary penalty. Accordingly, OCR imposed the $200,000 civil monetary penalty against OHSU in a December 2024 Notice of Final Determination. The OHSU civil monetary penalty arose from OCR’s investigation of a second complaint filed by an individual’s personal representative in January 2021. The complaint was one of two OCR received on this matter. In September 2020, OCR resolved the first complaint received in May 2020 after OCR notified OHSU of its potential noncompliance with the Privacy Rule Right of Access provisions. Although OHSU provided part of the requested records in April 2019, OHSU did not provide all of the requested records until August 2021. This was 16 months after the first request for records in April 2019 and nearly a year after OCR previously warned OHSU about its HIPAA obligations in response to the initial complaint. Based on these findings, OCR determined OHSU violated the right of access rule by failing to take timely action in response to the right of access requests.

Along with showing the importance of overall timely compliance with the right of access rule, the OHSU civil monetary penalty also shows covered entities the importance of promptly and completely correcting any violation of the right of access rule by the covered entity (including an employee or business associate responsible for responding to requests) and its causes. OCR’s right of access rule investigation and enforcement history against covered entities, including the original complaint against OHSU, demonstrates that OCR seeks settlement with a substantially smaller or even no financial payment required if the covered entity promptly and completely fixes the violation in response to OCR’s notice and technical assistance.

The author of this update, Cynthia Marcotte Stamer, is an American College of Employee Benefits Counsel Fellow and attorney board certified in Labor and Employment Law by the Texas Board of Legal Specialization, nationally known and celebrated for her experience providing advice and representation on HIPAA and other risk management and compliance to employers and other health plan sponsors, health plans, health plan fiduciaries and administrators, health and other insurers, third party administrators, health care and other managed care providers and organizations, human resources and health plan technology, and other businesses about health plan design, administration, and other compliance, risk management and operational matters. If you have questions or need advice or help evaluating or addressing these or other compliance, risk management, or other concerns, contact her.

For More Information

We hope this update is helpful. For more information about these or other health or other employee benefits, human resources, or health care developments, please contact the author, Cynthia Marcotte Stamer, via e-mail or telephone at (214) 452-8297.

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Cynthia Marcotte Stamer is an attorney board certified in labor and employment law by the Texas Board of Legal Specialization, management consultant, author, public policy advocate and lecturer sought out by clients and industry and government leaders for her more than 35 years of health, insurance, employment and employee benefits and other industry management work, thought leadership, public policy and regulatory affairs advocacy, coaching, teaching, and publications on health and other employee benefits, health care, insurance, workforce and other risk management and compliance.

Along with her decades of legal and strategic consulting experience, Ms. Stamer also contributes her leadership and experience to many professional, civic and community organizations. Along with currently serving as Co-Chair of the ABA Real Property Trusts and Estates (“RPTE”) Section Welfare Plan Committee, Co-Chair of the ABA International Section International Employment Law Committee and its Annual Meeting Program Planning Committee, Chair Emeritus and Vice Chair of the ABA Tort Trial and Insurance (“TIPS”) Section Medicine and Law Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee, her previous ABA leadership roles include more than a decade of service as a Scribe for the Joint Committee on Employee Benefits (“JCEB”) annual agency meetings with the Department of Health and Human Services and JCEB Council Representative, International Section Life Sciences Committee Chair, RPTE Section Employee Benefits Group Chair and a Substantive Groups Committee Member, Health Law Section Managed Care & Insurance Interest Group Chair, as TIPS Section Medicine and Law Committee Chair and Employee Benefits Committee and Workers Compensation Committee Vice Chair, Tax Section Fringe Benefit Committee Chair, and in various other ABA leadership capacities. Ms. Stamer also is a former Southwest Benefits Association Board Member and Continuing Education Chair, SHRM National Consultant Board Chair and Region IV Chair, Dallas Bar Association Employee Benefits Committee Chair, former Texas Association of Business State, Regional and Dallas Chapter Chair, a founding board member and Past President of the Alliance for Healthcare Excellence, as well as in the leadership of many other professional, civic and community organizations. 
She also is recognized for her contributions to strengthening health care policy and charitable and community service resolving health care challenges performed under PROJECT COPE Coalition For Patient Empowerment initiative and many other pro bono service involvements locally, nationally and internationally.

Ms. Stamer is the author of many highly regarded works published by leading professional and business publishers, the ABA, the American Health Lawyers Association, and others. Ms. Stamer also frequently speaks and serves on the faculty and steering committee for many ABA and other professional and industry conferences and conducts leadership and industry training for a wide range of organizations.

For more information about Ms. Stamer or her health industry and other experience and involvements, see http://www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press™

Solutions Law Press™ provides health care, insurance, human resources and employee benefit, data and technology, regulatory and operational performance, and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education. These include extensive resources on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested in reviewing some of our other Solutions Law Press™ resources or training.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or an admission. Solutions Law Press and its authors reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often rapidly evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. Solutions Law Press and its authors disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2025 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press.™ For information about licensing for republication, please contact the author directly. All other rights reserved.


$200,000 OCR Penalty Warns Health Plans and Other HIPAA Entities To Timely Provide Records

March 7, 2025

The $200,000 civil monetary penalty paid by Oregon Health & Science University (“OHSU”) for failing to provide requested medical records shows health plans, health care providers, and health care clearinghouses (“covered entities”) the perils of violating an individual’s Health Insurance Portability & Accountability Act of 1996 (“HIPAA”) right to timely access. As the 53rd HIPAA right of access enforcement action announced by the Department of Health and Human Services Office of Civil Rights (“OCR”), the penalty reaffirms OCR’s continued strong commitment to the enforcement of HIPAA rights of access against covered entities and demonstrates the potential high cost covered entities can face for noncompliance with these requirements. Like the 52 prior enforcement actions, the OHSU penalty warns health plans and other covered entities to confirm their compliance to avoid incurring similar liabilities.

The HIPAA Privacy Rule’s “Right of Access” provisions require covered entities to give requesting individuals or their personal representatives timely access to requested protected health information. Generally, this means the covered entity must provide protected health information access within 30 days, with the possibility of one 30-day extension if certain requirements are met. HIPAA also prohibits covered entities from charging more than a reasonable, cost-based fee for this record access. This requirement is in addition to any otherwise applicable duty to provide timely access to records imposed by otherwise applicable laws such as rules applicable to health plans and health insurers covered by the adverse benefit determination rules of the Patient Protection and Affordable Care Act (“ACA”) or the Employee Retirement Income Security Act of 1974 (“ERISA”) or health insurers or health care providers under applicable state medical privacy and records laws, state insurance laws, and health care providers under applicable state medical practice laws. The Privacy Rule also contains specific rules for determining the allowable fees, which typically are more restrictive than often concurrently applicable state laws applicable to health care providers or insurers.

Covered entities also should recognize that covered entities violating the right of access rule face a high likelihood of enforcement by OCR. Patients and other individuals and their personal representatives typically are well informed about their access rights due to HIPAA’s notice of privacy practices and posting requirements. Since right of access violations are one of the most common complaints and OCR frequently finds violations when investigating these complaints,

The $200,000 civil monetary penalty against OHSU, along with the undisclosed legal fees and other expenses it incurred in responding to the investigation and enforcement action, shows the HIPAA liability covered entities can incur for violating the right of access rule. In September 2024, OCR issued a Notice of Proposed Determination seeking to impose a $200,000 civil monetary penalty. OHSU waived its right to a hearing and did not contest OCR’s imposition of a civil monetary penalty. Accordingly, OCR imposed the $200,000 civil monetary penalty against OHSU in a December 2024 Notice of Final Determination. The OHSU civil monetary penalty arose from OCR’s investigation of a second complaint filed by an individual’s personal representative in January 2021. The complaint was one of two OCR received on this matter. In September 2020, OCR resolved the first complaint received in May 2020 after OCR notified OHSU of its potential noncompliance with the Privacy Rule Right of Access provisions. Although OHSU provided part of the requested records in April 2019, OHSU did not provide all of the requested records until August 2021. This was 16 months after the first request for records in April 2019 and nearly a year after OCR previously warned OHSU about its HIPAA obligations in response to the initial complaint. Based on these findings, OCR determined OHSU violated the right of access rule by failing to take timely action in response to the right of access requests.

Along with showing the importance of overall timely compliance with the right of access rule, the OHSU civil monetary penalty also shows covered entities the importance of promptly and completely correcting any violation of the right of access rule by the covered entity (including an employee or business associate responsible for responding to requests) and its causes. OCR’s right of access rule investigation and enforcement history against covered entities, including the original complaint against OHSU, demonstrates that OCR seeks settlement with substantially smaller or even no financial payment required if the covered entity promptly and completely fixes the violation in response to OCR’s notice and technical assistance.

The author of this update, Cynthia Marcotte Stamer, is an American College of Employee Benefits Counsel Fellow and attorney board certified in Labor and Employment Law by the Texas Board of Legal Specialization, nationally known and celebrated for her experience providing advice and representation on HIPAA and other risk management and compliance to employers and other health plan sponsors, health plans, health plan fiduciaries and administrators, health and other insurers, third party administrators, health care and other managed care providers and organizations, human resources and health plan technology, and other businesses about health plan design, administration, and other compliance, risk management and operational matters. If you have questions or need advice or help evaluating or addressing these or other compliance, risk management, or other concerns, contact her.



IRS Allows All Health Plans To Use Website To Fulfill ACA Annual Minimum Essential Coverage Statement Requirement

March 3, 2025

New Guidance Broadens Availability Of Website Alternative To All Health Plans

All health insurers and health plan administrators can now fulfill their obligation under the Patient Protection and Affordable Care Act (“ACA”) to send annual minimum essential coverage statements (“MEC Statements”) by timely posting a notice of the availability of the statements in lieu of providing the MEC Statements by sending Internal Revenue Service (“IRS”) Forms 1095-B and 1095-C to covered persons under guidance issued in IRS Notice 2025-15 on February 21, 2025.

As part of the ACA minimum essential coverage mandates, Internal Revenue Code (“Code”) Section 6055 generally requires each health plan providing minimum essential coverage to any individual during a calendar year to furnish the covered person named on an application who enrolls one or more individuals in the minimum essential coverage a statement that identifies each covered individual and the individual’s months of coverage. See Treas. Reg. § 1.6055–1(b)(11). While Section 6055 sets the statutory deadline to provide the MEC Notice as the January 31 immediately following the close of the plan year when the plan provides the coverage, Treasury Regulation § 1.6055-1(g)(4) provides an automatic 30-day extension of time in which to furnish these statements. As a result, covered health plans and health insurers must fulfill the annual MEC Statement requirement within 61 days of the close of the calendar year to which the MEC Statement applies.

Internal Revenue Service (“IRS”) regulations generally require health plans to use Forms 1095-B and 1095-C to provide the MEC Statement to responsible individuals unless the health plan qualifies under Treasury Regulation § 1.6055-1(g)(4)(ii)(B) to provide the statement in the “alternative manner” of a qualifying website posting described in that Regulation.

Before February 21, 2025, Treasury Regulation § 1.6055-1(g)(4)(ii)(B) only allowed health plans to use the website posting alternative to fulfill their MEC Statement obligations if the individual shared responsibility payment amount under Code section 5000A(c) for the calendar year in which minimum essential coverage is provided is zero. Under IRS Notice 2025-15, however, all health plans and health insurers are permitted to use the alternative manner of a website posting to fulfill the MEC Statement mandate for all post-2023 plan years including the 2024 calendar notices without regard to the amount of the individual shared responsibility payment.

Health plans and health insurers wishing to use the “alternative manner” of a website posting in lieu of Forms 1095-B and 1095-C to fulfill the MEC Statement requirement for 2024 or a subsequent calendar year must post in a location reasonably accessible to all responsible individuals a clear and conspicuous notice stating that responsible individuals may receive a copy of their statement upon request. Additionally, if an individual requests a statement, the health plan must deliver the requested statement within 30 days of the date the health plan receives the request.

The author of this update, Cynthia Marcotte Stamer, is an American College of Employee Benefits Counsel Fellow and attorney board certified in Labor and Employment Law by the Texas Board of Legal Specialization, with decades of experience advising employers and other health plan sponsors, health plans, health plan fiduciaries and administrators, health and other insurers, third party administrators, managed care organizations, health plan technology, and other businesses about health plan design, administration, and other compliance, risk management and operational matters. If you have questions or need advice or help evaluating or addressing these or other compliance, risk management, or other concerns, contact her.



Stamer To Discuss Emerging Health and Disability Litigation Trends To Watch In January 17 Virtual Welfare Benefit Plan Update

January 14, 2025

Solutions Law Press publisher and attorney Cynthia Marcotte Stamer will discuss tobacco cessation class actions, health plan PBM, excessive fee, antitrust and other selected emerging health and disability plan litigation trends to watch in 2025 as part of the Welfare Plan Update that the American Bar Association Real Property, Probate and Trust Section Employee Plans and Executive Compensation Group will host during its free committee call on January 17, 2025, at 11:30 AM Central Time.

Along with Ms. Stamer’s comments, the Update also will include updates on the mental health parity final rules and implications of the January 1, 2025 expiration of high deductible health plan telemedicine relief by her fellow Welfare Benefit Committee Co-Chair Jacquelyn M. Abbott and Committee Vice Chair Julia Mader.

Members interested in the meeting are invited to use the following Zoom credentials to connect to the meeting:

Join Zoom Meeting Link:  https://americanbar.zoom.us/j/93409339280?pwd=aQcwUtePdkKni1943AJ4UjIaac6F5v.1

Meeting ID: 934 0933 9280, Passcode: 602434

One tap mobile

+13092053325,,93409339280# US

+13126266799,,93409339280# US (Chicago)

About Cynthia Marcotte Stamer

Board Certified in Labor and Employment Law by the Texas Board of Legal Specialization and a Fellow in the American College of Employee Benefits Counsel, Stamer is recognized for her decades of work on leading edge employee benefits, employment, health care and insurance concerns with recognition as a Martindale-Hubbell “Top Rated Lawyer” and “Legal Leader” in Health Care and Labor and Employment Law; as among the D Magazine “Best Lawyers In Dallas” in Labor & Employment, Tax: ERISA & Employee Benefits, Health Care and Business and Commercial Law.

Stamer has more than 35 years of experience guiding employers, health and other employee benefit and insurance programs and their fiduciaries, managed care, TPAs, PBMs, health care clearinghouses and their service providers; and other managed care and other health and health plan industry clients on program, product, systems and process design, administration, and defense; government and regulatory investigations and affairs; HIPAA and other data and systems privacy, cybersecurity and other integrity; workforce and other service provider credentialing, contracting, and management; government and private investigations, disputes, audits and enforcement; and other compliance, risk management and operations concerns in a wide range of contexts. Her work and the interests of her clients are enhanced by her continuous involvement in federal and state legislative advocacy, regulatory affairs and government relations on these and other related concerns throughout her career.

In the course of this work, Stamer frequently advises and represents and defends health and other employee benefit plans, their fiduciaries, third party administrators, brokers, insurers, trustees and other plan service providers, debtor plan sponsors and their leaders, auditors, creditors and creditor committees, bankruptcy trustees, on prevention and mitigation of claims, fiduciary, licensing, prompt pay and other contractual, regulatory and other risks and liabilities arising from underfunded or distressed companies and employee benefit plans.  She also advises employers, their boards, investors and management, third party administrators, preferred provider organizations, insurers and other plan service providers and others in fiduciary, claims and other audits, investigations and enforcement actions by private litigants, the Department of Labor, Department of Health & Human Services, Internal Revenue Service, Department of Justice, Federal Trade Commission, state insurance, attorneys’ general or other regulator, contractual arising out of workforce and staffing, employee benefit and insurance practices and programs in ongoing operations, corporate or credit transactions, bankruptcy or other situations and serves as special or consulting counsel for bankruptcy and other human resources, benefits, insurance, health care and regulatory compliance and investigation concerns. Stamer also counsels, represents and defends third party administrators, preferred provider and other managed care organizations, brokers and other regulated parties in state insurance and other regulators notice and reporting, investigations, audits, discipline and other enforcement actions.

Past Chair of the ABA RPTE Employee Benefit and Other Compensation Group, the Health Law Section Managed Care and Insurance Interest Group, and the Tort Trial and Insurance Section Medicine and Law Committee, Stamer also contributes her experience and knowledge by serving as Scribe for the American Bar Association (“ABA”) Joint Committee on Employee Benefits (“JCEB”) annual agency meeting with the Department of Health and Human Services as well as a leader of employee benefits, human resources, health as an industry thought leader, Stamer also publishes and speaks extensively on health and other employee benefits, compensation, workforce, health care and related regulatory compliance and risk management matters. Her insights on these and other matters appear in publications of the American Bar Association, Bloomberg/BNA, Modern Healthcare, Aging In Place, Spencer Publications, the Wall Street Journal, the Dallas Business Journal, the Houston Business Journal, and many other national and local publications. For additional information about Stamer, her speaking, legal, consulting and other experience and services, or to access other publications by Stamer see CynthiaStamer.com or contact Stamer directly via e-mail or telephone (214) 452-8287.

For more details about the Real Property Probate and Trust Section Employee Benefits and Other Compensation Committee or other employee benefits related committees and activities of the American Bar Association, see the American Bar Association website here.

To receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here and connect with Stamer on Linkedin. For important information concerning this communication click here.  If you do not wish to receive these updates in the future, unsubscribe by updating your profile here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides health care, insurance, human resources and employee benefit, data and technology, regulatory and operational performance, and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education. These include extensive resources on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested in reviewing some of our other Solutions Law Press, Inc.™ resources.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often rapidly evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. The author and Solutions Law Press, Inc. disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS.  ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.

©2025 Cynthia Marcotte Stamer, P.C. Non-exclusive limited license to republish granted to Solutions Law Press, Inc.


Immigration Forms Update Impending

January 13, 2025

USCIS has updated the following immigration forms:

  • Form I-854, Inter-Agency Alien Witness and Informant Record. Edition Date: 12/12/24. Starting March 13, 2025, USCIS will accept only the 12/12/24 edition. Until then, you can also use the 04/01/24 edition. You can find the edition date at the bottom of the page on the form and instructions.
  • Form I-134, Declaration of Financial Support. Edition Date: 12/12/24. Starting March 13, 2025, USCIS will accept only the 12/12/24 edition. Until then, you can also use the 11/09/23 edition. You can find the edition date at the bottom of the page on the form and instructions.

These updates are part of a series of ongoing form updates. Additional changes are foreseeable, particularly in light of the impending change of administration and the expected immigration changes from the incoming Trump Administration. Impacted parties should ensure use of the appropriate forms in light of these and other changes.

The author of this update, Cynthia Marcotte Stamer, is an American College of Employee Benefits Counsel Fellow and attorney board certified in Labor and Employment Law by the Texas Board of Legal Specialization, who has decades of experience advising employers, health care providers, health plans and insurers, third party administrators, managed care and other health care payers and providers, technology, and other businesses about these and other compliance, risk management and operational matters. If you have questions or need advice or help evaluating or addressing these or other compliance, risk management, or other concerns, contact her.

For More Information

We hope this update is helpful. For more information about these or other health or other employee benefits, human resources, or health care developments, please contact the author, Cynthia Marcotte Stamer, via e-mail or telephone at (214) 452-8297.

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Recognized by her peers as a Martindale-Hubbell “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition from LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for her more than 35 years of health, insurance, employment and employee benefits and other industry management work, public policy leadership and advocacy, coaching, teachings, and publications including leading-edge work on crisis preparedness, response and recovery.

Author of many highly regarded compliance and risk management tools, training and other resources on health and other employee benefits, health care, insurance, workforce and other risk management and compliance, Ms. Stamer is widely recognized for her thought leadership and advocacy on these matters.  

In addition, Ms. Stamer serves as a Scribe for the American Bar Association (“ABA”) Joint Committee on Employee Benefits annual agency meetings with OCR and shares her thought leadership as International Section Life Sciences Committee Vice Chair, and a former Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. 

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2025 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.


HHS Grants Limited Southern California Fire Disaster Relief

January 10, 2025

Health plans and insurers, health care providers and other Southern California organizations impacted by the California fires may qualify for temporary waivers or modification of certain Department of Health and Human Services (“HHS”) regulatory requirements under the Declarations of a Public Health Emergency (“PHE”) published by HHS today.

The relief provided by the PHE includes:

An extensive list of resources and guidance to help health plans, health care providers and others to understand and cope with HHS requirements in disaster or other emergency situations such as:

Health plans and other regulated entities impacted by the fire or other disasters should carefully review this guidance to understand the scope and availability of the current relief. Additionally, health plans, health care providers, business associates and other HHS-regulated entities and providers not currently impacted by today’s or another public health emergency declaration should use this guidance to plan and adopt policies and arrangements in advance of a disaster to provide for their continued ability to fulfill HHS regulatory obligations in the event of an emergency.

Health plans and other HHS-regulated entities should keep in mind the limited duration and scope of the relief provided by this PHE or any other HHS public health emergency declaration. Entities planning to rely on the PHE relief must review the scope, conditions and duration requirements and ensure their ability to defend their continued compliance taking into account these limited waivers and modifications.

Also, the PHE guidance documents are not a final agency action, do not legally bind persons or entities outside the Federal government, and may be rescinded or modified in the Department’s discretion. Noncompliance with any voluntary standards (e.g., recommended practices) contained in these documents will not, in itself, result in any enforcement action.

Furthermore, health plans and other HHS-regulated entities typically face a myriad of responsibilities beyond those imposed by HHS. Health plans and other regulated entities should check other agencies’ disaster declaration webpages to determine whether the agency has issued any specific relief impacting their emergency in response to the broader disaster declaration issued by the Administration. Except to the extent covered by other declared disaster relief, coverage by or compliance with the HHS PHE guidance and policies does not insulate the health plan from potential liability for violating the requirements of the Employee Retirement Income Security Act or other laws creating responsibilities to plan members, providers, the Employee Benefits Security Administration or other agencies or parties other than HHS with respect to the HHS regulatory obligations for which the specific relief is provided in the PHE declaration. Accordingly, health plans, their fiduciaries, plan sponsors and service providers are urged to take necessary steps before, during and after any disaster to position themselves to demonstrate fulfillment of duties of prudence and other applicable responsibilities.

The author of this update, Cynthia Marcotte Stamer, is an American College of Employee Benefits Counsel Fellow and attorney board certified in Labor and Employment Law by the Texas Board of Legal Specialization, who has decades of experience advising health care providers, health plans and insurers, third party administrators, managed care and other health care payers and providers, technology, and other businesses about crisis preparedness and response and other compliance, risk management and operational matters. If you have questions or need advice or help evaluating or addressing these or other compliance, risk management, or other concerns, contact her.

©2025 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.


2025 Surprise Billing Fees Unchanged But Clear Cache Weekly To Stay Updated

December 27, 2024

2025 surprise billing independent dispute resolution fees applicable to health plans, health insurers and health care providers are holding steady.

On December 27, 2024, the Department of Health and Human Services (“HHS”), the Department of Labor (“DOL”), and the Department of the Treasury (collectively, the “Departments”) updated the No Surprises Act (NSA) website to reflect updated certified IDR entity fees in accordance with the Federal Independent Dispute Resolution (IDR) Process Administrative Fee and Certified IDR Entity Fee Ranges Final Rule (IDR Fees Final Rule).

The IDR Fees Final Rule, effective as of January 22, 2024, set forth the 2024 IDR entity fee ranges. The Departments announced these fees will remain unchanged for 2025.

The 2025 IDR entity fees now published on the NSA website are effective for disputes initiated on or after January 1, 2025. For these disputes, the administrative fee amount is $115 per party per dispute, and the certified IDR entity fee ranges are $200-$840 for single determinations and $268-$1,173 for batched determinations. The website now includes information on the fee set by each certified IDR entity within these ranges.

Along with confirming the 2025 fees, the Departments caution plans and providers to monitor the website for updates to the IDR web form to accommodate guidance-related and system enhancements. The Departments ask plans and providers who have initiated an IDR dispute previously to clear their computer’s cache or open the IDR initiation web form in a private or incognito window at least once a week to see all the new features. The Departments warn that failing to clear the cache or open this form in private/incognito mode could result in additional follow-up with certified IDR entities or system errors.

The author of this update, Cynthia Marcotte Stamer, is an American College of Employee Benefits Counsel Fellow and attorney board certified in Labor and Employment Law by the Texas Board of Legal Specialization, who has decades of experience advising health plans and insurers, third party administrators, managed care and other health care payers and providers with surprise billing and other claims, payment and other design, administration, regulatory and other enforcement, dispute resolution, compliance, risk management and operational matters. If you have questions or need advice or help evaluating or addressing these or other compliance, risk management, or other concerns, contact her.

For More Information

We hope this update is helpful. For more information about these or other health or other employee benefits, human resources, or health care developments, please contact the author, Cynthia Marcotte Stamer, via e-mail or via telephone at (214) 452-8297.

About the Author

Recognized by her peers as a Martindale-Hubbell “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition from LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for her more than 35 years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications including leading edge work on workforce and other risk management and compliance.

Ms. Stamer’s work throughout her career has focused heavily on working with businesses domestically and internationally on employment, benefits, Federal Sentencing Guidelines and other workforce management, regulatory and public policy and other legal and operational concerns.  

Author of many highly regarded compliance, training and other resources on health and other employee benefits, health care, insurance, workforce and other risk management and compliance, Ms. Stamer is widely recognized for her thought leadership and advocacy on these matters.  

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested in reviewing some of our other Solutions Law Press, Inc.™ resources.

©2024 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.


Auto Industry Businesses Should Tighten Defenses In Response To New Whistleblower Rules

December 20, 2024

Heads up, auto industry employers. The Department of Transportation’s National Highway Traffic Safety Administration (“NHTSA”) just released final rules outlining its Auto Safety Whistleblower Program procedures that impact motor vehicle manufacturers, part suppliers, and dealerships (“Auto Businesses”).

The final rules define the whistleblower award process, the filing requirements, and the eligibility criteria for potential whistleblowers.

The final rules define a “whistleblower” to include “any Auto Business employee or contractor who voluntarily provides to the NHTSA original information relating to any motor vehicle defect, noncompliance, or any violation or alleged violation of any notification or reporting requirement of 49 U.S.C. Chapter 301, or a regulation thereunder, which is likely to cause unreasonable risk of death or serious physical injury.”

The adoption and promotion of these whistleblower rules and remedies increase exposures for auto businesses to whistleblower claims. Auto industry businesses should take care to ensure they have adopted, communicated, and administered proper processes for maintaining and defending their compliance with defect detection and reporting, anti-retaliation and other requirements of the rules.

Auto industry employers also should use care to minimize the risk of whistleblower liability to employees who have made reports of defects or engaged in other activity protected by the final rules as well as other activities protected under federal or state law. These actions include but are not limited to establishing a well-designed, administered and documented compliance program to prevent violations; notifying employees and contractors of your policy of non-discrimination and non-retaliation against individuals for engaging in actions protected by the final rules; maintaining strong documentation to support employment, promotion, demotion, and other employment decisions; using care when addressing employment termination or other employment-related evaluations of workers who filed reports or engaged in other protected activity to promote defensibility against whistleblower and retaliation claims; notifying workers of procedures for reporting suspicions of retaliation for engaging in protected activity; and other safeguards to strengthen the defensibility of the business’s actions in the event of a possible claim.

The author of this update, Cynthia Marcotte Stamer, is an attorney board certified in Labor and Employment Law by the Texas Board of Legal Specialization, who has worked extensively with auto industry and other businesses on whistleblower and other compliance and risk management. If you have questions or need advice or help evaluating or addressing these or other compliance, risk management, or other concerns, contact her.

For More Information

We hope this update is helpful. For more information about the  or other health or other employee benefits, human resources, or health care developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452-8297.

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Recognized by her peers as a Martindale-Hubbell “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition from LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for her more than 35 years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications including leading edge work on workforce and other risk management and compliance.

Ms. Stamer’s work throughout her career has focused heavily on working with businesses domestically and internationally on employment, benefits, Federal Sentencing Guidelines and other workforce management, regulatory and public policy and other legal and operational concerns.  

Author of many highly regarded compliance, training and other resources on workforce and other risk management and compliance, Ms. Stamer is widely recognized for her thought leadership and advocacy on these matters.  

In addition, Ms. Stamer serves as a Scribe for the American Bar Association (“ABA”) Joint Committee on Employee Benefits annual agency meetings with OCR and shares her thought leadership as International Section Life Sciences Committee Vice Chair, and a former Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation. Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.


©2024 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.


$1.19 Million Penalty Warns Health Plans and Other Covered Entities To Ensure HIPAA Compliance Defensibility Including Service Provider Threats

December 6, 2024

The $1.19 million Health Insurance Portability and Accountability Act (“HIPAA”) penalty imposed on a Florida pain clinic this week sends a clear warning to health plans, health care providers, healthcare clearinghouses and their business associates (“Covered Entities”) to take adequate, documented steps to ensure the defensibility of their own safeguards and other compliance with the HIPAA Security Rule, including safeguards against threats from their own current and former workers and service providers.

HIPAA Security Rule

The HIPAA Privacy, Security, and Breach Notification Rules require health plans, health care clearinghouses, and most health care providers, and their business associates (“Covered Entities”) to meet requirements to protect the privacy and security of protected health information (“PHI”). The HIPAA Security Rule included in these rules requires Covered Entities to conduct and maintain documented risk assessments to prove their efforts to comply with detailed national administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic PHI (“ePHI”).

Violation of HIPAA can trigger either civil monetary penalties or criminal penalties under HIPAA. As amended by the HITECH Act, HIPAA provides for the following civil monetary penalties for HIPAA violations:

  • A minimum of $100 for each violation where the covered entity or business associate did not know and, by exercising reasonable diligence, would not have known that the covered entity or business associate violated such provision, except that the total amount imposed on the covered entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $25,000.
  • A minimum of $1,000 for each violation due to reasonable cause and not to willful neglect, except that the total amount imposed on the covered entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $100,000. Reasonable cause means an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect.
  • A minimum of $10,000 for each violation due to willful neglect and corrected within 30 days, except that the total amount imposed on the covered entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $250,000.
  • A minimum of $50,000 for each violation due to willful neglect and uncorrected within 30 days, except that the total amount imposed on the covered entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $1,500,000.

As required by law, OCR adjusts the CMP ranges for each penalty tier for inflation for violations after November 2, 2015.

Along with these potentially substantial civil penalty exposures, HIPAA’s potential criminal penalties make HIPAA compliance a required element of the Federal Sentencing Guideline Compliance programs Covered Entities and their leaders need to mitigate their exposures to organizational liability under the Guidelines. 

Additionally, HIPAA breaches may expose Covered Entities and their leaders to potential liability under securities, electronic crimes, and other data breach and security laws; Federal Sentencing Guideline and other liability for misappropriation of funds, health care or other fraud and other crimes enabled by inadequate compliance or response; trigger fiduciary and other duties and liabilities under the Employee Retirement Income Security Act of 1974 (“ERISA”) for those acting as named or functional fiduciaries; create licensing or ethical sanctions; create shareholder, tort or contractual liabilities; trigger public company disclosure and executive compensation clawback responsibilities; and a host of other legal, operational and business partner and public relations headaches.

New $1.19 Million Settlement

The $1.19 million penalty against pain clinic Gulf Coast Pain Consultants, LLC d/b/a Clearway Pain Solutions Institute (“Gulf Coast Pain Consultants”), announced December 4, 2024 by the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”), shows how quickly a Covered Entity found in violation of these rules can rack up substantial civil monetary penalties. Although specifically involving a health care provider, health plans are exposed to the same risks.

The Gulf Coast Pain Consultants civil monetary penalty arose from OCR’s finding of “systematic” HIPAA Security Rule violations while investigating a breach report that a former contractor for the company impermissibly accessed its electronic record system.

OCR initiated the investigation following the receipt of a breach report filed by Gulf Coast Pain Consultants, which reported that a former contractor impermissibly accessed Gulf Coast’s electronic medical record system to retrieve PHI for use in potential fraudulent Medicare claims. 

OCR’s investigation revealed the breach was accomplished by an independent contractor hired to provide business consulting in 2018, whose contract was terminated prematurely several months later, before the end of the contract term.

After the contract terminated, Gulf Coast did not immediately terminate the former contractor’s system access. 

Months later on February 20, 2019, Gulf Coast discovered that on three occasions, between September 7, 2018, and February 3, 2019, the Contractor impermissibly used its access to Gulf Coast’s electronic medical record (“EMR”) system to access the ePHI of approximately 34,310 individuals. On February 21, 2019, Gulf Coast terminated the independent contractor’s access to its systems.

It was later discovered that the Contractor generated medical claims for services that were not actually rendered, resulting in approximately 6,500 false Medicare claims. The Contractor was indicted under 18 U.S.C. §1347 and §1028(a)(1) and was ultimately found not guilty.

On April 5, 2019, Gulf Coast filed a breach report with OCR concerning this incident. The report described that the compromised PHI included names, addresses, phone numbers, email addresses, dates of birth, Social Security numbers, chart numbers, insurance information, and primary care information.

OCR’s investigation determined that the impermissible access occurred on three occasions, affecting approximately 34,310 individuals. The compromised PHI included patient names, addresses, phone numbers, email addresses, dates of birth, Social Security numbers, chart numbers, insurance information, and primary care information.  

Based on the investigation, OCR found four violations of the HIPAA Security Rule by Gulf Coast Pain Consultants, including failures to:

  • Conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to ePHI in its systems;  
  • Implement procedures to regularly review records of activity in information systems;  
  • Implement procedures to terminate former workforce members’ access to ePHI; and  
  • Implement procedures for establishing and modifying workforce members’ access to information systems. 

As often happens, the investigation and other processes leading to the settlement were protracted and expensive.

More than four years after the breach and its report, OCR issued a Notice of Proposed Determination in August 2024 seeking to impose a civil money penalty. After Gulf Coast waived its right to a hearing and did not contest OCR’s findings, OCR issued its Notice of Final Determination imposing the $1,190,000 civil money penalty. 

Take Aways

Aside from demonstrating the significant penalties that Covered Entities can face for failing to satisfy HIPAA, the settlement also highlights the need for health plans, their fiduciaries, service providers and other HIPAA-regulated entities to manage data security threats from contractors and other current and former service providers with access to ePHI and to maintain other Security Rule compliance.

“Current and former workforce can present threats to health care privacy and security—risking continuity of care and trust in our health care system,” said OCR Director Melanie Fontes Rainer in its announcement of the penalty. “Effective cybersecurity and compliance with the HIPAA Security Rule means being proactive in reviewing who has access to health information and responding quickly to suspected security incidents.” 

OCR recommends that Covered Entities take a number of steps to mitigate or prevent cyber threats, including:

  • Integrate risk analysis and risk management into business processes. 
  • Implement regular review of information system activity. 
  • Implement procedures for terminating access to ePHI when the employment of, or other arrangement with, a workforce member ends. 
  • Implement procedures for modifying a user’s right of access to a workstation, transaction, program or process, or an alternative equivalent measure.
  • A multitude of other risk assessment and mitigation actions required in response to existing and emerging threats arising from time to time as identified and evaluated pursuant to the ongoing conduct of documented risk assessments required by the Security Rule.
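As an added illustration (not code from OCR, the author or any party to the case), the following shows one way to automate two of the controls listed above: reconciling a workforce roster against account status, and reviewing system activity for access after an arrangement ended. The CSV layouts, user names, dates and function names are all assumptions constructed for this example.

```python
import csv
import io
from datetime import date, datetime

# Constructed sample data: a roster export from HR/contracting and EMR audit-log rows.
ROSTER_CSV = """user_id,role,end_date,account_disabled_on
c.consultant,contractor,2024-03-15,2024-09-02
n.nurse,employee,,
b.biller,employee,2024-06-30,2024-06-30
t.temp,contractor,2024-08-10,
"""

AUDIT_LOG_CSV = """timestamp,user_id,action,patient_id
2024-03-01T09:12:00,c.consultant,view_chart,P001
2024-04-07T22:40:00,c.consultant,export_records,P001
2024-04-07T22:41:00,c.consultant,export_records,P002
2024-06-30T10:05:00,b.biller,view_chart,P003
2024-07-04T08:30:00,n.nurse,view_chart,P002
2024-08-20T23:15:00,c.consultant,export_records,P004
2024-08-21T02:00:00,x.unknown,view_chart,P005
"""


def _parse_date(value):
    """Empty roster cells mean 'no end date' or 'never disabled'."""
    return date.fromisoformat(value) if value else None


def load_roster(text):
    """Return {user_id: {role, end_date, disabled_on}} from the roster CSV."""
    roster = {}
    for row in csv.DictReader(io.StringIO(text)):
        roster[row["user_id"]] = {
            "role": row["role"],
            "end_date": _parse_date(row["end_date"]),
            "disabled_on": _parse_date(row["account_disabled_on"]),
        }
    return roster


def stale_accounts(roster, as_of, grace_days=1):
    """Accounts left enabled more than grace_days after the arrangement ended.

    as_of is an ISO date string; accounts never disabled are measured to as_of.
    """
    today = date.fromisoformat(as_of)
    findings = []
    for user, rec in sorted(roster.items()):
        end = rec["end_date"]
        if end is None or end > today:
            continue  # still active workforce member
        days_open = ((rec["disabled_on"] or today) - end).days
        if days_open > grace_days:
            findings.append({
                "user_id": user,
                "days_open": days_open,
                "still_enabled": rec["disabled_on"] is None,
            })
    return findings


def post_termination_access(roster, log_text):
    """Summarise audit events dated after a user's end date, or from users
    that do not appear on the roster at all (unprovisioned or shared accounts)."""
    raw = {}
    for row in csv.DictReader(io.StringIO(log_text)):
        when = datetime.fromisoformat(row["timestamp"])
        rec = roster.get(row["user_id"])
        if rec is None:
            reason = "unknown_user"
        elif rec["end_date"] is not None and when.date() > rec["end_date"]:
            reason = "after_end_date"
        else:
            continue  # access on or before the end date is in scope of the arrangement
        hit = raw.setdefault(row["user_id"],
                             {"reason": reason, "events": 0, "patients": set(), "days": set()})
        hit["events"] += 1
        hit["patients"].add(row["patient_id"])
        hit["days"].add(when.date())
    return {
        user: {"reason": h["reason"], "events": h["events"],
               "patients": len(h["patients"]), "occasions": len(h["days"])}
        for user, h in raw.items()
    }


if __name__ == "__main__":
    roster = load_roster(ROSTER_CSV)
    for finding in stale_accounts(roster, "2024-09-30"):
        print("STALE ACCOUNT", finding)
    for user, summary in post_termination_access(roster, AUDIT_LOG_CSV).items():
        print("REVIEW ACCESS", user, summary)
```

Run on a schedule against real exports, the two reports give the documented, recurring review that the access termination and activity review findings describe as missing.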

Because the Employee Benefit Security Administration views ensuring proper data security and HIPAA compliance as an ERISA fiduciary responsibility and includes cybersecurity in its ERISA compliance audits, health plan fiduciaries also face breach of fiduciary duty and other exposures under ERISA.

The author of this update, Cynthia Marcotte Stamer, has worked extensively with health plans and insurers, their sponsors and fiduciaries, and other covered entities and business associates on HIPAA and other compliance and risk management. If you have questions or need advice or help evaluating or addressing your HIPAA or other compliance, risk management, or other concerns, contact her.


About the Author

Recognized by her peers as a Martindale-Hubbell “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition from LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for her more than 35 years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications including leading edge work on PBM, pharmacy and pharmaceutical and other health care, managed care, insurance, and insured and self-insured contracting, design, administration and regulation.

Author of numerous highly regarded works on PBM and other health plan contracting and design,  Immediate Past Chair of the ABA International Section Life Sciences Committee and the Tort Trial and Insurance Practice Section Medicine and Law Committee, past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and past Group Chair and current Welfare Benefit Committee Co-Chair of the ABA RPTE Employee Benefits & Other Compensation Group, Ms. Stamer is most widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on health and other privacy and data security and other health industry legal, public policy and operational concerns. 

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with HIPAA and other legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns.  

As a part of this work, she has continuously and extensively worked with domestic and international health plans, their sponsors, fiduciaries, administrators, and insurers; managed care and insurance organizations; third party administrators and other health benefit service providers; hospitals, health care systems and other health care providers, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; EMR, claims, payroll and other technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, self-insured health and other employee benefit plans, their sponsors, fiduciaries, administrators and service providers, insurers and other payers, health industry advocacy and other service providers and groups and other health and managed care industry clients as well as federal and state legislative, regulatory, investigatory and enforcement bodies and agencies.

Author of many highly regarded compliance, training and other resources on HIPAA and other risk management and compliance, Ms. Stamer is widely recognized for her thought leadership on HIPAA and many other health care, health plan and other health industry matters.  



©2024 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.


Workforce Strategies For Avoiding Holiday Liability Hangovers

November 27, 2024

With this week’s Thanksgiving celebrations kicking off the 2024 year-end holiday festivities, wise businesses will proactively act to reduce the risk that their business will start 2025 with a post-holiday workforce liability hangover. 

Responsibly managed, company-sponsored and other social celebrations and activities can promote team building, morale, goodwill and other rewards. However, holiday celebrations, staffing disruptions, behaviors and their fallout also can often create attendance, discipline, compliance, safety and other legal and operational responsibilities, risks and costs. Wise business leaders act proactively to mitigate these risks as the holiday season begins.

Health & Safety

Gatherings, food, game playing, toasting with alcohol, travel and other aspects of company-sponsored and off-duty celebrations can enhance usual or create new accident and illness risks. Holiday socialization, presenteeism, distractions, staffing disruptions, operational changes and other factors can increase illness and accident risks. Injuries and illnesses suffered on or off the job can create added occupational health and safety and worker’s compensation responsibilities, costs and liabilities, disrupt staffing and productivity, and fuel health care, medical leave, disability, worker’s compensation and other responsibilities and expenses long after the holiday season ends. To help workers enjoy the Holidays safely and avoid these business costs and disruptions, businesses should confirm that their occupational health, safety and injury policies, practices, and staffing fulfill applicable occupational health and safety and workplace accident and injury laws, as well as consider encouraging workers to follow good health and safety practices on and off the job throughout the holiday season.

Employers generally have a duty of care under the Occupational Safety and Health Act (“OSH Act”) and other occupational health and safety laws to provide a safe work environment. The OSH Act requires businesses to recognize and take appropriate steps to keep their workplaces safe. The OSH Act, worker’s compensation, leave and other workplace safety laws generally require employers to promptly report and investigate workplace accidents and injuries and ensure workers receive timely treatment, and they trigger occupational injury and other leave and other duties.

Workplace injuries resulting from unsafe workplace conditions generally trigger expensive penalties and damages, in addition to worker’s compensation or other occupational injury coverage liabilities.  The holiday season often exacerbates or adds to the ongoing challenges employers face in maintaining workplace safety and responding to workplace injuries and accidents. Some common sources of additional risks associated with the holiday season include decreased oversight from management holiday absences, heightened worker fatigue and distraction, demand-driven, vacation or illness-related understaffing, expanded use of temporary or contract staffing, and holiday season-associated intoxication.  See Holiday Workplace Safety.  OSHA offers various recommendations to aid employers in recognizing and managing heightened workplace safety risks during the holiday season.  Keeping Workers Safe This Holiday Season.  To mitigate their risks from workplace injuries and accidents caused by safety violations and associated violations of investigation, reporting, benefit and other requirements, business leaders should ensure that their organizations identify and manage these additional risks, as well as ensure appropriate staffing and other arrangements are in place to ensure timely response, investigation and reporting of any workplace accidents or injuries during the holiday season.

With outbreaks of the flu, respiratory illnesses and other communicable or infectious diseases that spread from person to person common during the holidays, and holiday gatherings heightening the potential for transmission of the flu or other contagious diseases, businesses also should consider their responsibilities under the OSH Act or other laws to manage contagious disease exposures and spread.  For instance, health care and certain other industries may be subject to laws or regulations that impose specific requirements for preventing and responding to contagious diseases, many of which may have been added or changed since the COVID-19 pandemic.  Businesses should verify their policies meet or exceed current federal, state, local and contractual requirements as well as are designed to meet their business’ need to manage other contagious disease costs, absences and other disruptions.

Whether or not a business is subject to specific contagious disease management mandates, all businesses generally will benefit from reviewing and communicating their existing contagious disease and related leave and other workforce policies to workers and management to help protect their operations against the costs, operational disruptions and liabilities that often result from contagious disease outbreaks within their workplace. To enhance efforts to deter worker injuries and illnesses, businesses should consider using free resources like the Centers for Disease Control’s Healthy Habits to Prevent Flu and 8 Tips for a Safe and Healthy Holiday Season flyers, workplace posters, payroll stuffers and other communications to remind workers and their families to follow best safety and contagious disease prevention practices during the holidays.

Along with encouraging workers to stay healthy and safe during the Holidays, businesses should also consider providing documented reminders and taking other steps to encourage workers to provide timely notice of illnesses and injuries. They also should verify that appropriate management coverage and arrangements are in place so that management team absences don’t disrupt the business’ timely delivery of Family and Medical Leave Act, occupational injury and other notifications, coverage for absences, provision of benefits, and performance of other responsibilities in response to injury and illness reports, despite holiday-associated absences or hours of operation impacting the employing business or its responsible vendors.

Businesses also should verify their workplace safety, contagious disease and leave policies are designed and administered to prevent and mitigate exposure for unlawful OSH Act and worker’s compensation retaliation, disability discrimination against legally protected employees with chronic or other disabilities under the Americans with Disabilities Act (“ADA”), denial of leave or other violations of the Family and Medical Leave Act leave, notice and other requirements; and ADA and other privacy and confidentiality laws.

Alcohol & Other Consciousness-Altering Substance Consumption

The increased prevalence of holiday season celebrations and vacations often fuels an increase in consumption of alcohol, marijuana, and other consciousness-altering substances. This consumption can fuel a host of risks and headaches for businesses. Businesses concerned about these risks should act proactively to mitigate these risks.

When addressing business-related alcohol consumption, many businesses will want to consider not only alcohol and other consciousness-altering substance consumption at business-related events but also the potential costs that may arise from off-duty excess alcohol consumption. Whether on or off duty, excess alcohol, marijuana or other consciousness-altering substance consumption can undermine productivity, create attendance and discipline issues, and fuel a host of other risks even when it does not result in a specific accident or injury.

Impaired judgment from alcohol or other intoxication in the workplace or at other events often fuels or contributes to employees or others exhibiting or subjecting employees to inappropriate sexual advances or other discriminatory statements, violent behavior, suicidal behavior or other problematic conduct requiring workplace investigations and discipline.

Most businesses also recognize that accidents caused by alcohol or other intoxication at work or work-related functions create substantial liability exposures for the company under the OSH Act and other occupational safety laws, as well as to workers and any third parties injured by a drunken employee, business associate, client or guest.   

Businesses risk “dram shop” or other claims or other liability if employees or guests impaired by alcohol or other substances consumed at company-sponsored or associated events or operating company vehicles or equipment injure others.

Beyond this third-party liability, businesses also may incur significant worker’s compensation, health or disability benefit-related benefit costs if an employee is injured or injures another worker in an alcohol-related accident.   

The potential headaches are even greater where the business is a health care, education, automobile sales, trucking and other transportation, or another business subject to or that has voluntarily adopted specific drug and alcohol-free, drug and alcohol testing and other related regulatory or contractual requirements. Businesses subject to these requirements should ensure appropriate arrangements for timely drug and alcohol testing, reporting, and other compliance with these requirements during the holiday season to avoid regulatory or contractual penalties for noncompliance. Companies administering substance abuse testing must comply with applicable mandates while also ensuring that their processes incorporate appropriate protocols to comply with disability discrimination, accommodation and confidentiality requirements of the Americans With Disabilities Act (“ADA”). See, e.g., ADA May Require Employers To Accommodate Employees Testing Positive For Legally Prescribed Medications.

Also, because workers engaged in these industries generally risk loss of licensure, certification or other credentials required to perform their jobs for engaging in or failing to report certain alcohol or substance-related offenses or conduct, even off-duty consumption can create staffing headaches for an employer if a worker becomes temporarily or permanently disqualified to work as a result of a substance-related infraction. Consequently, businesses in industries affected by these heightened requirements have a heightened interest in educating and reminding workers to behave legally and responsibly when deciding if and when to consume alcohol or other consciousness-altering substances.

Accordingly, virtually all businesses can benefit from encouraging employees to be responsible when consuming alcohol in both business and non-business functions and in planning and hosting holiday functions. 

Businesses that serve alcohol at company functions or anticipate that employees will attend other business functions where alcohol will be served need to consider the potential liability risks that may result if the alcohol-impaired judgment of an employee or other guest causes him to injure himself or someone else.  A company that anticipates an employee or guest might consume alcohol at a company-sponsored or another business event should adopt and enforce clear policies to prohibit and prevent individuals from over-imbibing and from driving under the influence.  Many businesses also find it beneficial to suggest, require or offer at company expense alternate transportation for employees to use when leaving a company or business-related event where the employee consumed alcohol.

Businesses concerned with these liability exposures should take steps to manage the potential risks that commonly arise when employees, clients or other guests consume alcohol at company-sponsored events or while attending other business-associated festivities. To minimize these risks, many companies elect not to serve alcohol, or to limit the alcohol consumed by workers and served to guests, at company-sponsored events and other business functions.

To help prevent intoxication from fueling inappropriate behavior at company celebrations where alcohol might be consumed or present, businesses, at a minimum, should remind employees that company policies prohibiting intoxication apply to company-sponsored social and business events.  Some practical tips for hosting safe holiday gatherings include:

  • Management and other leaders should communicate expectations and set a good example.
  • Reduce opportunities for intoxication by prohibiting or restricting and monitoring the amount of alcohol available and served.
  • Offer a plentiful supply of a variety of nonalcoholic drinks—water, juices, sparkling sodas. Nonalcoholic drinks provide guests with alternatives to alcohol.  They also may help counteract the dehydrating effects of alcohol, slow the rate of alcohol absorption into the body and may reduce the peak alcohol concentration in the blood.
  • Provide a variety of healthy foods and snacks. Food consumption can slow the absorption of alcohol and reduce the peak level of alcohol in the body by about one-third. Food can also minimize stomach irritation and gastrointestinal distress the following day.
  • Encourage guests to help keep each other safe, and assign a team to monitor attendees for potential overconsumption or other signs of intoxication.  With appropriate pre-consumption notification to attendees, some businesses even require or encourage attendees consuming alcohol to take a breathalyzer test before departure to minimize the risk that an intoxicated guest will be arrested or involved in an accident after departing the party.
  • Help your guests get home safely by arranging reliable transportation by using designated drivers and taxis. Anyone getting behind the wheel of a car should not have ingested any alcohol.

Because holiday-associated alcohol consumption and other stresses also tend to fuel increased depression, domestic violence and other stress-associated behaviors, many businesses also find it beneficial to redistribute information about employee assistance programs (EAPs).

Businesses also may want to review the adequacy of existing health, disability, accident and dismemberment, group legal services and other benefit programs, liability insurance coverage and employment policies to protect and promote the company’s risk management and workforce coverage objectives.  Businesses can experience unfortunate surprises if they don’t anticipate the implications of these provisions on their employment policies, leave and benefit, safety and other workplace programs and liability insurance and indemnification obligations and costs. Maintaining and reminding workers about policies regarding alcohol consumption or intoxication, accident and traffic offense notifications, privacy waivers, or other policies enhancing accident investigation and response, or other strategic policies can help deter and facilitate investigation and response to on and off-duty accidents or other risk-creating events. 

Many employee assistance (“EAP”), health and disability programs incorporate special provisions affecting injuries arising from inappropriate alcohol use as well as offer coverage and benefits to aid employees and family members affected by mental health or substance abuse-related conditions. Changes in regulatory mandates and expanded enforcement of federal group health plan mental health and substance abuse coverage mandates make it important to ensure that employment-based health coverage complies with these requirements. Similarly, many businesses increasingly qualify for preferential rates or discounts on liability policies based upon representations that the business has in effect certain alcohol and drug use or other risk management policies and practices.  Reviewing these policies now to become familiar with any of these requirements and conditions can also be invaluable in helping a business respond effectively if an employee or guest is injured in an alcohol-related accident.

Discrimination & Harassment Liability Risks

Businesses should also manage exposures to religious, sex and other discrimination risks linked with the holiday season.   

Businesses should critically review their scheduling and other holiday season plans and practices for potential prohibited discrimination or other insensitivity. Businesses should carefully handle requests for religious-based scheduling changes, particularly in light of changes in judicial precedent and regulations in recent years.  Leave policies should disclose policies for scheduling and holiday leave clearly and include appropriate, updated policies and procedures for requesting religious accommodation.  Companies also should consider seeking advice from legal counsel before denying a faith-based request for a schedule change in light of the latest guidance or recent court decisions.

Business-sponsored or connected holiday or year-end parties, communications, gifts, and other December festivities and observances should be designed to reflect appropriate sensitivity to sexual harassment and religious and other cultural diversity risks.  Businesses should exhibit sensitivity and alert their workforce to their expectation that members of their workplace exhibit respect and sensitivity to differences in religious practices and observances among their employees, business associates and friends. Management and other workers should use care to plan social gatherings to be inclusive and to accommodate cultural, religious and other differences. Businesses also should be sensitive to the potential that workers of alternative faiths may feel discriminated against if holiday observances focus unduly on a particular religion to the exclusion of their faith.  Businesses also should use care to manage other discrimination exposures in the planning of holiday festivities, gift exchanges, and other activities. Businesses also should be vigilant in watching for signs of inappropriate patterns of discrimination in the selection of employees invited to participate in company-connected social events and off-duty holiday gatherings sponsored by managers and supervisors.

A good starting point is reminding employees, business partners and customers that the company expects employees, business partners and other guests to adhere to company rules against sexual harassment, religious and cultural and other inappropriate discrimination at company-sponsored and other gatherings involving other employees or business associates. Businesses also should remind employees that the company does not expect or require that employees submit to unwelcome sexual, religious, or other inappropriate harassment or discrimination when participating in parties or other social engagements with fellow employees, customers or other business partners, and of the procedures to follow to report any concerning events.  Even a simple e-mail reminder to employees that the company expects them to be familiar with and comply with these policies can help promote compliance and provide helpful evidence if an employee or other celebrant steps over the line.

To enhance the effectiveness of these reminders, a business should consider adopting and sharing specific guidance to educate workers about its policies, including examples to illustrate company-sponsored and other off-duty holiday-associated activities of particular concern. 

Businesses also should recognize that whether or not company-sponsored, the fraternization inherent in holiday parties and other celebrations where employees celebrate with other employees, clients, suppliers or other business associates can lower inhibitions and obscure the line between appropriate and inappropriate social and business behavior. With or without alcohol, some employees, clients or business associates may misinterpret the festive social atmosphere of holiday celebrations.  Some employees, clients or business associates make unwelcome sexual advances, make sexually suggestive or other inappropriate statements, or engage in other actions that expose the business to sexual harassment or other employment discrimination, harassment or retaliation liability. To help deter inappropriate or risky conduct, businesses should consider providing reminders that company prohibitions and rules about sexual harassment, discrimination, fraternization and other inappropriate conduct remain in effect during the holiday season, including when planning or attending holiday celebrations or other events hosted by the business, business partners and clients, and even private management sponsored events and observances.

Gift Giving, Gratuities & Social Entertainment

The exchange of social invitations, gifts and gratuities during the holiday season or at other times throughout the year also can raise various concerns. Businesses should adopt and communicate clear policies and procedures governing both giving and receiving social invitations, gifts, and other benefits.  Businesses should review applicable governmental regulations, contractual requirements, and customer and vendor policies for requirements that could impact the offering, receipt, reporting or other handling of gifts, social invitations or other activities. Businesses also should design policies to ensure that they collect and retain sufficient documentation from employees, officers, consultants, customers, and vendors to monitor compliance and other legal and operational risks associated with social entertainment, gifts, and other similar benefits, to report tax deductions and income arising from these activities appropriately, and to meet other compliance obligations. Businesses should review and update current business policies affecting social entertainment, gifting and other similar activities for opportunities to promote compliance and mitigate risks.

As with other holiday observances, all gifts, gratuities and social entertainment must adhere to applicable laws, regulations and company policies regarding bribery, conflict of interest or other inappropriate inducements or rewards. Companies should implement and enforce appropriate policies for the offering and provision of and recordkeeping and reporting of these perks.

Gifts, gratuities and entertainment practices also must not discriminate inappropriately based on sex, religion or other protected status and must reflect appropriate sensitivity to potential religious, sex, race, or other protected status. A business that anticipates workplace or work-connected private festivities might include white elephant or other gift exchanges may wish to specifically include a reminder to exercise care to avoid selecting a gift that may be sexually suggestive, insensitive to religious, cultural or other differences or otherwise offensive.   

Businesses also should confirm that all applicable tax implications arising from the giving or receiving of gifts are appropriately characterized, documented and reported in accordance with applicable tax, referral, conflict of interest and other requirements.

In addition to ensuring proper tax documentation and reporting, businesses also need to ensure and retain documentation of the propriety of invitations, gifts and other benefits.  Social entertainment and gift-giving activities intended to show appreciation or support marketing efforts can create significant legal or relationship risks if not properly tailored to avoid regulatory or contractual prohibitions or appearances of impropriety.  Government contractors, government officials, health care providers, nonprofits, public companies and an amazingly broad range of other entities often must comply with specific statutory, regulatory, contractual or ethical requirements affecting the giving or receiving of invitations, gifts or other preferences.  An ill-conceived social invitation, gift, or other benefit that violates these restrictions may expose both givers and recipients to legal prosecution, program disqualification and other serious legal risks. 

In addition to these externally imposed legal mandates, many businesses have established their own conflict of interest, social entertainment, gift giving or other policies to minimize the risk that employee loyalty or judgment will be compromised by gifts offered or received from business partners or other outsiders.  Employees, officers and contractors of businesses maintaining these policies may face termination or other significant discipline for violating these requirements.  Accordingly, businesses offering social invitations, gifts and other benefits to valued vendor or customer relationships must be sensitive to these organizationally imposed requirements.

Timekeeping, Performance, Attendance & Time Off

Businesses also commonly face a range of year-end timekeeping, attendance and time off, pay, compensation and productivity concerns.  The winter cold and flu season and other post-celebration illnesses, vacations, and winter weather inevitably combine to fuel a rise in absenteeism and competing requests for time off during the holiday season.  Improperly designed or out-of-date timekeeping and reporting, leave and attendance, investigations, privacy and other workplace policies can exacerbate management of these challenges and their costs. Further complications can arise when dealing with employees suspected of mischaracterizing the reason for their absence or otherwise gaming the company’s time off policies. Meanwhile, performance and productivity concerns also become more prevalent as workers allow holiday shopping, personal holiday preparations, and other personal distractions to distract their performance. 

Managing staffing needs and tracking and administering timekeeping, overtime and other pay, paid and unpaid time off and other attendance, compensation and absence administration while maintaining compliance with legally protected or other legitimate requests for excused time off by employees can present major headaches for businesses and their management.  Recent changes in federal, state and local paid and other protected leave mandates add additional traps for the unprepared. Businesses concerned with these challenges ideally will review their policies and practices to ensure their organizations have in place well-designed policies and practices concerning timekeeping, overtime and other pay, attendance and time off, productivity and performance that comply with the Fair Labor Standards Act and other compensation, timekeeping, leave, reporting, investigations, privacy and other federal, state and local laws. Businesses should exercise care when addressing productivity and attendance concerns to investigate and document their investigation before imposing discipline. Businesses also should ensure that their policies are appropriately and even-handedly administered.  They also should exercise care to follow company policies, to maintain time records for non-exempt workers, to avoid inappropriately docking exempt worker pay, and to provide all required notifications and other legally mandated rights to employees taking medical, military or other legally protected leaves. In the event it becomes necessary to terminate an employee during December, careful documentation can help the business to defend this decision.  The increasing prevalence of worker classification challenges by federal and state agencies and plaintiff’s attorneys also makes it important for businesses to take steps to require and preserve access to documentation to be able to demonstrate compliance with these and other applicable legal obligations by staffing and other contract labor suppliers.

Timely Investigation, Notification & Reporting

Businesses faced with allegations of discrimination, sexual harassment or other misconduct or potential business liabilities arising during holiday seasons should also take steps to ensure that appropriate staffing and other arrangements are in place to preserve their organization’s ability to promptly investigate and, if necessary, take appropriate corrective action to address complaints or other concerns arising during the holiday season around management or other time off.

Delay in investigation or redress of accidents, discrimination or other concerns can increase the liability exposure of a business presented with a valid complaint and complicate the ability to defend charges that may arise against the business.  Additionally, delay also increases the likelihood that a complaining party will seek the assistance of governmental officials, plaintiff’s lawyers or others outside the corporation in the redress of his concern.

If a report of an accident, act of discrimination or sexual harassment or other liability-related event arises, businesses should take steps to ensure that management responsible for responding to these and other occurrences is properly trained or otherwise supported to carry out these responsibilities in an appropriate, defensible manner as well as to provide timely notification as needed to any government entities, contract partners, insurers, agencies or other parties.  Injuries occurring at company-related functions often qualify as occupational injuries subject to worker’s compensation and occupational safety laws.  Data breaches and various other events may trigger notification or other disclosure obligations to meet statutory, contractual or other requirements.  Likewise, automobile, cyber, employment practices and other liability policies often require covered parties to notify the carrier promptly upon receipt of notice of an event or claim that may give rise to coverage, even though the carrier may not be obligated to tender a defense or coverage at that time.  Ensuring appropriate, timely response can play a critical role in promoting defensibility, mitigating liability or preserving coverage or indemnification rights.

For Help With Investigations, Policy Updates Or Other Needs

If your organization would like to learn more about the concerns discussed in this update or seeks assistance auditing, updating, administering or defending its human resources, compensation, benefits, corporate ethics and compliance practices, or other performance-related concerns, please contact management attorney and consultant Cynthia Marcotte Stamer.

An attorney Board-Certified in Labor and Employment Law by the Texas Board of Legal Specialization, Ms. Stamer’s work focuses on helping management manage performance, legal compliance and operational risks.

For more than 35 years, Ms. Stamer’s work has advised businesses and business leaders about enhancing the effectiveness and defensibility of their operations using employment and other workforce and services management, employee benefits, compensation, performance management, contracting, Federal Sentencing Guideline and other compliance and risk management, investigations, and other legal and operational tools and solutions.  While helping businesses define and manage the conduct and performance of their employees, contractors and vendors, she also assists employers and others with compliance with federal and state equal employment, compensation, health and other employee benefits, workplace safety, leave, and other labor and employment, privacy and data security, and other laws, advises and defends businesses against labor and employment, employee benefit, compensation, fraud and other regulatory compliance and IRS, Department of Labor, Department of Justice, SEC,  Federal Trade Commission, HUD, HHS, DOD, Departments of Insurance, Department of Health, Department of Agriculture and other federal and state regulators.

Ms. Stamer also speaks, coaches management and publishes extensively on these and other related matters.

Her work, thought leadership and scholarship on helping organizations manage people, operations and risk have earned her recognition as a Fellow in the American College of Employee Benefit Counsel, a “Top Woman Lawyer,” “Top Rated Lawyer,” and “LEGAL LEADER™” in Labor and Employment Law and Health Care Law; a “Best Lawyers” in “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law.”

For additional information about Ms. Stamer and her experience or to access other publications by Ms. Stamer see here or contact Ms. Stamer directly.

NOTICE:  These materials are for general informational and educational purposes only. They do not establish an attorney-client relationship, are not legal advice, a substitute for legal advice, an offer or commitment to provide legal advice or an admission. The information and statements in these materials may not address all relevant issues or apply to any particular situation or circumstances.  The author reserves the right to qualify or retract any of these statements at any time. Because the law evolves, subsequent developments could impact the currency and completeness of this discussion. The author disclaims and has no responsibility to provide any update or otherwise notify anyone of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers are urged to engage competent legal counsel for consultation and representation at any time, considering the specific facts and circumstances presented in their unique circumstances. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from using this publication.  Readers acknowledge and agree to the conditions of this Notice as a condition of their access to this publication.  Circular 230 Compliance. The following disclaimer is included to comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein. ©2024 Cynthia Marcotte Stamer.  All rights reserved.


AHIP Survey Shows Workers Value Employer-Provided Health Coverage

November 26, 2024

Public support and appreciation for employer-sponsored healthcare continues to run high, according to the results of a national online survey of 1,000 people with employer-provided coverage conducted by the research firm LSG for AHIP from July 10-19, 2024. The survey results reflect that employer-provided health coverage remains an important tool for employee recruitment and retention and show widespread opposition to public policy changes that would replace employer-provided coverage with government-provided benefits or tax employer-provided coverage or benefits.

AHIP commissioned the survey to understand the perceptions, priorities, and expectations of consumers with employer-provided coverage about their current coverage and benefits, employers, and public policy impacting their coverage and compare their attitudes against results of a survey conducted in April 2023. LSG reports the survey has a margin of error of +/- 3% and was balanced to national demographics for gender, age, and region. AHIP announced the results of the survey on November 13, 2024.

According to AHIP, 50% of Americans received their health coverage from employer-provided plans. The survey responses revealed:

  • A growing majority of consumers (75%, +12% since April 2023) are satisfied with their current employer-provided coverage.
  • 66% (+12%) are satisfied with the current health insurance system overall.
  • Comprehensive coverage, affordability, and choice of providers their plans provide are key factors in creating this satisfaction.
  • 71% (+12%) feel the quality of their current health plan is high.
  • 74% (+6%) prefer to get their coverage through their employer over a federal or state government program.
  • Although costs remain a top consumer concern and a leading source of plan dissatisfaction, 66% (+13%) of respondents reported that what they currently pay for their coverage overall is reasonable and helps to lower their health care costs.
  • While unhappy with coverage costs, 63% of respondents identified the comprehensiveness of coverage as a greater priority than affordability (31%).
  • Benefits most valued by respondents were emergency care (65%), prescription drugs (63%), and preventive care (57%).
  • Respondents reported their health plan covers preventive services (88%), provides access to top providers (78%), and gives them financial peace of mind if something bad were to happen (75%).
  • 53% of respondents reported feeling employer-provided coverage is effectively meeting children’s mental health needs and 61% reported believing the need for mental health care for children will increase.
  • 67% of respondents reported considering it important for health insurance plans to cover telehealth services.
  • 76% of respondents reported believing it’s important for the federal government to maintain the COVID-19 telehealth flexibilities for patients.

The survey also reflects the continued value of employer-provided health coverage in attracting and retaining employees. Sixty-one percent of respondents said health coverage plays an impactful role in employee recruitment and 80% reported health coverage was a reason for staying in their current position. Once informed that the average company pays 70-80% of the cost of coverage, a majority of respondents (71%) reported having a more favorable impression of companies that provide their employees with health insurance benefits.

The satisfaction and support shown in the survey suggest workers likely would oppose proposals by some politicians to change the current tax treatment of employer-provided coverage to tax employee health benefits. The survey found a growing majority oppose taxing employee health benefits (58%, +6%), and an even greater majority would be less likely to vote for a lawmaker who supports taxing them (63%).

Review the complete report of survey results here

If you have questions about health plan design, administration or defense, contact the author of this update, Cynthia Marcotte Stamer.

More Information

We hope this update is helpful. For more information about these or other legal, management or regulatory concerns, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452-8297.

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Management attorney and operations consultant Cynthia Marcotte Stamer uses a client objective oriented approach to help businesses, governments, associations and their leaders manage people, performance, risk, legislative and regulatory affairs, data, and other essential elements of their operations.

Recognized by her peers as a Martindale-Hubbell “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition from LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 35+ years of workforce and other management work, public policy leadership and advocacy, coaching, teachings, scholarship and thought leadership. As a part of this experience, Ms. Stamer has experience assisting clients with auditing, compliance, investigation and defense of SCA, Davis-Bacon, Fair Labor Standards Act and other pay, benefits, compensation and fringe benefit concerns.

A Fellow in the American College of Employee Benefit Counsel, Vice Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, Ms. Stamer’s work throughout her 35 year career has focused heavily on working with government contractors, health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. As an ongoing component of this work, she regularly advises, represents and defends businesses on Guideline Program and other compliance, risk management and other internal and external controls in a wide range of areas and has published and spoken extensively on these concerns.

Ms. Stamer also is widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on workforce, compensation, and other operations, risk management, compliance and regulatory and public affairs concerns.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and educational purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving, it is highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access to this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2024 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™


$100,000 Penalty Warning To Fulfill HIPAA Access Requirements

November 21, 2024

The $100,000 penalty paid by a mental health facility alerts health plans, health care providers and health care clearinghouses (“covered entities”) to the perils of failing to timely deliver health records access as required by the Health Insurance Portability and Accountability Act (“HIPAA”).

The $100,000 civil monetary penalty against California mental health provider Rio Hondo Community Mental Health Center (“Rio Hondo”) announced by the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) on October 19, 202 is the fifty-first OCR enforcement action under its HIPAA Right of Access enforcement initiative.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule’s right of access provisions generally require covered entities to provide individuals access to their protected health information within 30 days, with the possibility of one 30-day extension, and prohibit charging more than a reasonable, cost-based fee for this access.

The penalty against Rio Hondo resolves an OCR investigation into Rio Hondo over a failure to provide a patient with timely access to their medical records. OCR enforces the right of access and other requirements of the HIPAA Privacy Rule.

OCR launched an investigation after receiving a complaint from a patient that Rio Hondo did not provide timely access to their medical records, despite multiple requests in writing and by telephone. 

OCR’s investigation found that it took nearly seven months from the time the patient first requested the records until Rio Hondo provided them.

The patient made multiple telephone calls in July and August 2020 regarding the status of her request, but still did not receive the requested records until Rio Hondo produced the records in response to the investigation.

The late delivery of the records access did not end the enforcement action. Based on the facts, OCR found that Rio Hondo failed to take timely action in response to the patient’s right of access in accordance with the HIPAA Privacy Rule. 

In July 2024, OCR issued a Notice of Proposed Determination to impose a $100,000 civil monetary penalty. After Rio Hondo waived its right to a hearing and did not contest the findings of OCR’s Notice of Proposed Determination, OCR issued a Notice of Final Determination imposing the penalty. 

OCR’s announcement of the penalty includes a strong warning to other covered entities to comply with HIPAA’s access requirements. It quotes OCR Director Melanie Fontes Rainer as stating:

“Ensuring patients’ rights to timely access to medical information continues to be a HIPAA enforcement priority. Healthcare providers are legally obligated to provide patients with timely access to their medical records. If they fail to provide that access, OCR will not hesitate to do everything in its power, including imposing civil monetary penalties, to ensure compliance with the law.”

While this penalty applied to a health care provider, health plans also are required to comply with the right of access rules.

With OCR promising to continue to prioritize enforcement, all covered entities should take documented steps to confirm the adequacy of their existing processes to ensure compliance with OCR’s Right of Access guidance and other applicable federal and state legal and ethical requirements like the Employee Retirement Income Security Act (“ERISA”) claims and appeals and Patient Protection and Affordable Care Act (“ACA”) adverse benefit procedures applicable to health plans and State ethical and statutory medical records delivery requirements applicable to providers. Health care providers also should consider including processes for tracking and monitoring access requests in these processes that provide for review every 30 days. Covered entities should keep records of these efforts for the six-year period required by HIPAA’s record retention rules.

Covered entities that receive follow up access requests or otherwise discover a potential failure to timely provide access should engage a HIPAA knowledgeable attorney for help and advice. Obviously, covered entities should correct any oversight promptly by delivering the records access. However, legal counsel can assist by helping the covered entity assess if a violation actually occurred, avoid added violations or inflammatory communications or actions that could enhance exposures to complaints or penalties and suggest actions to help mitigate risks of an OCR investigation and penalties. For instance, past enforcement actions suggest a covered entity should consider foregoing requiring payment of charges HIPAA otherwise might allow for the records access to avoid further delay of access that could heighten penalty exposures. Covered entities also should document their delivery of access and their investigation and corrective actions addressing the source of the compliance failure.

The author of this update, Cynthia Marcotte Stamer, has worked extensively with health plans on these and other HIPAA, ERISA, ACA and other compliance and risk management concerns. If you have questions or need advice or help evaluating or addressing your HIPAA compliance or other concerns, contact her.


About the Author

Recognized by her peers as a Martindale-Hubbell “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition from LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for her more than 35 years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications including leading edge work on PBM, pharmacy and pharmaceutical and other health care, managed care, insurance, and insured and self-insured contracting, design, administration and regulation.

Author of numerous highly regarded works on PBM and other health plan contracting and design,  Immediate Past Chair of the ABA International Section Life Sciences Committee and the Tort Trial and Insurance Practice Section Medicine and Law Committee, past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and past Group Chair and current Welfare Benefit Committee Co-Chair of the ABA RPTE Employee Benefits & Other Compensation Group, Ms. Stamer is most widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on health and other privacy and data security and other health industry legal, public policy and operational concerns. 

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with HIPAA and other legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns.  

As a part of this work, she has continuously and extensively worked with domestic and international health plans, their sponsors, fiduciaries, administrators, and insurers; managed care and insurance organizations; third party administrators and other health benefit service providers; hospitals, health care systems and other health care providers, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; EMR, claims, payroll and other technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, self-insured health and other employee benefit plans, their sponsors, fiduciaries, administrators and service providers, insurers and other payers, health industry advocacy and other service providers and groups and other health and managed care industry clients as well as federal and state legislative, regulatory, investigatory and enforcement bodies and agencies.

Author of many highly regarded compliance, training and other resources on HIPAA and other risk management and compliance, Ms. Stamer is widely recognized for her thought leadership on HIPAA and many other health care, health plan and other health industry matters.  

In addition, Ms. Stamer serves as a Scribe for the American Bar Association (“ABA”) Joint Committee on Employee Benefits annual agency meetings with OCR and shares her thought leadership as International Section Life Sciences Committee Vice Chair, and a former Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. 

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.



Hospital’s $14K FMLA Backpay Payment Cautionary Lesson For Other Businesses

November 15, 2024

Employers subject to the Family and Medical Leave Act (“FMLA”) should avoid getting nailed by the U.S. Labor Department, as Methodist Family Health was, for denying federally-protected family leave.

The Labor Department announced November 14, 2024 that Methodist Family Health paid $14,082 to resolve charges from an investigation by the Wage and Hour Division that found Methodist Family Health prematurely terminated a worker out on family medical leave in violation of the FMLA.

The Labor Department found the worker qualified for 12 weeks of protected leave for a serious medical condition and parental leave after their child’s birth, but the employer terminated the worker after nine weeks of leave.

The employer erroneously limited the worker’s amount of protected leave based on the combined use of leave between the worker and the worker’s spouse, who is also employed by the company.

In announcing the back pay award, Wage and Hour District Director Hanz Grünauer warned, “The U.S. Department of Labor will defend worker protections and flexibilities protected by law and pursue all available remedies when those rights are violated.” 

To help workers identify and report FMLA violations, the Labor Department offers a search tool for workers to file online complaints, search for back wages collected by the Labor Department that workers think they may be owed, and understand and enforce other rights.

If you have questions about or need FMLA or other employment, benefits or compensation compliance assistance or defense, contact the author of this update, Cynthia Marcotte Stamer.



Encourage Health Plan Members To Reevaluate Health FSA & HSA Contributions For 2025 Annual Limit Increases

November 10, 2024

Employment based health plans and their employer sponsors should encourage plan members to consider increasing the amount of their discretionary employee contributions to health savings accounts (“HSAs”) and health flexible spending account plans when completing their annual enrollment elections, to take full advantage of the increased annual contribution limits for 2025 and the potentially available tax savings.

On May 10, 2024, the Internal Revenue Service (“IRS”) announced the 2025 maximum contribution limits for HSAs, the maximum Health Reimbursement Accounts (HRA) excepted benefit amount, and the minimum deductible and maximum out-of-pocket (“OOP”) expense limits under High-Deductible Health Plans (HDHP) in Rev. Proc. 2024-25.

2025 Inflation Adjusted HSA, HDHP, And HRA Amounts

The following adjustments apply to the calendar year 2025.

Annual HSA Contribution Maximum

  • $4,300 for single coverage ($150 increase from $4,150 in 2024)
  • $8,550 for family coverage ($250 increase from $8,300 in 2024)
  • The annual catch-up contribution for HSA-eligible individuals aged 55 or older remains $1,000.

2025 HDHP Minimum Deductible

  • $1,650 for single coverage ($50 increase from $1,600 in 2024)
  • $3,300 for family coverage ($100 increase from $3,200 in 2024)

HDHP Maximum Out-Of-Pocket

  • $8,300 for single coverage ($250 increase from $8,050 in 2024)
  • $16,600 for family coverage ($500 increase from $16,100 in 2024)

Health plans, health plan fiduciaries, service providers and administrators can help ensure both the health plan members and their sponsor realize the full tax benefits by ensuring plan enrollment and other communications are updated to communicate the limits as well as the importance for plan members to take into account annual increases in the limits when making their enrollment choices.

If you have questions about these or other health plan design or administration or need SCA compliance assistance or defense, contact the author of this update, Cynthia Marcotte Stamer.

More Information

We hope this update is helpful. For more information about these or other legal, management or regulatory concerns, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452-8297.

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Management attorney and operations consultant Cynthia Marcotte Stamer uses a client objective oriented approach to help businesses, governments, associations and their leaders manage people, performance, risk, legislative and regulatory affairs, data, and other essential elements of their operations.

Recognized by her peers as a Martindale-Hubbell “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition from LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 35+ years of workforce and other management work, public policy leadership and advocacy, coaching, teachings, scholarship and thought leadership. As a part of this experience, Ms. Stamer has experience assisting clients with auditing, compliance, investigation and defense of SCA, Davis-Bacon, Fair Labor Standards Act and other pay, benefits, compensation and fringe benefit concerns.

A Fellow in the American College of Employee Benefit Counsel, Vice Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, Ms. Stamer’s work throughout her 35 year career has focused heavily on working with government contractors, health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. As an ongoing component of this work, she regularly advises, represents and defends businesses on Guideline Program and other compliance, risk management and other internal and external controls in a wide range of areas and has published and spoken extensively on these concerns.

Ms. Stamer also is widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on workforce, compensation, and other operations, risk management, compliance and regulatory and public affairs concerns.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested in reviewing some of our other Solutions Law Press, Inc.™ resources.

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.


 


Federal Services Contractors & Subs Should Verify SCA Compliance

October 31, 2024

Businesses contracting or subcontracting with the federal government should verify their worker classification, pay and benefit practices comply with applicable federal prevailing wage, benefit and other requirements to avoid incurring expensive lessons like the one Crystal Enterprises Inc. is learning after a U.S. Department of Labor Wage and Hour Division (“WHD”) investigation determined its practices violated the McNamara-O’Hara Service Contract Act (“SCA”).

SCA Prevailing Wage & Fringe Benefit Mandates

SCA contract clauses require contractors and subcontractors performing services under federal prime contracts in excess of $2,500 to pay service employees in various classes no less than the local prevailing wages and fringe benefits for corresponding work on similar projects in the area or the rates (including prospective increases) contained in a predecessor contractor’s collective bargaining agreement. The SCA also requires these businesses to ensure they apply proper job classifications, rates of pay, benefits and prerequisites when paying workers on their federal contracts and keep appropriate documentation to prove compliance.

The SCA generally applies to contracts entered into by federal and District of Columbia agencies that have as their principal purpose furnishing services in the U.S. through the use of “service employees.” The definition of “service employee” includes any employee engaged in performing services on a covered contract other than a bona fide executive, administrative, or professional employee who meets the exemption criteria set forth in 29 CFR Part 541.

However, the SCA does not apply to certain types of contract services. The contracts exempt from SCA coverage include:

  • Contracts for construction, alteration, or repair, including painting, and decorating, of public buildings or public works (these are covered by the Davis-Bacon Act);
  • Work required in accordance with the provisions of the Walsh-Healey Public Contracts Act;
  • Contracts for transporting freight or personnel where published tariff rates are in effect;
  • Contracts for furnishing services by radio, telephone, telegraph, or cable companies subject to the Communications Act of 1934;
  • Contracts for public utility services;
  • Employment contracts providing for direct services to a federal agency by an individual or individuals;
  • Contracts for operating postal contract stations for the U.S. Postal Service;
  • Services performed outside the U.S. (except in territories administered by the U.S., as defined in the Act); and
  • Contracts subject to administrative exemptions granted by the Secretary of Labor in special circumstances because of the public interest or to avoid serious impairment of government business.

SCA Violations Costly

Violations of the SCA can trigger costly consequences. Violations can result in liability to workers for unpaid wages and benefits as well as the withholding of contract payments in sufficient amounts to cover wage and fringe benefit underpayments, contract termination and liability for any resulting costs to the government, legal action to recover the underpayments, and debarment from future contracts for up to three years.

The Crystal Enterprises enforcement action illustrates one of the costly surprises that businesses violating these rules can incur. Crystal Enterprises is paying $109,127 in back wages to employees to resolve exposures from a WHD investigation that concluded it failed to pay required prevailing wage and health and welfare benefits to 55 employees working at a U.S. Air Force training center dining facility on Eglin Air Force Base in Florida under a subcontract to perform full food services at that facility. WHD also concluded Crystal Enterprises paid workers lower rates of pay for holidays and for sick leave and vacation time used.

Federal Services Contractors Must Manage Compliance

Federal contractors subject to the SCA should make documented efforts to verify compliance and avoid common mistakes including:

  • Underpayment of service workers due to misclassification;
  • Erroneously considering workers exempt without regard to 29 C.F.R. Part 541 rules;
  • Failure to make timely payment of wages or fringe benefit contributions;
  • Lack of proper recordkeeping when cash payments are made to satisfy fringe benefit requirements;
  • Failure to notify service employees of the applicable wage and fringe benefit requirements, or failure to post the “Notice to Employees Working on Government Contracts” at a prominent and accessible place at the worksite;
  • Failure to use the conformance procedure for unlisted classes of employees;
  • Failure to segregate and keep records on hours spent on contract work and non-contract work for employees who do both; and
  • Failure to implement rate increases (if any) in a new wage determination in a multi-year contract subject to annual appropriations.

If you have questions about or need SCA compliance assistance or defense, contact the author of this update, Cynthia Marcotte Stamer.



UHG/Change Health Breach Highlights Health Plan Cyber-Related Duties

October 25, 2024

The sweeping risk that ransomware attacks present for health plans, their fiduciaries, business associates and other service providers, employer and other plan sponsors and their participants and beneficiaries is driven home by the disclosure of United Health Group (“UHG”) subsidiary Change Health to the Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) that it now has sent individual breach notifications to approximately 100 million individuals informing them that the February 21, 2024, Blackcat ransomware attack Change Health experienced impacted their electronic personal health information (“ePHI”). With health plans particularly exposed to the rising epidemic of ransomware threats, health plans, their fiduciaries, employer and other health plan sponsors and service providers face growing imperatives to tighten up both their compliance and risk management against these cyber threats.

Health Plans, Their Fiduciaries, Sponsors and Service Providers Face Health Plan Related Cybersecurity Responsibilities & Risks

The UHG Change Health breach and its evolving fallout provide a timely reminder to health plans and insurers, their fiduciaries, plan sponsors, vendors and leaders to take their own timely and prudent steps both to respond to fallout from the UHG breach and to prevent, prepare for and respond to other future cyber threats. These include direct threats to their own data and systems as well as indirect threats arising from ransomware, malware and other cyber events affecting business associates and other service providers, the plan sponsor, health care providers and other third party systems and data interfacing with their own systems and data.

Health plans and their business associate service providers face detailed responsibilities to prevent access, use, disclosure or destruction of electronic (“ePHI”) and other personally identifiable information (“PHI”) except as allowed by the Health Insurance Portability and Accountability Act (“HIPAA”) and to notify individuals of breaches of their ePHI in accordance with HIPAA’s breach notification rules. As part of these rules, HIPAA also restricts the circumstances in which health plans legally can allow employers or their representatives to access or use health plan PHI without a HIPAA-compliant authorization from the applicable individual. The months-long delay in Change Health’s ability to identify the individuals whose ePHI was impacted by the February 21, 2024, breach demonstrates the challenges that ransomware and other malware attacks on their own or third party systems can create for health plans, their fiduciaries and business associates in fulfilling these obligations as well as carrying out other critical plan functions. Aside from dealing with the immediate demands created by the breach, the Change Health breach and other similar events are the type of events that prompt an obligation under the HIPAA Security Rule for health plans and other HIPAA-covered entities to review and update their documented HIPAA Security Risk analyses and resulting safeguards for protecting against the destruction, loss of use, unauthorized use or disclosure of ePHI and other HIPAA required safeguards against future ransomware or other threats. Health plans and their fiduciaries should consult with experienced legal counsel about recommended processes for conducting and documenting this updated analysis.

Beyond these HIPAA mandates, the disruptions to health plan data and operations experienced by many health plans as a result of the UHG/Change Health breach also put health plans on notice of the potential need for health plans, their fiduciaries and service providers to conduct a documented, prudent analysis of their health plan security, backup and recovery, and other systems under the fiduciary responsibility rules of the Employee Retirement Income Security Act (“ERISA”). The purpose of that analysis is to protect ePHI and other sensitive health plan data and systems from unauthorized destruction, access, and disclosure that could disrupt health plan operations, allow use or disclosure of plan information other than for the exclusive benefit of the health plan, its participants and beneficiaries, or both.

In weighing their fiduciary responsibility to safeguard the health plan, its data and systems against ransomware, malware and other cybersecurity threats, health plans and their fiduciaries should keep in mind that the Department of Labor Employee Benefit Security Administration (“EBSA”) interprets the prudence, exclusive benefit and other ERISA fiduciary responsibility requirements as applying to PHI, financial, and other health plan data and systems. As part of these discretion, or control (“fiduciaries”) generally should take documented steps to ensure their ability to defend the prudence of their efforts to protect health plan data and systems including:

  • To prevent disruptions to health plan systems and data from malware or other malicious or other events experienced by their health plan and its sponsors, service providers, and other third parties interfacing with health plan systems that could disrupt health plan enrollment, claims and appeals or other operations as well as against access, use or disclosure except as legally allowed for the exclusive benefit of the health plan participants and beneficiaries and in accordance with HIPAA;
  • To implement and administer appropriate contractual, audit, oversight, notification, cyber liability and other coverage and indemnification and other arrangements with business associates and other third parties whose interactions with the health plan create threats to the integrity and security of health plan systems and operations;
  • To plan and implement appropriate insurance, indemnity and other arrangements to pay for prudent investigations and other responses necessary to a known or suspected threat or breach impacting its health plan administration, data and systems;
  • To plan and implement appropriate monitoring, notification, investigation, response and recovery arrangements to position the health plan to resume and continue timely administration of health plan enrollment, claims, appeals and other operations in the event the health plan or its service providers are impacted by a cybersecurity or other event that impacts health plan data or administrative systems;
  • To ensure timely monitoring, notification and response to cyber and other threats to its systems and data to protect the health plan and its participants and beneficiaries from damages arising from cybersecurity and other threats to its systems and data;
  • To communicate prudently with participants, beneficiaries and others regarding cybersecurity and other events impacting the security of data and systems; and
  • To act prudently to ensure adequate monitoring and response to cybersecurity and other threats to health plan data and systems to prevent and mitigate disruptions to health plan data and systems that could disrupt the orderly and timely administration of their health plan.

Change Health/UHG Breach Highlights Health Plan Cyber Threats & Exposures

The sweeping disruptions to health plan and other operations arising from the UHG/Change Health ransomware attack graphically illustrate how malware and other cyber incidents can trigger catastrophic disruptions in health plan and other health industry operations whether experienced directly by the health plan or from the indirect effects of a cybersecurity event experienced by a third-party interfacing with the health plan.

Health plans are particularly at risk from ransomware, malware and other hacking threats. OCR breach reports confirm ransomware and hacking present the largest cyber-threats for health plans and health care providers. While most OCR HIPAA resolution agreements have involved health care providers, the largest HIPAA breaches and resulting HIPAA resolution payments to date have involved health insurers and their health plans.

Ransomware, hacking and other cyber risks present significant and growing threats to health plans and health care providers. Over the past five years, there has been a 256% increase in large breaches reported to OCR involving hacking and a 264% increase in ransomware. In 2023, hacking accounted for 79% of the large breaches reported to OCR. The large breaches reported in 2023 affected over 134 million individuals, a 141% increase from 2022.

The UHG breach demonstrates ransomware and other breaches can have sweeping liability and operational disruptions that extend beyond the original victim and include but are rarely limited to HIPAA penalties.

In response to the growing threat revealed by this data, OCR increasingly has urged health plans and other covered entities to protect their data and systems against ransomware and other cyberattacks. The Change Health/UHG attack occurred just days after OCR announced the second of two HIPAA resolution agreements since October and published a series of other guidance warning covered entities and their business associates to guard against ransomware and other cybersecurity threats as part of their HIPAA obligations, prompted by concern over exploding threats.

Historically, most health plans, their sponsors, fiduciaries, and business associates assumed they could rely upon their insurers or other service providers to handle breaches experienced by that vendor impacting their health plans or members. However, OCR HIPAA and EBSA ERISA guidance reflects that health plans and plan fiduciaries need to take prompt documented actions before, during and after an insurer or other plan administrative services provider experiences a cybersecurity incident.

While UHG struggles to recover and defend its actions before Congress, regulators, customers, plan members and patients, providers and others, health plans, their sponsors, fiduciaries, and vendor business associates need to ensure their ability to demonstrate and defend the adequacy of their own breach protections, response, and other compliance.

HIPAA Security & Breach Notification Responsibilities

While most health plans, their sponsors, fiduciaries and vendors expect Change Health and other UHG entities to bear breach notification and other HIPAA responsibilities and to incur liabilities under HIPAA and other federal and state data privacy and cybersecurity laws, many health plan fiduciaries, sponsors, insurers, and administrative or other service providers don’t understand their own responsibilities under HIPAA to prevent and respond to the UHG and other cyber events potentially impacting their health plans.

Guidance published by the U.S. Department of Health and Human Services Office for Civil Rights (OCR) on March 13, 2023, alerts health plans and health insurers, their fiduciaries and plan sponsors, health care providers, health care clearinghouses, and their business associates (covered entities) against overlooking their own potential HIPAA responsibilities arising from the February 21 Change Health attack or other similar events.

HIPAA requires covered entities and their business associates to protect the privacy and security of protected health information, to have and enforce HIPAA-compliant business associate agreements, to conduct timely documented risk assessments in response to known or foreseeable security threats, and to provide notice of a breach to OCR, affected individuals and, for breaches affecting more than 500 individuals, the media. This responsibility includes both protecting protected health information from unauthorized use or disclosure and preventing its improper destruction or unavailability, such as can result from a ransomware attack or other disaster.

Under the HIPAA Security Rule, covered entities must conduct documented risk assessments to evaluate and monitor their electronic personal health information (EPHI) and associated systems for potential breaches and other threats that expose EPHI to unauthorized use, access, disclosure, destruction or other compromise.

To fulfill this requirement, the Security Rule requires covered entities and business associates to conduct documented risk assessments impacting their EPHI and to update these risk assessments in response to internal or external events impacting the adequacy of their risk assessments or security safeguards.

While the responsibility of covered entities and business associates to protect EPHI against unauthorized use, access and disclosure from cybercriminals and others receives the most attention, the Security Rule also includes the often less discussed responsibility to protect EPHI and related operating systems against destruction or other disruptions from a wide range of threats, including ransomware attacks.

OCR guidance makes clear that OCR views safeguarding EPHI against ransomware and other cybersecurity threats as encompassed in this duty.  As part of these efforts, OCR and other cybersecurity agencies have recommended among other things that covered entities and business associates:

  • Routinely take inventory of assets and data to identify authorized and unauthorized devices and software;
  • Prioritize remediation of known exploited vulnerabilities;
  • Enable and enforce multifactor authentication with strong passwords;
  • Close unused ports and remove applications not deemed necessary for day-to-day operations.

See, e.g., #StopRansomware: ALPHV Blackcat | CISA.

Furthermore, when a breach results in an unauthorized use, access, disclosure or destruction of EPHI, the HIPAA Breach Notification Rule requires covered entities and their business associates to provide timely notification of the breach to subjects of the breached EPHI and OCR, and if the breach affects more than 500 subjects, to the media.  Concurrently, the HIPAA Security Rule requires health plans and other covered entities to evaluate through documented risk assessments and take appropriate timely action to update their EPHI security as necessary to respond to breaches, potential breaches and other evolving threats to their EPHI and related systems.

On March 13, 2024, the Office for Civil Rights (OCR) released a “Dear Colleague letter” that warns the February 21, 2024 CH/UHG data breach is likely to trigger HIPAA obligations and investigations for Choice Health and UHG as well as other HIPAA-covered health plans, health care providers, health care clearinghouses and business associates.  While stating the investigation currently focuses on Change Healthcare and UHC, for instance, the Dear Colleague Letter warns that OCR anticipates that its response to the February 21, 2024 CH/UHG Attack eventually also will include “secondary” investigations of other health plans, health care providers, health care clearinghouses and business associates “tied to or impacted by this attack.”

In light of these anticipated secondary investigations, OCR’s Dear Colleague letter warns health plans, health care providers, health care clearinghouses and business associates to ensure they timely and properly handle their own potential HIPAA responsibilities arising from the CH/UHG Attack.  The Dear Colleague letter expressly alerts health plans, health care providers and other covered entities and business associates “that have partnered with Change Healthcare and UHG,” in anticipation of OCR’s expected secondary investigations, to ensure their own ability to demonstrate that their organizations meet all required HIPAA responsibilities, including that:

  • All required business associate agreements are in place;
  • All required breach notifications are provided to HHS, affected persons and in the event of a large breach affecting more than 500 individuals, to the media; and
  • All security and other HIPAA responsibilities are met.

The Dear Colleague Letter also directed covered entities and their business associates to the following previously released OCR resources for assistance in understanding their responsibilities for guarding EPHI against ransomware and other cybersecurity threats:

  • The OCR HIPAA Security Rule Guidance Material webpage;
  • OCR Video on How the HIPAA Security Rule Protects Against Cyberattacks;
  • OCR Webinar on HIPAA Security Rule Risk Analysis Requirement;
  • HHS Security Risk Assessment Tool;
  • Factsheet: Ransomware and HIPAA; and
  • Healthcare and Public Health (HPH) Cybersecurity Performance Goals.

Standing alone, the Dear Colleague Letter makes clear that all covered entities partnered with or impacted by disruptions from the CH/UHG attack need to take documented steps to reevaluate and tighten the adequacy of their existing security safeguards as well as their processes for monitoring and responding to evolving ransomware and other cybersecurity threats in anticipation of becoming the target of potential “secondary” OCR investigations arising from the CH/UHG Attack.

While the Dear Colleague Letter specifically references covered entities and business associates “partnered” with Choice Health, OCR’s previously issued guidance warning all covered entities and their business associates to safeguard their EPHI against ransomware and other cybersecurity threats strongly suggests that all covered entities and business associates should consider the advisability of reevaluating the adequacy of their own EPHI safeguards in light of the heightened ransomware and other cyber threat illustrated by the CH/UHG Attack.  Consequently, all covered entities and business associates partnered with or impacted by the CH/UHG Attack or its resulting disruptions specifically, as well as covered entities and business associates generally, should work with experienced legal counsel to conduct documented risk assessments of their systems, exposures, responsibilities and risks, taking into account these developments, as soon as possible in anticipation of complaint or audit driven investigations arising from the Choice Health and other malware events and threats.

Health Plan Data Security & Breach Related ERISA Duties

In addition to any applicable HIPAA responsibilities, fiduciaries and sponsors of employer or union sponsored health plans subject to the Employee Retirement Income Security Act (ERISA) also should consider whether, in light of the CH/UHG Attack or the heightened ransomware and other cybersecurity threats, any additional actions are prudently necessary to protect the health plan data, assets or operations.

ERISA generally requires individuals or entities named as fiduciaries or otherwise possessing functional discretionary authority or responsibility over a plan or its assets (fiduciaries) to act prudently to protect and administer the plan and its assets.  Department of Labor Employee Benefit Security Administration (EBSA) guidance published in April, 2021 first officially confirmed its interpretation of ERISA’s duty of prudence as including a duty to utilize prudent cybersecurity safeguards.  Since EBSA published this cybersecurity guidance, EBSA also has added cybersecurity inquiries to its plan fiduciary audits. As a result, in addition to complying with HIPAA, ERISA-covered health plan fiduciaries and sponsors also should be prepared to demonstrate that plan fiduciaries acted prudently to comply with HIPAA as well as the following actions to safeguard health and other employee benefit plan data and systems against cybersecurity threats:

  • Tips for Hiring a Service Provider: Helps plan sponsors and fiduciaries prudently select a service provider with strong cybersecurity practices and monitor their activities, as ERISA requires.
  • Cybersecurity Program Best Practices: Assists plan fiduciaries and record-keepers in their responsibilities to manage cybersecurity risks.
  • Online Security Tips: Offers plan participants and beneficiaries who check their retirement accounts online basic rules to reduce the risk of fraud and loss.

In light of this OCR and EBSA guidance, health plan sponsors, fiduciaries and vendors and other HIPAA covered entities and business associates are urged to take documented steps to audit and strengthen as needed their safeguards against hacking and other cybersecurity threats including:

  • In the case of any health plan or health plan vendor, taking well documented steps to assess and tighten as necessary their health plan systems and data security to meet or exceed the recommendations outlined in the EBSA cybersecurity guidance or otherwise necessary to prudently guard their plans and plan data and systems against cybersecurity threats.
  • Reviewing and monitoring on a documented, ongoing basis the adequacy and susceptibilities of existing practices, policies, safeguards of their own organizations, as well as their business associates and their vendors within the scope of attorney-client privilege taking into consideration data available from OCR, data regarding known or potential susceptibilities within their own operations as well as in the media, and other developments to determine if additional steps are necessary or advisable.
  • Updating policies, privacy and other notices, practices, procedures, training and other practices as needed to promote compliance and defensibility.
  • Renegotiating and enhancing service provider agreements to detail the specific compliance, audit, oversight and reporting rights, workforce and vendor credentialing and access control, indemnification, insurance, cooperation and other rights and responsibilities of all entities and individuals that use, access or disclose, or provide systems, software or other services or tools that could impact on security; to clarify the respective rights, procedures and responsibilities of each party in regards to compliance audits, investigation, breach reporting, and mitigation; and other relevant matters.
  • Verifying and tightening technological and other tracking, documentation and safeguards and controls on the use, access and disclosure of protected health information and systems.
  • Conducting well-documented training as necessary to ensure that members of the workforce of each covered entity and business associate understand and are prepared to comply with the expanded requirements of HIPAA, understand their responsibilities and appropriate procedures for reporting and investigating potential breaches or other compliance concerns, and understand as well as are prepared to follow appropriate procedures for reporting and responding to suspected violations or other indicia of potential security concerns.
  • Tracking and reviewing on a systemized, well-documented basis actual and near miss security threats to evaluate, document decision-making and make timely adjustments to policies, practices, training, safeguards and other compliance components as necessary to identify and resolve risks.
  • Establishing and providing well-documented monitoring of compliance that includes board level oversight and reporting at least quarterly and sooner in response to potential threat indicators.
  • Establishing and providing well-documented timely investigation and redress of reported violations or other compliance concerns.
  • Establishing contingency plans for responding in the event of a breach. 
  • Establishing a well-documented process for monitoring and updating policies, practices and other efforts in response to changes in risks, practices and requirements.
  • Preparing and maintaining a well-documented record of compliance, risk, investigation and other security activities.
  • Pursuing other appropriate strategies to enhance the covered entity’s ability to demonstrate its compliance commitment both on paper and in operation.

Because of susceptibilities in systems, software and other vendors of business associates, covered entities and their business associates should use care to assess and manage business associate and other vendor associated risks and compliance, as well as tighten business associate and other service agreements to promote the improved cooperation, coordination, management and oversight required to comply with the new breach notification and other HIPAA requirements by specifically mapping out these details.

Furthermore, while the preemption provisions of ERISA generally insulate health plans and their sponsors from responsibility or liability for complying with state insurance, data security, breach notification or other state law cybersecurity and cyber breach and breach notification laws and rules, health insurers and other health plan service providers generally remain subject to these state law requirements.  Consequently, health insurers, administrative service providers and other health plan vendors also should act promptly to evaluate and ensure their fulfillment of all applicable cybersecurity and data breach mandates under relevant state law.

Leaders of covered entities or their business associates also are cautioned that while HIPAA itself does not generally create any private right of action for victims of breach under HIPAA, breaches may create substantial liability for their organizations or increasingly, organizational leaders under state data privacy and breach, negligence or other statutory or common laws.  In addition, physicians and other licensed parties may face professional discipline or other professional liability for breaches violating statutory or ethical standards.  Meanwhile, the Securities and Exchange Commission has indicated that it plans to pursue enforcement against leaders of public health care or other companies that fail to use appropriate care to ensure their organizations comply with privacy and data security obligations and the Employee Benefit Security Administration recently has issued guidance recognizing prudent data security practices as part of the fiduciary obligations of health plans and their fiduciaries.

Health plans and other covered entities are reminded that appropriate strategic planning and use of attorney-client privilege and other evidentiary tools can critically impact the defensibility of pre-breach, breach investigation and post-breach investigation and decision-making. Because HIPAA, EBSA and other rules typically require prompt investigation and response to known or suspected hacking or other cybersecurity threats, health plans and other covered entities or business associates should seek the assistance of experienced legal counsel to advise and assist in these activities to understand the potential availability and proper use of these and other evidentiary rules as part of the compliance planning process as well as to prepare for appropriate use in the event of a known or suspected incident to avoid unintentional compromise of these protections.

ERISA & Other Risks From Untimely Acceptance & Processing of Health Plan Eligibility & Benefit Provisions

Since Change Health shut down its tools and systems, the CH/UHG Attack has created and continues to cause nationwide disruptions in the ability of pharmacy, physician and other health care providers to submit, and health plans and insurers to receive and process, a wide range of health care billing, claims and other transactions because of the widespread integration and use of Choice Health tools in systems health care providers and payers use for the submission, receipt, and processing of health care provider eligibility, billing and other health benefits.

Along with the liabilities and headaches that the ransomware attack and resulting disruptions create for Choice Healthcare and UHG, delays and other disruptions in the handling of health benefit eligibility, claims processing, notifications and payment by health plans and their administrative services providers arising from the attack can create a host of additional liability headaches for health plans, health insurers, their fiduciaries and administrative services providers in addition to those arising directly from the HIPAA and other cybersecurity breach itself.

For ERISA-covered health plans, ERISA generally holds health plans and their fiduciaries accountable for the prudent, timely administration of health plan eligibility, claims and other administrative functions in accordance with the terms of the plan and within the applicable time frames and other requirements of ERISA’s reasonable claims procedure and adverse benefit determination rules.  Health plans and their ERISA plan administrators generally must receive and process claims transactions required by the adverse claim determination regulations and provide participants or beneficiaries with detailed written notifications for any claims not processed and paid within the relevant 72-hour, 15-day or 30-day time period specified by the adverse claim determination rules.  Noncompliance with these requirements both undermines the defensibility of the health plan’s denial of coverage and subjects the plan administrator to liability for EBSA penalties and/or discretionary awards of penalties plus attorneys’ fees and other costs of enforcement to plan participants or beneficiaries for failures to deliver timely notification of the denial.  To the extent that EBSA or a court determines that the failure to timely and appropriately process and pay benefits resulted from a lack of prudence or other breach of ERISA fiduciary duties, fiduciaries are at risk for incurring personal liability for actual damages to the plan or its participants plus attorneys’ fees and other costs of enforcement; EBSA penalties for engaging in a breach of fiduciary duty under ERISA section 502(l); or both.

Beyond these ERISA-related risks, delays in processing and payment of health care provider claims also create potential additional liability for health insurers, health plans and their administrators to the extent the disruptions prevent the timely payment and processing of health benefit claims in violation of health care provider rights under managed care or other provider contracts, prompt pay and surprise billing or other provider legal rights.  Unlike member claims assigned to providers, ERISA generally does not preempt these nonderivative provider rights and claims or the additional state law damages, penalties or other remedies arising under state law against health insurers, health plans and plan administrators found to violate these rules. Consequently, delays in payments to providers also could substantially increase the costs and liabilities borne by health insurers, health plans, their fiduciaries, administrators, and employers and other sponsors obligated under the plan terms or vendor contracts to pay these costs.

In light of these and other potential risks, health insurers and health plans, their employer, union and other sponsors, fiduciaries, administrative services providers and other vendors should act quickly to investigate and ensure proper management of the fallout from the CH/UHG Attack and the heightened ransomware and other cybersecurity threats it represents.

Along with working with qualified legal counsel to address the potential HIPAA, ERISA and other responsibilities the health plan or insurer, its fiduciaries, service providers and sponsor bear from the CH/UHG Attack and other cyber risks, most parties also will want to evaluate obligations to notify cybersecurity and other liability insurers, seek indemnification from Choice Healthcare, UHG or other potentially culpable parties and evaluate other sensitive data and strategies for mitigation of their health plan and their own resulting liabilities, costs and other consequences.

For Additional Information

We hope this update is helpful. Solutions Law Press, Inc. invites you to receive future updates by registering here and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

If you have questions or need assistance with this or other cybersecurity, health, benefit, payroll, investment or other data, systems or other privacy or security related risk management, compliance, enforcement or management concerns, wish to inquire about arranging for compliance audit or training, or need legal representation on other matters, contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452-8297.

About the Author 

Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 35 plus years of health and other benefit, health care and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

Ms. Stamer is widely recognized and sought out for her knowledge and experience on health, employee benefits and other privacy and security. Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, life sciences, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns.

A Fellow in the American College of Employee Benefit Counsel, Scribe for the Co-Chair of the American Bar Association (“ABA”) JCEB Annual Agency Meeting with HHS-OCR, ABA International Section Life Sciences and Health Committee and Vice-Chair and Chair Elect of its International Employment Law Committee, Chair of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee and author of a multitude of highly-regarded publications on HIPAA and other cybersecurity, privacy, technology, employee benefits and health care publications, Ms. Stamer is most widely recognized for her decades of pragmatic, leading-edge work, scholarship and thought leadership on health benefit and other healthcare and life science, managed care and insurance and other workforce and staffing, employee benefits, safety, contracting, quality assurance, compliance and risk management, and other legal, public policy and operational concerns in the healthcare and life sciences, employee benefits, managed care and insurance, technology and other related industries. She speaks and publishes extensively on these and other related compliance issues.

Author of a multitude of highly regarded publications on HIPAA and other medical record and data privacy and scribe for the ABA JCEB Annual Meeting with the HHS Office of Civil Rights, her experience includes extensive involvement throughout her career in advising health care and life sciences and other clients about preventing, investigating and defending EEOC, DOJ, OFCCP and other Civil Rights Act, Section 1557 and other HHS, HUD, banking, and other federal and state discrimination investigations, audits, lawsuits and other enforcement actions as well as advocacy before Congress and regulators regarding federal and state equal opportunity, equity and other laws. 

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here, such as:

OCR’s warning and referencing of these resources strongly signals that OCR will hold health plans and business associates targeted for OCR investigation after experiencing or being impacted by a breach to demonstrate their fulfillment of these and other requirements. Accordingly, given OCR’s Letter and the continued heightened ransomware and other cyber security risk, health plans and other covered entities and business associates, their fiduciaries, sponsors, and vendors, whether or not partnered with or impacted by the Choice Health/UHG attack, should work with experienced legal counsel to conduct documented risk assessments of their systems, exposures, responsibilities and risks, taking into account these developments, as soon as possible in anticipation of complaint or audit driven investigations due to the UHG/Choice Health and other ransomware, malware and cybersecurity events and threats.

Based on existing OCR guidance, Choice Health/UHG and other known and evolving ransomware and other cyber attacks almost certainly warrant the need for those partnered or impacted by the breach to conduct documented evaluations of the need to provide breach notification, as well as updated risk assessments. Moreover, given the widespread and continuing exposure to ransom and other cyber security risks referenced in the OCR and other reports, even those covered entities not partnered or impacted also need to conduct updated risk assessments based on the notifications of emerging risks highlighted by that breach.

Along with updating risk assessments and resulting safeguards, covered entities and business associates also clearly should ensure that they have and are enforcing up-to-date business associate agreements, privacy practices and policies, and cyber threat monitoring, defense and response. Impacted health plans, their employer and other sponsors, fiduciaries and business associates also should ask legal counsel about the availability of and notification and other requirements to qualify for indemnity or liability insurance coverage of breach-related claims and other options to mitigate or recover liabilities and costs arising from these and other breaches.

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and educational purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstances at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving, it is highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access to this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2024 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™


Teva Pharmaceuticals’ $450M Settlement Penalty Shows Risks Of Participating In Pharma Anti-Kickback and Price Fixing Schemes

October 11, 2024



PBM Lawsuit Against FTC Signals Growing Battle To Rein In PBMs

September 17, 2024

Employers, health plan sponsors and fiduciaries, health care providers and individuals concerned about prescription drug prices and access should carefully follow the rapidly accelerating battle between the Federal Trade Commission (“FTC”) and pharmacy benefit managers (“PBMs”), which threatens to reshape how pharmaceutical products are priced and sold to health plans and consumers.

At the center of the complex pharmaceutical distribution chain that delivers prescription medicines from manufacturers to patients, PBMs generally are vertically integrated organizations that simultaneously serve and regulate health plans and pharmacists and play other roles in the drug supply chain.

This vertical integration allows these six PBMs to wield enormous power and influence over health plans’ and patients’ access to drugs and the prices they pay, as well as pharmacies’ access to prescription drugs and the price and other terms under which pharmacies qualify for health plan coverage or payment for these medications.

PBMs also exert substantial influence over independent pharmacies by imposing contractual terms as a condition of accessing medications, covering the pharmacies under health plans contracted with the PBMs, or both.

Mergers and consolidations within the PBM, pharmacy and health benefit industries that brought ownership of the largest PBMs under common ownership with large insurers and retail pharmacies they purport to both manage and work with have increased the already significant power of PBMs to use their integration to control these and other aspects of prescription drug availability, access, distribution, and pricing. Consequently, the six largest PBMs – Caremark Rx, LLC; Express Scripts, Inc.; OptumRx, Inc.; Humana Pharmacy Solutions, Inc.; Prime Therapeutics LLC; and MedImpact Healthcare Systems, Inc. – now collectively negotiate and enforce access, coverage, pricing and other key terms and conditions governing the availability, access to, and cost of prescription drugs for hundreds of millions of Americans.

With the consolidation of ownership of large PBMs, payers and pharmacies further tightening these PBMs’ control over prescription drug distribution, pricing, and coverage and prescription drug costs continuing to rise, PBMs and their practices increasingly face scrutiny, challenges and calls for reform by employers and other plan sponsors, health care providers, independent pharmacies, the FTC and other regulators, Congress, state legislatures and regulators, consumers, and others. See Report on Pharmacy Benefit Managers: The Powerful Middlemen Inflating Drug Costs and Squeezing Main Street Pharmacies.

FTC July 2024 Interim Report On Six Largest PBMs

In response to these and other growing concerns about consolidation, lack of transparency and other potential abuses in the PBM industry and prescription drug costs, the FTC began investigating the PBM industry in 2022. In July 2024, the FTC released its Report on Pharmacy Benefit Managers: The Powerful Middlemen Inflating Drug Costs and Squeezing Main Street Pharmacies (the “FTC Report”), which reports the FTC’s interim findings from its ongoing study of how the six largest PBMs – Caremark Rx, LLC; Express Scripts, Inc.; OptumRx, Inc.; Humana Pharmacy Solutions, Inc.; Prime Therapeutics LLC; and MedImpact Healthcare Systems, Inc. – use their vertical integration and concentration to inflate drug costs, squeeze Main Street pharmacies and engage in other practices harmful to patients and independent pharmacies.

The FTC Report shares interim findings based on the FTC staff’s review of more than 1,200 public comments to identify predominant areas of concern, initial submissions of internal documents and data from PBM respondents and their affiliates, interviews of various industry experts and participants and review of other public data and information. The FTC Report also discloses that certain PBMs have yet to produce the data and documents required in response to FTC orders issued more than two years ago. While stating its study continues and promising that the FTC will continue efforts to force the PBMs to produce the evidence demanded in the orders, the FTC Report also promises to share regular updates about its progress and findings.

While the investigation continues, the FTC Report shares the FTC’s interim findings that:

  • The market for pharmacy benefit management services has become highly concentrated, and the largest PBMs are now also vertically integrated with the nation’s largest health insurers and specialty and retail pharmacies;
  • As a result of this high degree of consolidation and vertical integration, the leading PBMs can now exercise significant power over Americans’ access to drugs and the prices they pay;
  • Vertically integrated PBMs may have the ability and incentive to prefer their own affiliated businesses, which in turn can disadvantage unaffiliated pharmacies and increase prescription drug costs;
  • Evidence suggests that increased concentration may give the leading PBMs the leverage to enter into complex and opaque contractual relationships that may disadvantage smaller, unaffiliated pharmacies and the patients they serve;
  • PBMs and brand drug manufacturers sometimes negotiate prescription drug rebates that are expressly conditioned on limiting access to potentially lower cost generic alternatives in exchange for higher rebates from the manufacturers in a manner that may cut off patient access to lower-cost medicines and warrant further scrutiny by the Commission, policymakers, and industry stakeholders.

The FTC Report also shares the FTC’s concern that the six largest PBMs improperly use their integration and market control over 95 percent of all prescriptions filled in the United States:

  • To profit at the expense of patients and independent pharmacists;
  • To hike the cost of and overcharge for drugs;
  • To squeeze independent pharmacies that many Americans—especially those in rural communities—depend on for essential care;
  • To wield enormous power over patients’ ability to access and afford their prescription drugs, allowing PBMs to significantly influence what drugs are available and at what price; and
  • To impose unfair, arbitrary, and harmful contractual terms that can impact independent pharmacies’ ability to stay in business and serve their communities.

The FTC Report concludes that PBMs have an “outsized influence” that comes not only from the expansion of their traditional, middlemen administrative services in processing patients’ pharmacy prescription claims but also from decades of consolidation and vertical integration across the healthcare delivery system where “the largest PBMs have come under common ownership with the largest, most dominant health insurers … [that] operate some of the largest retail, mail order, and specialty pharmacies in the country, which compete with local independent pharmacies. Given these relationships, PBMs and their affiliated entities may have the incentive and ability to engage in steering a growing share of prescription revenues to their own pharmacies through specialty drug classification, self-preferential pricing, and pharmacy contracting procedures to target and control the business operations of pharmacies. While the FTC Report principally focuses on the impact of these changing market dynamics on the operation and vitality of the nation’s pharmacies, the FTC Report also states that initial evidence about PBM and brand pharmaceutical rebating practices “urgently warrant further scrutiny and potential regulation.”

The FTC Report concludes that these interim findings underscore the importance and urgency of scrutinizing the role and influence of PBMs in the nation’s healthcare system, particularly as federal and state governments are the largest purchasers of healthcare.

Express Scripts Sues FTC Demanding Retraction Of FTC Report

Not surprisingly, the PBMs subject to the FTC Report generally have protested the reported findings. On September 17, 2024, CIGNA-owned Express Scripts sued the FTC, demanding that the FTC retract the FTC Report. In the Express Scripts, Inc. v. FTC complaint (the “Complaint”), Express Scripts characterizes the FTC Report as “unfair, biased, erroneous, and defamatory.” In the Complaint, Express Scripts alleges:

“According to the Commission’s press release announcing the Report, the Report stems from special orders issued under Section 6(b) of the FTC Act to six PBMs, including Express Scripts, demanding data and information about the PBM industry. But the Report is not an analysis of the data and information produced by the PBMs. Instead, it is seventy-four pages of unsupported innuendo leveled against Express Scripts and other PBMs under a false and defamatory headline and accompanied by a false and defamatory press release. The Commission disregarded the millions of documents and terabytes of data produced and relied instead on unverified comments from the very companies that PBMs negotiate against in order to help lower drug costs. Not surprisingly, those entities are incentivized to point the finger at PBMs for allegedly driving drug costs up, when it is PBMs who are, in fact, bringing drug costs down.”

Charging that the FTC Report “followed prejudice and politics, not evidence or sound economics, and wrongly concluded that PBMs inflate drug costs and harm independent pharmacies” and harmed Express Scripts’ business and reputation by the FTC’s “unlawful, unconstitutional, and arbitrary and capricious conduct and defamatory statements,” the Complaint alleges that the FTC Report “gets nearly everything wrong” as a result of FTC Chair Khan’s and the FTC’s bias against PBMs and failure to consider the evidence before them. For example, the Complaint asserts:

“It falsely accuses Express Scripts and other PBMs of “controlling” access to drugs and drug pricing when it is manufacturers who set drug prices and plan sponsors who decide which drugs to cover for their members.

It attacks Express Scripts for disadvantaging independent pharmacies when the evidence produced shows that on average independent pharmacies not affiliated with PBMs receive higher reimbursements than unaffiliated chain pharmacies, independent pharmacies are profitable, and the number of prescriptions filled at independent pharmacies is increasing.

It falsely claims that Express Scripts is “profiting by inflating drug costs,” including by taking rebates from drug manufacturers in return for putting high cost drugs on formularies when, in truth, the bulk of rebates and fees received by PBMs get passed through to plan sponsors and lower the net cost of drugs to plan sponsors and members. Moreover, Express Scripts prefers drugs with the lowest net cost to its plan sponsors on its largest standard formularies.

It makes the broad-brush claim that the PBMs failed to comply with the Commission’s 2022 6(b) orders, which demanded extensive data and information for production—without identifying who the supposed offenders are—even while Express Scripts had long ago complied with the Commission’s requests, which the Commission knew and verbally acknowledged before and after issuing its Report.

It falsely states that PBMs, including Express Scripts, “profit at the expense of patients by inflating drug costs” when the evidence shows that PBMs compete for the business of plan sponsors by offering lower costs for covered drugs than their competitors. PBMs have low and declining operating margins and any PBM that sought to inflate the cost of covered drugs would quickly lose its clients.”

Due to these alleged false conclusions, the Complaint charges that the FTC Report violates federal and state law several times over, including in at least the following ways:

  • By exhibiting bias against PBMs and prejudgment of the facts, the Report violates Express Scripts’ right to due process under the Fifth Amendment to the U.S. Constitution.
  • It contains (i) assertions that will predictably be and have been interpreted as conclusions adverse to all PBMs and (ii) false statements unsupported by the record that demonstrate the Commission’s failure to consider the available contrary evidence and render its decision arbitrary and capricious.
  • It is not in the public interest and therefore exceeds the Commission’s statutory authority under Section 6(f) of the FTC Act.
  • It is unlawful because Commissioners exercise executive authority while enjoying statutory removal protections in violation of Article II of the U.S. Constitution.
  • And the Commission’s claim both in the Report and the accompanying press release that PBMs, including Express Scripts, are “inflating drug costs” and “profit by inflating drug costs at the expense of patients,” is false and defamatory.

The Complaint claims that Express Scripts has suffered and continues to suffer financial, business and reputational harm from the FTC Report’s allegedly false statements about its business practices and the insinuation that Express Scripts’ successful efforts to fight for lower prices for plan including being sued in multiple lawsuits invoking the FTC Report as evidentiary support for plaintiffs’ claims and facing multiple demands for information from state regulators and federal legislative committees. Contending these harms “have only just begun and will only be compounded over time,” Express Scripts asks the District Court:

  • To vacate and require the FTC to set aside the FTC Report;
  • To make the FTC correct the false statements it has made about PBMs; and
  • To require the recusal of FTC Chair Khan from further FTC proceedings regarding Express Scripts in light of her evident bias against PBMs, including Express Scripts.

Regardless of how the Express Scripts lawsuit plays out, employers and other health plan sponsors, fiduciaries, third party administrators, insurers, pharmacies, health care providers and individual Americans can expect to see continued challenges and attempts to reform PBMs to address perceived abuses. The direction and specifics of those challenges and changes remain unclear. Since political pressure is likely to significantly influence the ultimate outcome of any reforms, concerned individuals and organizations should carefully monitor and provide input.

Meanwhile, employer and other health plan sponsors and fiduciaries should also anticipate that the FTC Report and similar Congressional and other studies and investigations may increasingly fuel and provide evidence to support participants’ and beneficiaries’ questions and challenges to PBM features and practices within their health plans.

More Information

We hope this update is helpful. For more information about the  or other health or other employee benefits, human resources, or health care developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452-8297.

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Recognized by her peers as a Martindale-Hubbell “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition from LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for her more than 35 years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications including leading edge work on PBM, pharmacy and pharmaceutical and other health care, managed care, insurance, and insured and self-insured contracting, design, administration and regulation.

Author of numerous highly regarded works on PBM and other health plan contracting and design,  Immediate Past Chair of the ABA International Section Life Sciences Committee and the Tort Trial and Insurance Practice Section Medicine and Law Committee, past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and past Group Chair and current Welfare Benefit Committee Co-Chair of the ABA RPTE Employee Benefits & Other Compensation Group, Ms. Stamer is most widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on health and other privacy and data security and other health industry legal, public policy and operational concerns. 

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services, data and technology and many other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. As a part of this work, she has continuously and extensively worked with domestic and international health plans, their sponsors, fiduciaries, administrators, and insurers; managed care and insurance organizations; third party administrators and other health benefit service providers; hospitals, health care systems and other health care providers, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; EMR, claims, payroll and other technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, self-insured health and other employee benefit plans, their sponsors, fiduciaries, administrators and service providers, insurers and other payers, health industry advocacy and other service providers and groups and other health and managed care industry clients as well as federal and state legislative, regulatory, investigatory and enforcement bodies and agencies.

She also has extensive experience helping health care systems and organizations, group and individual health care providers, health plans and insurers, health IT, life sciences and other health industry clients prevent, investigate, manage and resolve sexual assault, abuse, harassment and other organizational, provider and employee misconduct and other performance and behavior; manage Section 1557, Civil Rights Act and other discrimination and accommodation, and other regulatory, contractual and other compliance; vendors and suppliers; contracting and other terms of participation, medical billing, reimbursement, claims administration and coordination, Medicare, Medicaid, CHIP, Medicare/Medicaid Advantage, ERISA and other payers and other provider-payer relations, contracting, compliance and enforcement; Form 990 and other nonprofit and tax-exemption; fundraising, investors, joint venture, and other business partners; quality and other performance measurement, management, discipline and reporting; physician and other workforce recruiting, performance management, peer review and other investigations and discipline, wage and hour, payroll, gain-sharing and other pay-for performance and other compensation, training, outsourcing and other human resources and workforce matters; board, medical staff and other governance; strategic planning, process and quality improvement; meaningful use, EMR, HIPAA and other technology, data security and breach and other health IT and data; STARK, anti-kickback, insurance, and other fraud prevention, investigation, defense and enforcement; audits, investigations, and enforcement actions; trade secrets and other intellectual property; crisis preparedness and response; internal, government and third-party licensure, credentialing, accreditation, HCQIA and other peer review and quality reporting, audits, investigations, enforcement and defense; patient relations and care; internal controls and regulatory compliance; payer-provider, provider-provider, vendor, patient, governmental and community relations; facilities, practice, products and other sales, mergers, acquisitions and other business and commercial transactions; government procurement and contracting; grants; tax-exemption and not-for-profit; privacy and data security; training; risk and change management; regulatory affairs and public policy; process, product and service improvement, development and innovation, and other legal and operational compliance and risk management, government and regulatory affairs and operations concerns. to establish, administer and defend workforce and staffing, quality, and other compliance, risk management and operational practices, policies and actions; comply with requirements; investigate and respond to Board of Medicine, Health, Nursing, Pharmacy, Chiropractic, and other licensing agencies, Department of Aging & Disability, FDA, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; JCHO and other accreditation and quality organizations; private litigation and other federal and state health care industry actions: regulatory and public policy advocacy; training and discipline; enforcement; and other strategic and operational concerns.

Author of publications on “Transparent PBM Contracting,” “ACOs, Direct Contracting: Legal & Practical Challenges For Employers, Providers & TPAs,” “The Medicare Advantage Contracting Manual,” “Third Party Administrator (TPA) Contracting Principles and Strategies” and a multitude of other highly regarded publications and presentations, Stamer is widely recognized for her thought leadership on PBM and other managed care and health plan contracting and design, and a multitude of other health care, health plan and other health industry matters. In addition, Ms. Stamer contributes her time and leadership to numerous policy, professional, civil and other organizations including service as the American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting and a former Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation. Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.


NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstance at the particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often rapidly evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. The author and Solutions Law Press, Inc. disclaim and have no responsibility to provide any update or otherwise notify anyone of any  fact or law specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.


©2024 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.


10/28 Deadline To Use Updated USCIS Forms

August 28, 2024

Check your U.S. Citizenship and Immigration Services (“USCIS”) forms and documentation. Following up on form updates previously announced earlier this year, USCIS released updated versions of the following USCIS forms on August 28, 2024:

Individuals and businesses using these or other USCIS forms should ensure that they are using the most current form. Except for the Form I-914, which must be used beginning August 28, 2024, USCIS will allow use of either the August 28, 2024 updated form or its predecessor form until October 28, 2024. Beginning October 28, 2024, use of the August 28, 2024 edition becomes mandatory.

Employers and other users of USCIS forms are reminded that USCIS has issued other form updates earlier this year that impact employment and other immigration documentation. Businesses and individuals affected by USCIS documentation should confirm that all of their forms are up-to-date.

If you have questions about the proper USCIS forms or documents to use or other workforce, compensation, employee benefits, or related concerns, contact the author.

About the Author 

Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 35 plus years of employment, employee benefits and other workforce, immigration, health care, insurance and financial services, technology and other performance, compliance, risk management and mitigation, incident and other investigations, regulatory and government affairs, and other strategic, operational, regulatory and legal and consulting management work for government contractors and other public and private businesses; managed care and other health and life science, insurance, technology, and other performance and data dependent organizations.

A Fellow in the American College of Employee Benefit Counsel, Immediate Past Co-Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee, Co-Chair of its International Employment Law Committee, and its Health Care Liaison; Immediate Past Chair of the ABA TIPS Section Medicine & Law Committee; Past Chair of the ABA Managed Care & Insurance Interest Group; Former Chair of the ABA RPTE Employee Benefits & Other Compensation Group and Chair or Co-Chair of its Welfare Benefit Committee for more than 10 years, and Chair of the ABA Intellectual Property Section Law Practice Management Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading-edge work, scholarship and thought leadership with healthcare and life sciences, employment and employee benefits, managed care and insurance, data and technology and other related industries and organizations. She is known for her skilled, combined use of her extensive legal and operational knowledge to help these and other clients develop, operationalize and defend employment, employee benefits, compensation and other staffing and workforce; data, systems and other technology; health benefit and other healthcare and life science, managed care and insurance; employee benefits, safety, contracting, quality assurance, compliance and risk management, and other legal, public policy and operational actions and practices. She speaks and publishes extensively on these and other related compliance issues.

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, life sciences, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns.

As part of this work, she regularly conducts compliance and risk management audits, investigations, and training on Form I-9 and other foreign worker, wage and hour, affirmative action and other federal and state civil rights, and other employment, employee benefits, regulatory, and other practices.

Author of a multitude of highly regarded publications, her experience includes extensive involvement throughout her career in advising health care and life sciences and other clients about preventing, investigating and defending USCIS, EEOC, DOJ, OFCCP and other Civil Rights Act, Section 1557 and other HHS, HUD, banking, and other federal and state discrimination, Federal Sentencing Guidelines and other compliance, investigations, audits, lawsuits and other enforcement actions as well as advocacy before Congress and regulators. 

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you may also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here

IMPORTANT NOTICE

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and educational purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstances at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving, it is highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access to this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2024 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™


Tighter FTC Breach Notification Rules Now Effective For Non-HIPAA Covered Handlers Of Health Information While HIPAA Covered Entities Face Continuing Duties Under HIPAA

August 8, 2024

Health and fitness mobile application developers and other businesses that collect or handle electronic or other health care information and are not subject to the Health Insurance Portability and Accountability Act (“HIPAA”) should evaluate their responsibility to comply with the personal health record (“PHR”) breach notification requirements of the recently amended Federal Trade Commission (“FTC”) Health Breach Notification Final Rule (the “HBN Rule”) and, if subject to the HBN Rule, ensure their compliance taking into account amendments to the HBN Rule that took effect on July 29, 2024.

The HIPAA Breach Notification Rule imposes specific requirements on health care providers, health plans, health care clearinghouses and their business associates (“HIPAA Entities”) to protect individually identifiable health information (“PHI”) against improper use, access, disclosure or destruction and to provide breach notification to individuals, the Department of Health and Human Services Office of Civil Rights (“OCR”) and the media if a breach of unsecured electronic protected information happens.

To provide for notifications of breaches of electronically identifiable health information not covered by HIPAA, the HBN Rule generally requires each vendor of PHRs covered by its rules (“PHR Vendors”) and related entity that discovers a breach of security of unsecured personally identifiable health information (“UPHI”) in a PHR it maintains or provides to notify:

  • Each individual who is a citizen or resident of the United States whose unsecured UPHI was acquired by an unauthorized person as a result of the security breach;
  • The Federal Trade Commission; and
  • Prominent media outlets serving a State or jurisdiction, if the UPHI of 500 or more residents of such State or jurisdiction is, or is reasonably believed to have been, acquired during such breach.

Applicability To HBN Rule

Amendments to the HBN Rule that took effect on July 29, 2024, clarify that the HBN Rule breach notification requirements, as well as other requirements of the HBN Rule, apply more broadly than many parties dealing with PHR and PHR technologies previously understood. The FTC revised several definitions in the HBN Rule to clarify that it applies to health apps and similar technologies not covered by HIPAA by modifying the definition of “PHR identifiable health information” and adding two new definitions for “covered health care provider” and “health care services or supplies.” It also revised the definition of “PHR related entity” to make clear that 1) the HBN Rule covers entities that offer products and services through the online services, including mobile applications, of vendors of personal health records and 2) only entities that access or send UPHI to a personal health record — rather than entities that access or send any information to a personal health record — qualify as PHR related entities.

These changes clarify that the HBN breach notification requirements generally apply to providers and developers of websites, mobile applications, or internet-connected devices that provide mechanisms to track diseases, health conditions, diagnoses or diagnostic testing, treatment, medications, vital signs, symptoms, bodily functions, fitness, fertility, sexual health, sleep, mental health, genetic information, or diet, or that provide other health-related services or tools and other similar technologies that provide healthcare services and supplies, and related technologies not covered.

Other Changes & Clarifications To HBN Rule

  • Breach Of Security: The Final Rule clarifies that a “breach of security” includes an unauthorized acquisition of identifiable health information that occurs as a result of a data security breach or an unauthorized disclosure;
  • Clarifying Multiple Sources Of PHR Identifiable Health Information: The FTC clarified what it means for a personal health record to draw PHR identifiable health information from multiple sources;
  • Electronic Notification: The FTC expanded the allowable use of email and other electronic means of providing clear and effective notice to consumers of a breach;
  • Expanding Required Consumer Notice Content: The amendments to the HBN Rule expand the required content that notifications of breaches must include. For example, the notice would be required to include the name or identity (or, where providing the full name or identity would pose a risk to individuals or the entity providing notice, a description) of any third parties that acquired unsecured PHR identifiable health information as a result of a breach of security;
  • Changing Notification Timing: The amendment to the HBN Rule changes the deadline for providing breach notification to the FTC under the rule. For breaches involving 500 or more individuals, covered entities must notify the FTC at the same time they send notices to affected individuals, which must occur without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach of security; and
  • Improving readability: The amendments to the HBN Rule also include changes to improve the rule’s readability and promote compliance.

HIPAA-Covered Breaches

HIPAA Entities are reminded that in addition to its broadly applicable Privacy, Security and Breach Notification Rules, OCR also has promulgated specific guidance about mobile application and related technology. This mobile application guidance, among other things, includes risk analysis, configuration to reduce risks, and workforce training on appropriate use when HIPAA Entities use mobile application technologies.

Additionally, OCR has adopted specific requirements on the Use of Online Tracking Technologies by HIPAA Entities to collect and analyze information about how users interact with regulated entities’ websites or mobile applications. While the U.S. District Court for the Northern District of Texas in Am. Hosp. Ass’n v. Becerra, — F. Supp. 3d —-, No. 4:23-cv-1110, 2024 WL 3075865 (N.D. Tex. June 20, 2024), ruled unlawful and invalidated the portion of this rule that provides that HIPAA obligations are triggered in “circumstances where an online technology connects (1) an individual’s IP address with (2) a visit to a[n] [unauthenticated public webpage] addressing specific health conditions or healthcare providers,” the remainder of that rule remains effective. HIPAA Entities should ensure compliance with both of these rules as well as all other applicable HIPAA Breach and other rules.

To aid in this process, OCR has published various tools and resources on building privacy and security protections into mobile application technologies including the following:

  • Mobile Health Apps Interactive Tool – The Federal Trade Commission (FTC), in conjunction with OCR, the HHS Office of National Coordinator for Health Information Technology (ONC), and the Food and Drug Administration (FDA), have updated the popular Mobile Health Apps Interactive Tool. This tool is designed to help developers of health-related mobile apps, including HIPAA-regulated entities, understand what federal laws and regulations might apply to them. The guidance tool asks developers a series of questions about the nature of their app, including about its function, the data it collects, and the services it provides to users. Based on a developer’s answers to those questions, the guidance tool points the app developer toward detailed information about certain federal laws that might apply. These include the FTC Act, the FTC’s Health Breach Notification Rule, the Health Insurance Portability and Accountability Act (HIPAA) Rules, and the Federal Food, Drug and Cosmetics Act (FD&C Act), Children’s Online Privacy Protection Rule (COPPA), and 21st Century Cures Act and ONC Information Blocking Regulations.
  • Health App Use Scenarios & HIPAA – This guidance details various use scenarios for mHealth applications, and explains when an app developer may be acting as a business associate under the HIPAA Rules.
  • Access Right, Apps, and APIs – View frequently asked questions about how the HIPAA Rules apply to covered entities and their business associates with respect to the right of access, apps, and application programming interface (APIs).
  • Health Information Technology – View frequently asked questions on HIPAA and health IT.
  • Guidance on HIPAA & Cloud Computing – OCR developed guidance to assist HIPAA covered entities and business associates, including cloud services providers (CSPs), in understanding how they can use cloud computing technologies while complying with their HIPAA obligations.

These resources can be helpful both for HIPAA Entities to comply with HIPAA and for non-HIPAA covered entities to comply and manage risks under the HBN Rule.

In the face of these and other Federal and state law rules, all parties dealing with electronic health information should confirm their status under the FTC and OCR Rules and take documented steps to verify, monitor and maintain their compliance with breach notification and other requirements.

About the Author 

Scribe responsible for planning and leading the American Bar Association Joint Committee on Employee Benefits Annual Agency Meeting with HHS-OCR for more than a decade and author of many highly regarded publications on HIPAA and other privacy and data security, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 35 plus years of HIPAA and other cybersecurity, workforce, technology and other compliance, risk management and mitigation, incident and other investigations, regulatory and government affairs, and other strategic, operational, regulatory and legal and consulting management work for government contractors and other public and private businesses; managed care and other health and life science, insurance, technology, and other performance and data dependent organizations.

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, life sciences, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. Author of a multitude of highly regarded publications on HIPAA and other medical record and data privacy and scribe for the ABA JCEB Annual Meeting with the HHS Office of Civil Rights, her experience includes extensive involvement throughout her career in advising health care and life sciences and other clients about preventing, investigating and defending EEOC, DOJ, OFCCP and other Civil Rights Act, Section 1557 and other HHS, HUD, banking, and other federal and state discrimination investigations, audits, lawsuits and other enforcement actions as well as advocacy before Congress and regulators regarding federal and state equal opportunity, equity and other laws. 


Large Penalties Warn Health Plans & Other HIPAA-Entities To Ensure Timely Response To HIPAA & Record Requests & Other Record & Information Disclosure Rules

August 5, 2024

The more than $560,000 in civil monetary penalties (“CMPs”) collected since March by the Department of Health and Human Services (“HHS”) Office of Civil Rights (“OCR”) from three HIPAA-covered entities for failing to respond to medical record requests within 30 days as required by the Health Insurance Portability & Accountability Act (“HIPAA”) right of access rule (“Access Rule”) shows patients, their personal representatives and health care providers, health plans, health care clearinghouses (“Covered Entities”) the seriousness of OCR’s commitment to enforcement of the Access Rule.

On August 2, 2024, OCR announced emergency medical provider American Medical Response (“AMR”) paid a $115,200 civil monetary penalty (“AMR CMP”) for waiting 370 days before delivering medical records requested by a patient’s personal representative. OCR’s AMR CMP announcement follows its April 1, 2024 announcement that Hackensack Meridian Health, West Caldwell Care Center (“Hackensack Meridian Health”) paid a $100,000 CMP (“HMH CMP”) for waiting 161 days to provide medical records requested by a patient’s personal representative and its March 29, 2024 announcement of its agreement to accept payment of $35,000 in satisfaction of the previously assessed $250,000 CMP against Phoenix Healthcare LLC d/b/a Green County Care Center (“Phoenix”) for Access Rule violations. With these three actions, OCR collected $565,000 in CMPs for Access Rule violations since March 29, 2024, and has announced a total of 49 high-dollar Access Rule CMP or settlement collections since announcing its Access Rule enforcement initiative in 2019.

OCR’s pursuit of CMPs in excess of $100,000 against each of these three entities for failing to respond to a single request for patient records makes clear OCR’s readiness to investigate and pursue big dollar penalties against Covered Entities for even a single failure to deliver documents to a requesting patient or personal representative. With these HIPAA penalties in addition to the Labor Department administrative penalty of up to $190 per day per request, and the discretionary award of up to $100 per day plus attorneys’ fees and court costs that courts can award to suing participants or beneficiaries wrongfully denied timely access to plan information or documents under the Employee Retirement Income Security Act (“ERISA”), health plans, their plan administrators, insurers and fiduciaries should take care to ensure their health plans and their administrators and vendors timely respond to all medical record and other requests.

HIPAA Right Of Access Rule

HIPAA’s Privacy Rule right of access (“Access Rule”) is part of the national standards that HIPAA Privacy, Security, and Breach Notification Rules (“Privacy Rule”) require that Covered Entities and their business associates meet to protect individuals’ protected health information (“PHI”), limit uses and disclosures of PHI, and give individuals the right to timely access and to obtain a copy of their PHI records and certain other rights. Like other Privacy Rule violations, Access Rule violations can subject a Covered Entity or business associate to expensive HIPAA civil monetary penalties (“CMPs”).

The Access Rule codified in 45 C.F.R. 164.524 generally requires a Covered Entity to respond to a request from an individual or its personal representative to access or for a copy of protected health information (“PHI”) in any records set of a Covered Entity or its business associate within 30 days of receipt of the individual’s request. OCR Access Rule guidance makes clear OCR views this deadline as the maximum allowed period.

The Covered Entity can respond to a right of access request by granting or denying the request in whole or in part, or if it is unable to provide the records within 30 days for a legitimate reason, the Access Rule allows the Covered Entity a one-time 30-day extension of the response timeframe by sending the requestor a written statement of the reasons for the delay and the date within the extended response deadline by which the Covered Entity will complete its action on the request. 45 C.F.R. § 164.524(b)(2).

The Access Rule also contains specific guidance governing the calculation of the allowable fee, if any, the Covered Entity can charge for providing the PHI, limiting it to a reasonable cost-based fee calculated following the Access Rule. It also sets forth other requirements about the manner and format in which the Covered Entity must deliver the PHI.

OCR is responsible for implementing the Privacy Rules and enforcing non-criminal violations of its requirements.  When OCR finds violations of the Access Rule or other HIPAA violations, HIPAA as amended by the HITECH Act,1 generally authorizes OCR to impose and collect a CMP determined based on the following penalty schedule, with adjustments for inflation:

  • A minimum of $100 for each violation where the Covered Entity or business associate did not know and, by exercising reasonable diligence, would not have known that it violated the HIPAA provision, provided the total amount of CMPs imposed on the Covered Entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $25,000.
  • A minimum of $1,000 for each violation due to reasonable cause and not to willful neglect, except that the total amount imposed on the Covered Entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $100,000.
  • A minimum of $10,000 for each violation due to willful neglect and corrected within 30 days, except that the total amount imposed on the covered entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $250,000.
  • A minimum of $50,000 for each violation due to willful neglect and uncorrected within 30 days, except that the total amount imposed on the covered entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $1,500,000.

As required by law, OCR has adjusted the CMP ranges for each penalty tier for inflation.3 The adjusted amounts apply only to CMPs whose violations occurred after November 2, 2015.

$115,200 AMR CMP

According to the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) August 1, 2024 announcement of the AMR CMP, AMR paid OCR the $115,200 AMR CMP after OCR assessed the CMP in a Notice of Final Determination that AMR violated the Access Rule.

The Notice of Final Determination arose from an OCR investigation of a complaint made by an attorney (“the Patient’s Attorney”) on behalf of a patient transported by AMR alleging that AMR failed to provide a patient with timely access to its medical records after many failed attempts by the patient to obtain the records.

According to the Proposed Notice of Determination, the Patient’s Attorney sent AMR a fax on the patient’s behalf on October 31, 2018 asking for copies of a patient’s medical records including, “all billing records pertaining to treatment rendered for 9/15/2015 injury date; Patient Balance Verification; all medical records pertaining to treatment rendered for 9/15/2015 injury date” in electronic format to the patient’s attorney (“access request”). The access request was in writing, signed by the Patient’s Attorney, and clearly identified the Patient’s Attorney and where to send the copy of the Patient’s Attorney’s PHI. The Patient’s Attorney received a fax transmission report reflecting that AMR received her request on October 31, 2018. Although AMR uses an electronic health record (EHR) for its medical records and maintains the Patient’s Attorney’s requested PHI in its EHR, it did not respond to this request by November 30, 2018, the date 30 days from receipt.

On November 8, 2018, the Patient’s Attorney also mailed a copy of her October 31, 2018, access request to AMR’s Seattle, Washington office via certified mail and received confirmation of delivery on November 13, 2018 from the United States Postal Service. The Patient’s Attorney also subsequently sent two follow-up requests for the PHI records on January 24, 2019.

Although AMR’s electronic medical record confirmed AMR received these requests, AMR did not respond to the Patient’s Attorney’s request until March 1, 2019, 121 days after the initial request, when AMR sent the Patient’s Attorney an invoice requiring payment of an access fee before AMR would provide the requested records to Complainant.

On March 18, 2019, the Patient’s Attorney then sent AMR another follow-up letter that reiterated the Patient’s Attorney’s multiple access requests and advised AMR that if AMR did not send the PHI to the Patient’s Attorney electronically within seven days the Patient’s Attorney would file a complaint with OCR.  Since AMR failed to deliver the requested records in electronic format within the specified period, the Patient’s Attorney filed a complaint with OCR on July 29, 2019, alleging that AMR violated the Access Rule by failing to provide a copy of the patient’s PHI in response to the Patient’s Attorney’s multiple access requests.

OCR’s October 2019 investigation found AMR repeatedly failed to timely respond to the patient’s access request even though AMR had procedures in place for processing individuals’ written access requests.

In response to OCR’s investigation, AMR sent the requested records to the Patient’s Attorney on November 5, 2019, 370 days after the Patient’s Attorney’s initial request.

In response to OCR’s investigation, AMR also amended its internal procedures to streamline and better track access requests. OCR notified AMR of the results of OCR’s investigation on August 3, 2021, and offered AMR an opportunity to resolve the matter informally.  Rather than accepting this offer, however, AMR responded to OCR through counsel on August 9, 2021, asking OCR to “reconsider its position” without providing a counteroffer or otherwise engaging in negotiations with OCR. While OCR did not disclose the terms of its proposed offer of resolution, acceptance of this offer presumably would have allowed AMR to resolve the charges for an amount less than the $115,200 CMP ultimately imposed.

OCR then sent an April 15, 2022 Letter of Opportunity (LOO) to AMR, which informed AMR that OCR’s investigation indicated that AMR violated HIPAA’s Access Rule and provided AMR with an opportunity to submit written evidence of mitigating factors and affirmative defenses to this violation as well as evidence to support a waiver of a CMP for violating the Access Rule. OCR determined AMR’s May 16, 2022 response to the LOO did not support any affirmative defense to the charges or grounds for waiver of the CMP but weighed AMR’s LOO response alleging mitigating factors in determining the amount of the CMP.

Based on these factual findings, OCR sent AMR a Notice of Proposed Determination that announced OCR’s intent to impose the $115,200 AMR CMP for its violation of the Access Rule by failing to provide timely access to the Patient’s Attorney after receiving her lawful requests.

Finding the Reasonable Cause penalty tier applicable for purposes of determining the CMP for AMR’s Access Rule violation from December 1, 2018, to February 28, 2019, OCR calculated the AMR CMP as follows:

  • $39,680 CMP Calendar Year 2018 (31 days from 12/1/18 to 12/31/18, at $1,280 per day); plus
  • $75,520 CMP Calendar Year 2019 (59 days from 1/1/19 to 2/28/19, at $1,280 per day)
  • = $115,200 Total CMP

While AMR argued that OCR should exercise its discretion and choose not to apply any CMPs because of “multiple mitigating factors,” OCR determined AMR’s arguments factually inaccurate and not meriting change of the CMP assessment from the reasonable cause level. Accordingly, OCR refused to reduce the original $115,200 based on alleged mitigating factors.

After AMR did not challenge the determinations of OCR in the Notice of Proposed Determination within the allowed period, OCR issued the Final Notice of Determination imposing the $115,200 AMR CMP and AMR paid that amount.

Since as early as 2016, OCR has made Access Rule enforcement a priority.  Along with its assessment of the AMR CMP, OCR’s commitment to continued Access Rule enforcement is demonstrated by the 48 other previously announced Access Rule enforcement actions through July 31, 2024. 

$100,000 Hackensack Meridian Health CMP

Before it collected the AMR CMP, on April 1, 2024, OCR already had announced its collection of a $100,000 CMP from a New Jersey skilled nursing facility for violating the Access Rule in April.

Essex Residential Care, LLC, doing business as Hackensack Meridian Health, West Caldwell Care Center (“HMH”) is a skilled nursing facility that provides long-term care and rehabilitation services.

In May 2020, OCR received a complaint alleging that HMH failed to provide a personal representative with access to his mother’s medical records even after HMH received sufficient documentation that the patient’s son, who requested the records, was his mother’s personal representative.

OCR found that HMH failed to respond timely to a HIPAA right of access request. In September 2023, OCR issued a Notice of Proposed Determination (“HMHPD”) seeking to impose the $100,000 civil money penalty. When HMH waived its right to a hearing and did not contest OCR’s findings, OCR finalized the Notice of Final  Determination imposing the $100,000 CMP.

The OCR investigation found that when Peter Lindsay originally requested copies of the medical records of his mother, Lois Lindsey (“mother”) from WCCC in an April 19, 2020 email, WCCC responded with an April 22, 2020 e-mail denial that requested Mr. Lindsay provide WCCC a copy of a power of attorney, medical proxy or similar document executed by the mother establishing that he was his mother’s personal representative. However, when WCCC still failed to deliver the requested medical records after Mr. Lindsey sent a copy of his mother’s power of attorney via May 23, 2020 e-mail, Mr. Lindsey complained to OCR.

After OCR notified WCCC on October 15, 2020, of its investigation of the complaint, WCCC acknowledged that it failed to respond to the complainant’s request for his mother’s medical records within 30 days of receiving the complainant’s written request for the records but still did not deliver the records until December 1, 2020, 161 days after the complainant’s request.

By letter dated March 25, 2022, OCR informed WCCC that its investigation found that WCCC failed to provide timely access to protected health information and offered WCCC an opportunity to settle this matter informally.  Although OCR’s letter encouraged WCCC to contact OCR no later than ten days after receipt of the letter, OCR received no response until WCCC responded via e-mail through its attorney on April 29, 2022, stating that WCCC disagreed with OCR’s proposed resolution.  OCR then responded by issuing a May 16, 2022 Letter of Opportunity (LOO) informing WCCC that OCR found preliminary indications of non-compliance and providing WCCC with an opportunity to submit written evidence of mitigating factors, affirmative defenses, or waiver factors for OCR’s consideration in determining the CMP amount.

In the June 15, 2022 response to the LOO sent by WCCC’s attorney, WCCC acknowledged receipt of both the April 19, 2020, medical record request and the power of attorney emailed on April 23, 2020.  WCCC also admitted that instead of providing Mr. Lindsay with the requested medical record, WCCC sent a copy of the mother’s medical records to another facility to which Ms. Lindsay was transferred. WCCC’s attorney admitted WCCC should have handled the request differently but indicated that, at the time of the original request, both Mr. Lindsey and his mother were parties to ongoing litigation with WCCC over non-payment for care; that WCCC also was struggling with the COVID-19 pandemic; and that Mr. Lindsey filed his complaint with OCR exactly 30 days after his e-mailed request, before WCCC’s response to the initial request was due. WCCC’s attorney also asserted several affirmative defenses it claimed excused WCCC’s failure to provide the medical documents.

Based on the above findings of fact, OCR calculated the WCCC CMP at the reasonable cause not corrected tier for WCCC’s failure to provide the requested medical records from June 23, 2020, to December 1, 2020.

WCCC also asserted various affirmative defenses and a right of waiver to avoid or mitigate the amount of the WCCC CMP, all of which OCR found unpersuasive.

  • Regarding WCCC’s assertion that HIPAA barred imposition of a CMP in this case, as a matter of law, under the HIPAA affirmative defense for a violation not due to willful neglect and timely corrected, OCR determined that the affirmative defense did not apply as WCCC did not timely correct the violation.  
  • OCR also rejected WCCC’s assertion that imposition of a CMP under these circumstances would be arbitrary and capricious and violate the Administrative Procedure Act (the “APA”).
  • OCR likewise rejected WCCC’s claim that OCR should waive any possible CMP because assessment of the CMP would be excessive as WCCC only failed to timely respond to a single request for records access, submitted in the midst of litigation with the requesting party during the COVID-19 pandemic, and WCCC’s personnel mistakenly believed that an appropriate, timely response to the complainant’s medical record request had been made through the transfer of the patient to another facility.

After WCCC waived its right to challenge these OCR determinations in an administrative hearing, OCR issued the Notice of Final Determination on January 12, 2024, which OCR publicly announced  on April 1, 2024.

Phoenix CMP Settlement

OCR’s WCCC CMP announcement came only three days after OCR announced a settlement with Phoenix under which OCR accepted and collected $35,000.00 (“Settlement Amount”) from Phoenix in full satisfaction of a $250,000 CMP under a March 30, 2021 Notice of Final Determination issued against Phoenix for willful violation of the Access Rule. 

The Phoenix CMP and resulting settlement arose from OCR’s investigation of a right of access complaint filed against the Oklahoma multi-facility nursing care organization by a patient’s daughter in April 2019, alleging that Phoenix would not provide the daughter, who serves as a personal representative, with a copy of her mother’s medical records. After Phoenix eventually sent the requested records on January 30, 2020, 323 days after the request and only after OCR’s attempts to get the records through technical assistance and other efforts, OCR notified Phoenix of its intention to impose a $250,000 civil money penalty (“Phoenix CMP”) against Phoenix for willful violation of the Access Rule along with violations of HIPAA’s business associate requirements.

Rather than accede to OCR’s proposed imposition of the $250,000 Phoenix CMP, however, Phoenix chose to challenge the proposed Phoenix CMP to an administrative law judge (“ALJ”) in the Civil Remedies Division of the Departmental Appeals Board (“DAB”) of HHS. In Decision No. CR6232, the ALJ on February 16, 2023, upheld the Access Rule violations cited by OCR and OCR’s determinations that Phoenix acted with willful neglect in committing the violations, but reduced the Phoenix CMP amount from the $250,000 proposed by OCR to $75,000.

Despite the ALJ’s reduction of the Phoenix CMP, Phoenix then unsuccessfully challenged the ALJ’s determinations. On August 4, 2023, the HHS Departmental Appeals Board upheld the ALJ’s decision to uphold OCR’s determinations that Phoenix acted with willful neglect in violating the Access Rule and imposition of the reduced $75,000 CMP.

When Phoenix threatened to appeal this determination in federal court and presented evidence of “financial hardship,” however, OCR agreed, “as a compromise based on the unique facts and circumstances of this matter,” to accept Phoenix’s payment of the $35,000 Settlement Amount in full satisfaction of the $75,000 CMP assessed due and owing by Phoenix under ALJ Decision No. CR6232, as affirmed by DAB Decision No. 3105, in return for Phoenix’s agreement not to further challenge OCR’s assessment and to revise its HIPAA Policies and Procedures to address the Access Rule and business associate agreement requirements, training, and other compliance.

Right Of Access Enforcement Takeaways

OCR’s pursuit of CMPs for Access Rule violations against AMR, WCCC and Phoenix, along with the 46 Access Rule settlements announced by OCR before the Phoenix Settlement, makes clear that OCR takes Access Rule violations seriously and stands prepared to assess substantial CMPs against Covered Entities that violate the Access Rule.

Like the 46 Access Rule settlements OCR previously announced, the circumstances surrounding the assessment of the AMR CMP and other Access Right Enforcement actions contain several important lessons for Covered Entities and business associates including:

  • Ensuring Covered Entities appropriately track and timely respond to access requests is critical;
  • Failing to provide timely response to even a single access request can trigger a significant CMP;
  • The existence or expectation of a lawsuit or other dispute with the patient or patient’s personal representative does not justify delay in or refusal to timely provide requested medical records within 30 days;
  • While Covered Entities and business associates have a duty to verify a family member, attorney or other party requesting medical records on behalf of a patient is the personal representative, a Covered Entity is responsible for verifying this and delivering the requested medical records promptly following receipt of a request;
  • If a Covered Entity or business associate intends to charge to provide requested medical records in response to an access request, ensure that the proposed charge is calculated following the Access Rule, notification is delivered within 30 days of the original request and deliver the medical records promptly after the payment is received;
  • Providing requested medical records to another health care provider or other party does not excuse or substitute for providing the medical records to the requesting patient or personal representative;
  • A Covered Entity that fails to meet the 30-day deadline for responding to an access request should fix the problem promptly by delivering the documents as soon as possible and taking documented corrective action to prevent future noncompliance;
  • A Covered Entity or business associate that already has not responded within 30 days of receipt of an access request should not withhold delivery of the requested PHI pending the requestor’s payment of the minimal allowed charge that it could have imposed had it timely responded to the access request within 30 days; and
  • Consider carefully before declining an offer from OCR to settle through informal resolution.

Covered Entities and business associates also should keep in mind other potentially applicable legal or ethical requirements to provide medical records.  For instance, the Employee Retirement Income Security Act (“ERISA”), state insurance rules and other federal or state laws also may require health plans and their insurers, administrators and others to provide timely access to medical or other records that also are protected health information under HIPAA.  Under Section 502(c) of ERISA, for instance, health plan administrators that fail to provide requested documents and information can become liable for Labor Department penalties of up to $190 per day not to exceed $1,906 per request, discretionary court awards of penalties of up to $100 per day plus attorneys’ fees and court costs to participants or beneficiaries wrongfully denied timely access, or both. Covered Entities and business associates should ensure that all applicable deadlines are met and that any charges imposed satisfy all applicable requirements.

Covered Entities and business associates also should keep in mind that the Access Rule is only one of several areas of HIPAA enforcement prioritized by OCR that can trigger costly CMPs. Since HIPAA took effect in April 2003 through April 2024, OCR has:

  • Received and resolved 99 percent of the more than 358,975 HIPAA complaints and the more than 1,188 OCR-initiated compliance reviews;
  • Required changes in privacy practices and corrective actions in more than 30,839 cases investigated;
  • Settled or imposed a civil money penalty in 145 cases resulting in a total dollar amount of $142,663,772.00; and
  • Referred 2,197 to the Department of Justice (DOJ) for criminal investigation of cases involving the knowing disclosure or obtaining of protected health information in violation of HIPAA.

The compliance issues most often alleged in complaints through April 2024 have remained consistent across the 20 years since HIPAA became effective.  They include, cumulatively and in order of frequency:

  • Impermissible uses and disclosures of protected health information;
  • Lack of safeguards of protected health information;
  • Lack of patient access to their protected health information;
  • Lack of administrative safeguards of electronic protected health information; and
  • Use or disclosure of more than the minimum necessary protected health information.

While health care providers are the type of Covered Entity most often subjected to enforcement, OCR data confirms OCR investigations and enforcement have impacted all types of Covered Entities and business associates.  According to this data, the categories of Covered Entities OCR investigations have found to have committed violations are, in order of frequency:

  • General Hospitals;
  • Private Practices and Physicians;
  • Pharmacies;
  • Outpatient Facilities; and
  • Group Health Plans.

Additionally, while Group Health Plans as a group have the fewest compliance violations to date, OCR enforcement data confirms OCR’s investigation and enforcement of Access Rule violations against Group Health Plans, as well as that Group Health Plans and their business associates historically account for violations of the HIPAA security rules for the protection of electronic health information affecting millions of Americans. With OCR further heightening its prioritization of HIPAA’s security rule oversight and enforcement in response to massive breaches of electronic protected health information systems and data that triggered widespread disruptions of care and payment systems reported by UnitedHealthcare Group’s Change Health, Ascension Health, and others, and recent OCR guidance requiring updates to Notices of Privacy Practices, all Covered Entities and their business associates should seize the opportunity to re-verify the defensibility of their organization’s Access Rule, Security Rule and other HIPAA compliance.

For Additional Information

We hope this update is helpful. Solutions Law Press, Inc. invites you to receive future updates by registering here and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

If you have questions or need assistance with this or other cybersecurity, health, benefit, payroll, investment or other data, systems or other privacy or security related risk management, compliance, enforcement or management concerns, to inquire about arranging for compliance audit or training, or need legal representation on other matters, contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452-8297.

About the Author 

Scribe responsible for planning and leading the American Bar Association Joint Committee on Employee Benefits Annual Agency Meeting with HHS-OCR for more than a decade and author of many highly regarded publications on HIPAA and other privacy and data security, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 35 plus years of HIPAA and other cybersecurity, workforce, technology and other compliance, risk management and mitigation, incident and other investigations, regulatory and government affairs, and other strategic, operational, regulatory and legal and consulting management work for government contractors and other public and private businesses; managed care and other health and life science, insurance, technology, and other performance and data dependent organizations.

A Fellow in the American College of Employee Benefit Counsel, Immediate Past Co-Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee, Co-Chair of its International Employment Law Committee, and its Health Care Liaison; Immediate Past Chair of the ABA TIPS Section Medicine & Law Committee; Past Chair of the ABA Managed Care & Insurance Interest Group; Former Chair of the ABA RPTE Employee Benefits & Other Compensation Group and Chair or Co-Chair of its Welfare Benefit Committee for more than 10 years, and Chair of the ABA Intellectual Property Section Law Practice Management Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading-edge work, scholarship and thought leadership with healthcare and life sciences, employment and employee benefits, managed care and insurance, data and technology and other related industries and organizations. She is known for her skilled, combined use of her extensive legal and operational knowledge to help these and other clients develop, operationalize and defend employment, employee benefits, compensation and other staffing and workforce; data, systems and other technology; health benefit and other healthcare and life science, managed care and insurance; employee benefits, safety, contracting, quality assurance, compliance and risk management, and other legal, public policy and operational actions and practices. She speaks and publishes extensively on these and other related compliance issues.

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, life sciences, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. Author of a multitude of highly regarded publications on HIPAA and other medical record and data privacy and scribe for the ABA JCEB Annual Meeting with the HHS Office of Civil Rights, her experience includes extensive involvement throughout her career in advising health care and life sciences and other clients about preventing, investigating and defending EEOC, DOJ, OFCCP and other Civil Rights Act, Section 1557 and other HHS, HUD, banking, and other federal and state discrimination investigations, audits, lawsuits and other enforcement actions as well as advocacy before Congress and regulators regarding federal and state equal opportunity, equity and other laws. 

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here.

IMPORTANT NOTICE

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and educational purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstances at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. The law is rapidly evolving, and rapidly evolving rules make it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access to this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2024 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™


Beryl-Related Texas Court Deadline Relief Announced

July 15, 2024

The Supreme Court of Texas has issued an emergency order authorizing the modification of deadlines in certain justice courts affected by Hurricane Beryl.

The order states that upon request by local judicial leaders and pursuant to Section 22.0035(b) of the Texas Government Code, justice courts in Fort Bend, Galveston, Harris, Matagorda, and Montgomery counties that have been prevented from complying with a deadline in a civil case because the court’s normal operations have been disrupted by the disaster may:

  • Consider the disaster as good cause under Texas Rule of Civil Procedure 500.5 for extending a time period in the Texas Rules of Civil Procedure or local rules, including appeal and new trial deadlines, until July 26, 2024; and
  • Postpone statutory deadlines until July 26, 2024, if the court finds that the postponement is necessary to facilitate the orderly resumption of the court’s normal operations.

Read the complete order here.

For More Information

We hope this update is helpful. For more information or help about these or other health or other legal, management, or public policy developments, please get in touch with the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452-8297.



FINRA Warns Brokers, Financial Advisors To Manage Compliance Risks Of AI

July 1, 2024

Brokers, financial advisors and others in the financial industry subject to regulation by the Financial Industry Regulatory Authority (“FINRA”) should document their careful selection and management of any machine learning, deep learning, neural networks, large language model (“LLM”) and other natural language processing (“NLP”), and other generative artificial intelligence tools (“Gen AI”) in their businesses in compliance with all relevant FINRA, securities and other laws and regulations.

Gen AI Tool Use Benefits & Risks

As FINRA’s 2024 Annual Regulatory Oversight Report notes, brokers, financial advisors and their organizations increasingly are using Gen AI and other similar tools for a wide range of marketing and other operational purposes.

Gen AI technology presents both promising opportunities for investors and member firms and some attendant risks. Among other things, properly used Gen AI tools may:

  • Analyze and synthesize vast sets of financial and market data, summarize large and complex documents, and power educational resources that may help investors at all experience levels understand and navigate markets more effectively;
  • Allow an associated person to, for example, easily locate and query a member firm’s policies and procedures or forms, to generate summaries derived from the member firm’s research reports, or to obtain issuer-specific information by drawing on SEC filings and earnings call transcripts;
  • Allow member firms to leverage Gen AI tools to aid in surveillance by, for example, generating reports with summaries for the member firm’s (human) compliance personnel of potential evidence of malfeasance, such as market abuse or insider trading.

Along with these potentially promising benefits, Gen AI also can create added concerns about accuracy, privacy, bias, intellectual property, possible exploitation by threat actors, and other risks.

FINRA Warning To Monitor Regulatory Compliance When Using Gen AI Tools

FINRA Regulatory Notice 24-09 published June 27, 2024, warns FINRA members to use care to ensure continued compliance with FINRA and other securities laws and rules when using Gen AI or other similar technologies in their businesses.   

The Notice reminds members that FINRA and other securities laws continue to apply when member firms use Gen AI or similar technologies in their business, just as they apply when member firms use any other technology or tool. The Notice notes, for example, that FINRA Rule 3110 requires that a member firm have a reasonably designed supervisory system tailored to its business. If a firm is using Gen AI tools as part of its supervisory system—for the review of electronic correspondence, for instance—the Notice states the firm’s policies and procedures should address technology governance, including model risk management, data privacy and integrity, reliability, and accuracy of the AI model.

Where applicable, the Notice states the FINRA rules apply whether member firms are directly developing Gen AI tools for their proprietary use or when leveraging the technology of a third party, including through embedded features in existing third-party products.

The applicability and implications of FINRA’s rules as applied to Gen AI use depend on how a member firm deploys the AI technology. The Notice warns that, depending on how a member firm uses Gen AI, Gen AI use could implicate virtually every area of a member firm’s regulatory obligations. The Notice warns that, as with any technology or tool, a member firm should evaluate Gen AI tools before deploying them to ensure that the member firm will continue to comply with existing FINRA rules applicable to the business when using those tools.

FINRA already has provided some guidance about the use of Gen AI tools by members. Before publishing the Notice, for example, FINRA already had released guidance discussing the specific application of the content standards of FINRA Rule 2210 (Communications with the Public). In that guidance, FINRA stated that Rule 2210 applies whether member firms’ communications are generated by a human or technology tool.

Beyond the Rule 2210 guidance, the Notice also highlights other FINRA resources that FINRA encourages members to use to help shape and manage their organizations’ Gen AI use in their operations. These include:

SEC AI Regulation & Scrutiny

FINRA-regulated individuals and organizations also are reminded that the Securities and Exchange Commission (“SEC”) increasingly is focusing on AI and other data and technology related risks. In recent years, Chairman Gary Gensler and other SEC officials have identified a number of areas of potential securities market threats from the use of AI, including tools and practices that expose the market and investors to fraudulent practices and deception, AI bias, and conflicts of interest, or that intensify existing financial vulnerabilities.

For instance, the SEC has scrutinized broker-dealer and investment advisor digital engagement practices and investment advisors’ use of technology to develop and provide investment advice for several years. See, e.g., SEC Release No. 34-92766; IA-5833; File No. S7-10-21. The SEC noted that investment advisory clients may face risks when artificial intelligence models use poor quality, inaccurate or biased data that produce outputs that are or lead to poor or biased advice, whether incorporated unintentionally through use of data sets that include irrelevant or outdated information, including information that exists due to historical practices or outcomes, or through the selection by human personnel of the data or types of data to be incorporated into a particular algorithm. Accordingly, the SEC asked for input on how advisers account for, identify, evaluate and mitigate biases and disparities that raise investor protection issues.

In response to some of these concerns, the SEC Investor Advisory Committee (“IAC”) has proposed the Establishment of an Ethical Artificial Intelligence Framework For Investment Advisors, in which the IAC, among other things, recommended that the SEC:

  • Increase and enhance SEC staffing and AI expertise;
  • Request and use data, comments and observations from the Division of Examinations in its inspections of advisers using artificial intelligence to draft best practices on the ethical use of artificial intelligence;
  • Consider frameworks developed by regulatory authorities around the world, such as The Monetary Authority of Singapore, and organizations such as the CFA Institute to expand and enhance its 2017 Guidance regarding robo-advisers for purposes of developing and providing recommendations on the use of AI by investment advisors and broker-dealers.

See IAC letter to SEC Chairman Gary Gensler (April 6, 2023).

In response to growing concerns that broker-dealers might use certain predictive analytics and similar technologies to optimize for, predict, guide, forecast, or direct investment-related behaviors or outcomes in a manner that puts their own interests ahead of investors’, in July 2023 the SEC published a Proposed Rule that if adopted generally would require a firm to evaluate and determine whether its use of certain technologies in investor interactions involves a conflict of interest that results in the firm’s interests being placed ahead of investors’ interests. The proposed rule would require firms to eliminate, or neutralize the effect of, any such conflicts, but firms would be permitted to employ tools that they believe would address these risks and that are specific to the particular technology they use, consistent with the proposal. The proposed rules would require firms to adopt written policies and procedures reasonably designed to achieve compliance with the proposed rules and to make and keep books and records related to these requirements. See also, Fact Sheet.

Managing AI Compliance Risks & Opportunities

All members and their organizations should audit and maintain an inventory of all Gen AI, PDA and other similar tools and conduct documented assessments, before deploying these tools, to confirm that their use does not adversely impact continued compliance with relevant FINRA and other securities rules, taking into account this and all other relevant FINRA rules and guidance. Because many third-party tools and services may include or incorporate Gen AI tools, FINRA-regulated parties should require third-party vendors to disclose, or should establish other processes for reliably determining, when third-party tools or services include Gen AI or may impact the FINRA-regulated party’s compliance, and should establish steps for monitoring and managing these impacts.

Moreover, all members using AI will need to establish documented processes and procedures for monitoring the continued appropriateness of the use of these and other Gen AI, PDA and other tools in light of emerging experience and guidance.

Since FINRA and the SEC also have indicated that additional enforcement, guidance or both are likely to emerge, these processes should include a reliable process for monitoring FINRA guidance for updates and timely responding to these developments.

Members and other interested parties with questions and concerns about emerging uses of AI may wish to consider sharing input with FINRA, the SEC and other relevant agencies. In this respect, the FINRA Notice invites members and other interested parties to engage and communicate with FINRA about potential supervisory and compliance implications of Gen AI and other related technology uses as they evolve. Among other things, the Notice:

  • Invites members and other interested parties to follow FINRA’s process for interpretive requests to seek interpretive guidance from FINRA to the extent member firms find ambiguity in the application of FINRA rules based on their specific use of Gen AI or other technology.
  • Encourages member firms to have ongoing discussions with their Risk Monitoring Analyst as AI-related issues or other changes in their business arise.
  • Encourages members to share feedback with FINRA on how its rules might be modernized in light of the use of Gen AI tools or other emerging technologies, consistent with investor protection and market integrity. FINRA will continue engaging with its members, regulators, policymakers and other interested parties on the use of Gen AI, LLMs and other emerging technology. Any parties interested in discussing these matters further with FINRA are welcome to contact FINRA’s Office of General Counsel for policy and rules-related discussion, and REMA/Office of Financial Innovation for all other Gen AI engagement.

In the face of the Notice and other FINRA guidance on the use of AI in their operations, brokers, financial advisors and other FINRA related parties should use care in selecting, deploying, monitoring and managing any Gen AI or other tools in their businesses. In light of FINRA’s warning about the importance of pre-use compliance evaluation, brokers and financial advisors and their organizations should adopt written policies governing the use of Gen AI and other tools. These policies should require pre-use compliance evaluation and approval before any Gen AI tools are deployed or used within their operations, regardless of whether developed and deployed in house or incorporated into third-party provided tools or services.

FINRA and SEC regulated parties also should monitor and take appropriate steps to guard their organizations and sensitive data, systems and operations against ransomware, cybersecurity and other threats created or enhanced by their own or third parties’ use of Gen AI or other technologies in light of the requirements of the Fair and Accurate Credit Transactions Act, federal and state electronic crimes and cybersecurity statutes, the SEC’s recently adopted cybersecurity rule, and other federal and state laws as well as the demonstrated market and operational risks associated with breaches.

FINRA regulated parties also should take steps to monitor enforcement, audit, and other regulatory and experiential developments potentially impacting on their past or continued use of Gen AI or other similar tools.

Of course, FINRA isn’t the only regulatory agency warning users about AI compliance risks. The Equal Employment Opportunity Commission (“EEOC”) is one of a growing number of other agencies that also have sounded warnings about compliance risks associated with the use of AI technologies. See, e.g., The Americans with Disabilities Act and the Use of Software, Algorithms, and Artificial Intelligence to Assess Job Applicants and Employees (May 12, 2024). FINRA and SEC regulated parties also should be cognizant of their direct compliance obligations and those of their customers and business partners under these and other laws.

For Additional Information

We hope this update is helpful. Solutions Law Press, Inc. invites you to receive future updates by registering here and participating in and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

If you have questions or need assistance with this or other cybersecurity, health, benefit, payroll, investment or other data, systems or other privacy or security related risk management, compliance, enforcement or management concerns, wish to inquire about arranging for compliance audit or training, or need legal representation on other matters, contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452-8297.

About the Author 

Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 35 plus years of cybersecurity, workforce, technology and other compliance, risk management and mitigation, incident and other investigations, regulatory and government affairs, and other strategic, operational, regulatory and legal and consulting management work for insurance, financial services, employee benefits, managed care and other health and life science, technology, government entities and contractors and other public and private businesses. As part of this work, she has extensively worked, spoken and published on the defensible design, use and management of artificial intelligence and other systems and processes throughout her career.

A Fellow in the American College of Employee Benefit Counsel, Co-Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee and Vice-Chair Elect of its International Employment Law Committee, Chair-Elect of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading-edge work, scholarship and thought leadership with healthcare and life sciences, employment and employee benefits, managed care and insurance, data and technology and other related industries and organizations. She is known for her skilled combined use of her extensive legal and operational knowledge to help these and other clients develop, operationalize and defend employment, employee benefits, compensation and other staffing and workforce; data, systems and other technology; health benefit and other healthcare and life science, managed care and insurance; employee benefits, safety, contracting, quality assurance, compliance and risk management, and other legal, public policy and operational actions and practices. She speaks and publishes extensively on these and other related compliance issues.

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, life sciences, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. Author of a multitude of highly regarded publications on HIPAA and other medical record and data privacy and scribe for the ABA JCEB Annual Meeting with the HHS Office of Civil Rights, her experience includes extensive involvement throughout her career in advising health care and life sciences and other clients about preventing, investigating and defending EEOC, DOJ, OFCCP and other Civil Rights Act, Section 1557 and other HHS, HUD, banking, and other federal and state discrimination investigations, audits, lawsuits and other enforcement actions as well as advocacy before Congress and regulators regarding federal and state equal opportunity, equity and other laws. 

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here.

IMPORTANT NOTICE

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

©2024 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™


OSHA Restructuring Regional Operations

May 8, 2024

Texas and other Southern states can expect increased and revitalized Occupational Safety and Health Act enforcement under a Department of Labor restructuring of the Occupational Safety and Health Administration (“OSHA”) regional operations.

The changes announced May 8 include the creation of a new OSHA regional office in Birmingham, Alabama, overseeing agency operations in the state, and those in Arkansas, Kentucky, Louisiana, Mississippi and Tennessee as well as the Florida Panhandle. The Birmingham Region will address the area’s growing worker population and the hazardous work done by people employed in food processing, construction, heavy manufacturing and chemical processing.

OSHA is also planning to merge Regions 9 and 10 into a new San Francisco Region to improve operations and reduce operating costs. 

As part of the changes, the agency will also rename its regions to associate them by geography, rather than its current practice of assigning numbers to regions.

The area OSHA calls Region 4 will be renamed the Atlanta Region with jurisdiction over Florida, excluding the Panhandle; Georgia, North Carolina and South Carolina.

The current Region 6 will be renamed the Dallas Region and have jurisdiction over workplace safety issues in New Mexico, Oklahoma and Texas. 

The composition of OSHA’s other regions will remain the same.

When completed the agency will rename its regions as follows:

  • Region 1 to the Boston Region
  • Region 2 to the New York City Region
  • Region 3 to the Philadelphia Region
  • Region 4 to the Atlanta Region
  • Region 5 to the Chicago Region
  • Region 6 to the Dallas Region
  • Region 7 to the Kansas City Region
  • Region 8 to the Colorado Region
  • Region 9 and 10 merged into the San Francisco Region, and
  • The new Birmingham Region.

OSHA says the changes, which reflect demographic and industrial changes since the passage of the OSH Act, will allow OSHA to better respond to the needs of all workers, including those historically underserved, and provide a stronger enforcement presence in the South and more consolidated state oversight and whistleblower presence in the West.

About the Author 

Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 35 plus years of cybersecurity, workforce, technology and other compliance, risk management and mitigation, incident and other investigations, regulatory and government affairs, and other strategic, operational, regulatory and legal and consulting management work for government contractors and other public and private businesses; managed care and other health and life science, insurance, technology, and other performance and data dependent organizations.

©2024 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™


$2.7 Million FCA Cyber Liability Settlement Shows New Tool In Government’s Strategy To Fight Cyber Insecurity By Holding Businesses & Leaders Accountable

May 4, 2024

The $2.7 million settlement government contractor Insight Global LLC (“Insight”) is paying to settle a Justice Department (“DOJ”) False Claims Act civil suit for lax cybersecurity shows government contractors now must add possible False Claims Act prosecution to the already substantial and ever-widening potential consequences all organizations and leaders face when their organizations experience a cyber incident.

Supplementing the strength and reach of existing cybersecurity laws by using the False Claims Act, federal securities, employee benefit fiduciary responsibility, and other laws as tools to pressure organizations and their leaders to strengthen their cybersecurity compliance and defenses is a key component of the National Cybersecurity Strategy the Administration announced in March 2023 to battle the ongoing pandemic of cyber incidents. As the National Cybersecurity Strategy states, “Continued disruptions of critical infrastructure and thefts of personal data make clear that market forces alone have not been enough to drive broad adoption of best practices in cybersecurity and resilience. … We must hold the stewards of our data accountable for the protection of personal data; drive the development of more secure connected devices; and reshape laws that govern liability for data losses and harm caused by cybersecurity errors, software vulnerabilities, and other risks created by software and digital technologies.”

The National Cybersecurity Strategy goes on to warn, “We will use Federal purchasing power and grant-making to incentivize security.”

With holding businesses and their leaders accountable a key component of the Federal government’s National Cybersecurity Strategy, government contractors specifically and all businesses and their leaders generally should heed DOJ’s use of the False Claims Act as another tool in its expanding arsenal for holding businesses experiencing cyber breaches accountable as proof of their own growing imperative to manage their own cyber security and liability in response to exploding strains of cyber threats and liabilities.

Government Contractor False Claims Act Cyber Risk

DOJ’s adoption of the False Claims Act as a tool for imposing liability against government contractors experiencing a cyber breach is part of a broader effort to persuade organizations and their leaders to tighten their cyber security defenses and responses by ratcheting up the liability and other consequences organizations and their leaders face when their organizations experience a cyber incident. The False Claims Act imposes treble damages and penalties on those who knowingly and falsely claim money from the United States or knowingly fail to pay money owed to the United States.

A Civil Cyber-Fraud Initiative announced by DOJ on October 6, 2021 adds potential False Claims Act civil lawsuits by DOJ or private whistleblowers to the already significant and expanding consequences government contractors and grant holders can face for failing to fulfill requirements to properly secure protected health information or other sensitive data as required in their government contracts.

According to DOJ’s May 1, 2024 announcement, Insight will pay $2.7 million to resolve DOJ False Claims Act charges for failing to have adequate cybersecurity measures to protect health information obtained during COVID-19 contact tracing under the new of the Settlement shows DOJ is following through on its promise.

$2.7 Million Insight FCA Cyber Settlement

The $2.7 million Settlement settles a whistleblower lawsuit, United States ex rel. Seilkop v. Insight Global LLC, No. 1:21-cv-1335 (M.D. Pa.). The suit was filed under the whistleblower provisions of the False Claims Act, which permit private parties to sue on behalf of the government when they believe that defendants submitted false claims for government funds and to receive a share of any recovery. DOJ intervened in the suit. The whistleblower, Terralyn Williams Seilkop, a former Insight Global staff member who worked on the contact tracing at issue, will receive a $499,500 share of the $2.7 million settlement amount.

The lawsuit alleged the Pennsylvania Department of Health hired Insight to provide staffing for COVID-19 contact tracing and paid Insight using federal funds from the U.S. Centers for Disease Control and Prevention. Although keeping personal health information of contact tracing subjects confidential and secure was part of its contractual duties, Insight failed to secure the protected health information. Instead, DOJ claimed, for example, Insight transmitted certain personal health information and/or personally identifiable information of contact tracing subjects in the body of unencrypted emails; stored and transmitted the information using Google files that were not password protected, making them potentially accessible to the public via internet links; and allowed staff to use shared passwords to access that information.

DOJ additionally alleged that from November 2020 through January 2021, Insight managers received complaints from Insight staff that protected health information was unsecure and potentially accessible to the public, but failed to start remediating the issue until April 2021 after deficiencies came to light.

When Insight eventually began remediating these cybersecurity breaches and deficiencies in 2021, the announcement states Insight cooperated with the DOJ investigation of the cause and scope of the incident. It also took steps to remedy cybersecurity deficiencies by strengthening internal controls and procedures, adding more data-security resources and issuing a public notice regarding the scope of the potential exposure and offering free credit monitoring and identity protection services to those affected. DOJ also reports Insight cooperated with the United States’ investigation.

DOJ’s Insight settlement announcement warns other government contractors of DOJ’s “continuing commitment to ensure that government contractors fulfill their cybersecurity obligations.” Its announcement quotes Principal Deputy Assistant Attorney General Brian M. Boynton, head of the Justice Department’s Civil Division as stating, “The Justice Department will hold accountable those contractors who knowingly fail to satisfy cybersecurity requirements.”

Meanwhile, Special Agent in Charge Maureen R. Dixon of the Department of Health and Human Services Office of Inspector General (HHS-OIG) is quoted as stating “Contractors for the government who do not follow procedures to safeguard individuals’ personal health information will be held accountable.”

Cyber Risk Implications For Government Contractors & Other Organizations

Potential False Claims Act liability under the DOJ False Claims Act Civil Cyber-Fraud Initiative adds additional liability risks for government contractors to the already substantial and growing federal and state regulatory, contractual, and civil and criminal liabilities and other consequences that cyber breaches and other cybersecurity weaknesses create for businesses and other organizations, their health plans and their leaders. Examples of these other exposures that lax privacy, data security, data breach and other cybersecurity practices may create include:

  • Business operating losses from resulting operational disruptions and damages to customer, business partner, shareholder and public trust;
  • Federal Sentencing Guidelines organizational criminal liability arising from violations of electronic crime and other federal criminal data privacy and security laws;
  • Federal Trade Commission Act and state unfair business practices liability for deceiving customers about privacy practices;
  • Securities and Exchange Commission (“SEC”) criminal and civil actions and shareholder lawsuits under the Securities Exchange Act;
  • Health Insurance Portability & Accountability Act civil monetary penalty and criminal exposures for health plans, health care providers, health care clearinghouses and their business associates;
  • Employee Benefit Security Act fiduciary liability for health fiduciaries;
  • Liability for violation of Fair and Accurate Transaction Act, Internal Revenue Code, or other federal privacy or confidentiality laws;
  • Damages and other penalties and judgments arising under state identity theft, data security, privacy and other state statutory, contractual and tort laws; and
  • More.

These and other constantly emerging exposures show the imperative for government contractors and all other organizations and their leaders to ensure their organizations take adequate, well-documented efforts to protect their systems and data and fulfill all otherwise applicable cybersecurity rules.

With new cyber attacks and strains of cyber liability emerging constantly, organizations and their leaders increasingly must change the way they think about and address their own cybersecurity and other technology, budgets and management. The escalation of cyber incidents and risks requires organizations and their leaders to treat cybersecurity as a critical component of their operational and business plans and priorities.

Amid the pandemic of constantly evolving cyber threats, even the most diligent efforts to secure systems and data cannot guarantee the prevention of a breach or other cyber incident. Given this challenge, organizations and their leaders must focus both on taking meaningful steps to adequately secure their systems and data against a cyber breach or incident and on positioning their organizations and leaders to defend their actions and mitigate exposures through appropriate strategic planning; documented oversight and risk assessment; monitoring of and response to threats and safeguards; and preparation for and timely response to cyber events, using attorney-client privilege and other evidentiary tools to promote the defensibility of pre-breach, breach investigation and post-breach investigation and decision-making.

As the availability of funding can radically impact the effectiveness of these and other risk mitigation efforts when a cyber incident occurs, these preparations also should incorporate insurance and other arrangements to provide for breach investigation funding and response.

For Additional Information

We hope this update is helpful. Solutions Law Press, Inc. invites you to receive future updates by registering here and participating in and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

If you have questions or need assistance with this or other cybersecurity, health, benefit, payroll, investment or other data, systems or other privacy or security related risk management, compliance, enforcement or management concerns, wish to inquire about arranging for a compliance audit or training, or need legal representation on other matters, contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452-8297.

About the Author 

Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 35 plus years of cybersecurity, workforce, technology and other compliance, risk management and mitigation, incident and other investigations, regulatory and government affairs, and other strategic, operational, regulatory and legal and consulting management work for government contractors and other public and private businesses; managed care and other health and life science, insurance, technology, and other performance and data dependent organizations.

A Fellow in the American College of Employee Benefit Counsel, Co-Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee and Vice-Chair Elect of its International Employment Law Committee, Chair-Elect of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading-edge work, scholarship and thought leadership with healthcare and life sciences, employment and employee benefits, managed care and insurance, data and technology and other related industries and organizations. She is known for her skilled, combined use of her extensive legal and operational knowledge to help these and other clients develop, operationalize and defend employment, employee benefits, compensation and other staffing and workforce; data, systems and other technology; health benefit and other healthcare and life science, managed care and insurance; employee benefits, safety, contracting, quality assurance, compliance and risk management, and other legal, public policy and operational actions and practices. She speaks and publishes extensively on these and other related compliance issues.

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, life sciences, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. Author of a multitude of highly regarded publications on HIPAA and other medical record and data privacy and scribe for the ABA JCEB Annual Meeting with the HHS Office of Civil Rights, her experience includes extensive involvement throughout her career in advising health care and life sciences and other clients about preventing, investigating and defending EEOC, DOJ, OFCCP and other Civil Rights Act, Section 1557 and other HHS, HUD, banking, and other federal and state discrimination investigations, audits, lawsuits and other enforcement actions as well as advocacy before Congress and regulators regarding federal and state equal opportunity, equity and other laws. 

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here.

IMPORTANT NOTICE

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and educational purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstances at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules make it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access to this publication. 

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2024 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™


Agencies Change Surprise Billing IDR Resubmission Procedures Effective 5/1/24

May 1, 2024

The Departments of Health and Human Services, Labor, and the Treasury (collectively, the Departments) today announced changes to the required process for resubmitting Independent Dispute Resolution (“IDR”) disputes originally improperly batched or bundled in the Federal IDR portal.

According to the Departments’ May 1 announcement, resubmission requests for disputes originally improperly batched or bundled will come directly from the Federal IDR portal instead of from the certified IDR entity, and initiating parties now will have a unique web form they can access via a link in their resubmission email notification to complete the resubmission process.

Starting on May 1, 2024, certified IDR entities will notify parties that a dispute is eligible for resubmission due to improper batching or bundling through an email from the Federal IDR portal, sent from auto-reply-federalidrquestions@cms.hhs.gov. If the recipient initiated the dispute, the resubmission email notification will contain a unique link to a new form called the Notice of IDR Initiation – Resubmission web form and instructions on the next steps. If the recipient did not initiate the original dispute, the email notification will be informational and will not have a link.

Initiating parties have four business days from the date of the resubmission email notification to resubmit a dispute. The resubmission link will no longer work after the four business day window has passed.

If a certified IDR entity notified the party that a dispute submitted was eligible for resubmission due to improper batching or bundling before May 1, 2024, the Departments state the recipient should resubmit the dispute as instructed in the email from its certified IDR entity through the Notice of IDR Initiation web form by May 6, 2024. For information on how to resubmit these disputes, refer to the Notice of Initiation Web Form Job Aid.

The Departments state the Notice of IDR Initiation web form will accept resubmitted disputes through May 6, 2024. After May 6, 2024, the Notice of IDR Initiation web form will no longer accept resubmitted disputes, and all resubmissions must be submitted via the Notice of IDR Initiation – Resubmission web form, as described in the paragraph below.

The following resources provide additional information and instructions on how to complete and submit the new Notice of IDR Initiation – Resubmission web form, following

Health care providers and health plans using the new IDR processes should update their processes immediately to avoid forfeiting surprise billing rights. Recipients of e-mails purportedly from the portal are cautioned to adopt and follow appropriate procedures to guard against malware or other cyber threats.

For More Information

We hope this update is helpful. For more information about these or other health or other legal, management, or public policy developments, please get in touch with the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452-8297.

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating in and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

About the Author 

Recognized by her peers as a Martindale-Hubbell “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition from LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 35 plus years of health, employee benefits, insurance, hospitality, retail, construction and other industry management work, public policy leadership and advocacy, coaching, teachings, and publications.

A Fellow in the American College of Employee Benefit Counsel, Co-Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee and Vice-Chair and Chair Elect of its International Employment Law Committee, Chair of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee, Ms. Stamer has decades of experience advising employers, investigating and helping employers to defend wage and hour, worker classification, discrimination and other labor and employment, employee benefits and other compliance.

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, life sciences, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. Her experience includes extensive involvement advising clients about preventing, investigating and defending EEOC, DOJ, OFCCP and other Civil Rights Act, Section 1557 and other HHS, HUD, banking, and other federal and state discrimination; EBSA, IRS, and PBGC employee benefit; WHD, CAS, Davis-Bacon and other federal and state wage and hour and other compensation; OSHA and other investigations, audits, lawsuits and other enforcement actions as well as advocacy before Congress and regulators regarding federal and state equal opportunity, equity and other laws. 

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides health care, human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here.


©2024 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™


New WHD Rule To Raise FLSA Salary Threshold 7/1/24 and 1/1/25

April 30, 2024

Employers of salaried workers earning less than $58,656 should begin preparing either to increase the compensation or reclassify and pay those workers as hourly and entitled to overtime to comply with a final rule that will twice raise the salary thresholds required to exempt a salaried bona fide executive, administrative or professional employee from federal overtime pay requirements between July 1, 2024 and January 1, 2025.

Effective July 1, 2024, the final rule adopted April 23, 2024 will increase the salary threshold to the equivalent of an annual salary of $43,888 from the current required salary threshold of $35,568. Thereafter, the final rule further raises the salary threshold to the annual salary equivalent of $58,656 on January 1, 2025.

The July 1, 2024 salary threshold increase is based on the methodology adopted during the Trump administration in the 2019 overtime rule update. Beginning January 1, 2025, the final rule adopts a new methodology, resulting in the additional increase. In addition, the final rule will adjust the threshold for highly compensated employees. Starting July 1, 2027, salary thresholds will update every three years, by applying up-to-date wage data to determine new salary levels.

The impending changes will require employers currently employing salaried workers with annual salaries below the threshold either to increase their salaries above the threshold or to reclassify and compensate them as non-exempt employees, subject to the minimum wage and overtime requirements of the Fair Labor Standards Act (“FLSA”).

When considering whether to raise salaries or reclassify, an employer should begin by reevaluating whether its salaried employees continue to meet the job duty tests to qualify for salaried status. The review of fulfillment of the job duties test should encompass both workers directly employed as employees on the employer’s payroll and any workers secured through contingent workforce, employee leasing, staffing, manpower, consultant, independent contractor, or other similar service arrangements where the potential exists for reclassification of the worker as an employee of the employer or the employer as a joint employer of the employee, taking into account the more aggressive characterization enforcement positions of the Biden Administration.

Employers should conduct this review on all salaried employees, not just those whose current salary is below the upcoming increased minimum level. Reevaluation of the defensibility of all salaried workers’ classification is recommended because many employers mistakenly misclassify workers as salaried rather than hourly due to an overly optimistic misunderstanding of the duties requirements for a worker to qualify as salaried. The risk of misclassification is heightened under the current administration’s enforcement policies. Employers who make this mistake already are at risk for wage and hour liability for record-keeping and overtime violations for these misclassified workers. Raising the salary of a misclassified worker will only make matters worse by increasing the overtime liability that the employer will be required to pay for failure to pay overtime after the increase takes effect.

An employer should work within the scope of attorney-client privilege to conduct this analysis and implement any necessary reclassification of currently salaried workers to hourly and other steps advisable to mitigate and resolve liabilities relating to employees currently classified as salaried identified as at risk of misclassification.

Once an employer verifies that the salaried worker continues to meet the job duties test to qualify for salary status, the employer next should consider whether to reclassify or increase the salary of any salaried employees currently earning less than the increased minimum salary.

For salaried employees whose job duties make their job classification questionable, employers should work with counsel to evaluate whether restructuring of jobs could make the classification more defensible, eliminate or reduce required overtime, or otherwise mitigate the effect of reclassification or maximize the ability to defend the salary classification.

Next, an employer should analyze the economics, taking into account historical and projected overtime hours of work for employees currently earning less than the minimum salary whose job duties defensibly satisfy the salaried job duties test. This evaluation should compare the employer’s projected costs to employ the employee:

  • At an increased salary above the new minimum; versus
  • As an hourly employee taking into account projected overtime.

Under certain circumstances, it also may be possible to utilize rules to treat the employee as salaried, non-exempt. Employers also should consider the likely perceptual impact of the reclassification on affected workers. Many times workers view classification as salaried as a status symbol. Particularly where workers do not work a lot of overtime, reclassification from salary to hourly status may be perceived as a status demotion by some workers. Experienced legal counsel may offer various options to assist in mitigating costs and other impacts of reclassification. Morale issues relating to the reclassification or other aspects of the workplace could create a heightened risk of scrutiny of the employer’s past work classification and overtime pay requirements. As reclassifications also could result in unintended discriminatory practices, employers should work with counsel to review and document the defensibility of any job restructuring or reassignments under applicable employment discrimination laws. The employer’s planning process should anticipate these risks and utilize appropriate risk management procedures.

For employees to be reclassified from salary to hourly, employers also must implement appropriate recordkeeping to meet the FLSA recordkeeping requirements.

Beyond complying with the applicable requirements of the FLSA, impacted employers also will want to reevaluate their budgeting, pricing, and other financial assumptions and practices in preparation of the implications of these increases.

Businesses using contract or other outsourced labor arrangements also will want to ensure that their suppliers are appropriately classifying and paying workers in response to this new adjustment. Biden Administration rules for classifying workers as employers and joint employers make it easier for recipients of these types of services to be held accountable for noncompliance by their suppliers.

Analysis generally should be conducted within the scope of attorney-client privilege because of the possibility that sensitive information about worker classification or misclassification or other evidence may be uncovered and discussed.

For More Information

We hope this update is helpful. For more information about these or other health or other legal, management, or public policy developments, please get in touch with the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452-8297.

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

About the Author 

Recognized by her peers as a Martindale-Hubbell “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition from LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 35 plus years of health, employee benefits, insurance, hospitality, retail, construction and other industry management work, public policy leadership and advocacy, coaching, teachings, and publications.

A Fellow in the American College of Employee Benefit Counsel, Co-Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee and Vice-Chair and Chair Elect of its International Employment Law Committee, Chair of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee, Ms. Stamer has decades of experience advising employers, investigating and helping employers to defend wage and hour, worker classification, discrimination and other labor and employment, employee benefits and other compliance.

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, life sciences, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. Her experience includes extensive involvement advising clients about preventing, investigating and defending EEOC, DOJ, OFCCP and other Civil Rights Act, Section 1557 and other HHS, HUD, banking, and other federal and state discrimination; EBSA, IRS, and PBGC employee benefit; WHD, CAS, Davis-Bacon and other federal and state wage and hour and other compensation; OSHA and other investigations, audits, lawsuits and other enforcement actions as well as advocacy before Congress and regulators regarding federal and state equal opportunity, equity and other laws. 

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here, such as:

ABOUT THIS COMMUNICATION

NOTICE: These statements and materials are for general informational and educational purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstances at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving, subsequent developments are highly likely to affect the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide, any update or otherwise notify anyone of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access to this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2024 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™


Liberty Energy $265,000 EEOC Discrimination Settlement Warns Other Employers

April 30, 2024

The $265,000 that Liberty Energy, Inc., doing business as Liberty Oilfield Services, LLC, will pay to settle a race and national origin discrimination lawsuit brought on behalf of three mechanics by the U.S. Equal Employment Opportunity Commission (EEOC) warns other employers to manage these risks.

The EEOC lawsuit alleged a Black field mechanic and two Hispanic co-workers at Liberty Energy’s Odessa, Texas location were subjected to a hostile environment and referred to with slurs such as the N-word, “beaner,” “wetback” and other derogatory terms.

The employees alleged that they made reports to supervisors, management, and human resources about the discriminatory treatment, but no effective corrective or remedial action was taken by the oil field services company.

Instead, the EEOC’s suit charged that after making his report, the Black mechanic was forced by management to perform undesirable work tasks and was isolated by his peers. With no meaningful action by company management to change the workplace atmosphere and the discriminatory assignments that followed his complaint, he was ultimately left no alternative but to resign.

The EEOC charged this conduct violated Title VII of the Civil Rights Act of 1964, which prohibits discrimination based on race and national origin.

Under the two-year consent decree resolving the suit, in addition to paying $265,000 to the employees, Liberty Energy will adopt and distribute a policy for all human resources and management personnel to effectively respond to reports of discrimination; post a notice in the workplace informing employees of the settlement; adopt and develop a 1-800 hotline for reporting acts of discrimination and/or harassment; and provide specialized training to employees on the federal laws that prohibit employment discrimination, including Title VII.

The suit and settlement demonstrate the need for employers to use care to prevent and manage race, national origin and other employment harassment and discrimination risks. In addition to adopting policies prohibiting discrimination and harassment, employers should conduct training, communicate and post procedures to report suspected violations, and conduct carefully documented investigations and take resulting discipline or other actions demonstrating their enforcement of the policies. Additionally, employers need to take steps to monitor, prevent and redress harassment or other retaliation against workers for complaining or acting as witnesses for investigations. With recently released retaliation guidance, employers also should consider consulting counsel for a review of their existing processes in light of the new rules.

©2024 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™


SCOTUS Makes Defending Job Reassignments Harder

April 18, 2024

Employers should carefully scrutinize job reassignments for possible sex or other prohibited bias in light of the Supreme Court’s April 17th ruling holding that job detriment suffered from a discriminatory reassignment need not be significant to be actionable.

The Supreme Court’s Muldrow v. City of St. Louis decision resulted from a Title VII lawsuit brought by Sergeant Latonya Clayborn Muldrow, a police officer, against the St. Louis Police Department, challenging her reassignment as sexually discriminatory.

Muldrow alleged that she was transferred from her position in the Intelligence Division to a uniformed job in another department because of her gender. Despite maintaining her rank and pay, Muldrow’s responsibilities, perks, and schedule were significantly altered. She filed a Title VII suit against the City of St. Louis, claiming that the transfer constituted sex discrimination with respect to her employment terms and conditions.

Muldrow appealed to the Supreme Court after both the District Court and the Eighth Circuit held that since the transfer did not result in a reduction to her title, salary, or benefits and only caused minor changes in working conditions, Muldrow’s lawsuit could not proceed. Those courts ruled Muldrow had to show that the transfer caused her a “materially significant disadvantage.”

The Supreme Court disagreed. It ruled that an employee challenging a job transfer under Title VII only needed to show some injury respecting her employment terms or conditions, not that the harm was significant.

The ruling that proof of significant job detriment is not required for a reassigned employee to prove a job assignment discriminatory allows reassigned employees significantly more latitude to challenge reassignments as discriminatory. Consequently, employers considering reassignments of employees should carefully scrutinize the proposed changes holistically for any potential detriment that affected employees might use to demonstrate discriminatory job detriment. Additionally, employers should carefully identify and document valid business, discipline or other defensible justifications for a planned job reassignment before taking action to make the job reassignment. Due to the potentially sensitive nature of reviews and discussions regarding this analysis, employers generally will want to conduct this analysis with the guidance of a qualified attorney and within the scope of attorney-client privilege.

©2024 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™


UHG Projects Timeline For Restarting Services Following 2/21 Ransomware Attack

March 25, 2024

UnitedHealthcare Group (UHG) plans to resume this week certain key health benefit and payment functions that it turned off in response to a February 21, 2024 cyberattack.

Health plans, their fiduciaries, health plan sponsors and insurers, and their administrative and other service providers may find these updates helpful to plan and communicate with plan members, providers and others as part of their efforts to fulfill their own responsibilities under the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules; the claims, notice and fiduciary responsibilities under the Employee Retirement Income Security Act of 1974 (ERISA); state contract, prompt pay and other duties to health care providers; or other responsibilities in response to disruptions created by the Blackcat1234 ransomware attack on UHG’s subsidiary Change Healthcare.

UHG Attack

On February 21, 2024, a ransomware attack executed by the Blackcat1234 ransomware group took control of and shut down the payment, revenue cycle management and related tools and systems of UHG subsidiary Change Healthcare. The group is well known for stealing sensitive data and demanding ransom for not publishing it, and public and private cybersecurity monitoring and tracking organizations have warned health care and other system operators to guard against Blackcat1234 and related ransomware attack risks since at least 2022. See, e.g., #StopRansomware: ALPHV Blackcat | CISA.

The Change Healthcare shutdown resulting from the Blackcat1234 ransomware attack has created widespread disruptions to key care authorization, billing and other pharmacy, provider and other plan and provider transactions within health care and health benefit systems nationwide due to the widespread use of the Change Healthcare tools.

Because the Change Healthcare tools and systems are widely used as a financial clearinghouse connecting pharmacy benefit managers, health care providers, and other key players and health plans throughout the health care and health benefits industry, the attack has disrupted and continues to disrupt key billing, care-authorization, payment and other transactions between health care payers and pharmacies, physicians and other health care providers, and between health care payers and their partners, across the health care industry.

The resulting shutdown and disruption to electronic payment and medical claims systems incorporating the compromised Change Healthcare tools create various legal and operational headaches for many health plans and other health care payers by preventing or obstructing the submission and processing of health care claims and other transactions between health care providers and health plans.

While UHG works to remediate and restore the operability and security of the Change Healthcare tools and systems, health plans and insurers, their fiduciaries, and plan sponsors should take timely and prudent steps in response to the breach and resulting disruptions to mitigate the exposure of their health plans and themselves under HIPAA and ERISA. See Manage Health Plan HIPAA, ERISA & Other Exposures From Change Healthcare Ransomware Attack.

Timeline

In its Product Restoration Timeline posted on a UHG website, UHG projects the following timeline for restoring these systems:

Week of 3/25

  • Eligibility Processing: Processes real-time transactions
  • Clearance: Benefits verification and authorization determination
  • MedRX: Pharmacy electronic claims for medical
  • Reimbursement Manager: Claim pricing
  • Coverage Insight: Coverage discovery

Week of 4/1

  • Clinical Exchange: Provider workflow enabling electronic prescribing, ordering and resulting integrated into EHRs
  • Payer Connectivity Services (PCS): EDI validation and editing
  • Hosted Payer Services (HPS): Payer hosting service for eligibility responses to providers
  • Acuity / Pulse: Acuity provides revenue cycle analytics for users of Clearance and Assurance; Pulse provides RCM KPI benchmarks for institutional claims utilizing Assurance client data

Week of 4/8

  • Risk Manager: Supports clients in managing value-based payment contracts
  • Health QX: Retrospective episode-based payment models

No Guarantees

The UHG website warns these dates are projections based on available information. Products will go through a phased reconnection process, including launch, testing and scaled reconnection. The timeline may change as UHG learns more.

Unlisted Services

The Timeline currently does not list all products and services. The UHG website states that the absence of a product from the schedule does not mean that product is more than three weeks away from resumption. Rather, it means that UHG does not yet have line of sight to the week that it expects to restore it. UHG plans to provide updated information as those timelines become clear.

For specific product updates, UHG invites interested persons to subscribe to the products of interest here.

Restoration Webinars

UHG also has shared the following series of webinars providing more information about its restoration efforts:

For Additional Information

We hope this update is helpful. Solutions Law Press, Inc. invites you to receive future updates by registering here and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

If you have questions or need assistance with this or other cybersecurity, health, benefit, payroll, investment or other data, systems or other privacy or security related risk management, compliance, enforcement or management concerns, wish to inquire about arranging for a compliance audit or training, or need legal representation on other matters, contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452-8297.

About the Author 

Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 35 plus years of employee benefit, managed care and other health and insurance industry, workforce and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

A Fellow in the American College of Employee Benefit Counsel, Co-Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee and Vice-Chair Elect of its International Employment Law Committee, Chair-Elect of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading-edge work, scholarship and thought leadership on health benefit and other healthcare and life science, managed care and insurance and other workforce and staffing, employee benefits, safety, contracting, quality assurance, compliance and risk management, and other legal, public policy and operational concerns in the healthcare and life sciences, employee benefits, managed care and insurance, technology and other related industries. She speaks and publishes extensively on these and other related compliance issues.

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, life sciences, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. Author of a multitude of highly regarded publications on HIPAA and other medical record and data privacy and scribe for the ABA JCEB Annual Meeting with the HHS Office of Civil Rights, her experience includes extensive involvement throughout her career in advising health care and life sciences and other clients about preventing, investigating and defending EEOC, DOJ, OFCCP and other Civil Rights Act, Section 1557 and other HHS, HUD, banking, and other federal and state discrimination investigations, audits, lawsuits and other enforcement actions as well as advocacy before Congress and regulators regarding federal and state equal opportunity, equity and other laws. 

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here.

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and educational purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstances at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law and applicable rules are rapidly evolving, it is highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access to this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2024 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™


OCR Guidance Reminds Health Plans To Ensure Online Tracking HIPAA Compliance

March 19, 2024

Health care providers, health plans, health care clearinghouses and their business associates (covered entities) should verify that any online tracking technology used in their or their business partners' websites or mobile applications complies with the Department of Health and Human Services, Office for Civil Rights (OCR) updated guidance on “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates” published March 18, 2024.

The Guidance reminds covered entities that the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules (HIPAA Rules) apply to their use of online tracking technologies like Google Analytics or Meta Pixel, which collect and analyze information about how users are interacting with a regulated entity’s website or mobile application.

The HIPAA Rules apply when the information that regulated entities collect through tracking technologies or disclose to tracking technology vendors includes electronic protected health information (ePHI).

OCR’s information bulletin reminds covered entities that they can only use online tracking technologies provided that the entities comply with their obligations under the HIPAA Rules. Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of ePHI to tracking technology vendors or any other violations of the HIPAA Rules.

OCR’s Bulletin provides a general overview of how the HIPAA Rules apply to covered entities’ use of tracking technologies. Updates to the Bulletin include:

  • Additional examples of when visits to an unauthenticated webpage may or may not involve the disclosure of ePHI.
  • Additional tips for complying with the HIPAA Rules when using online tracking technologies.
  • Guidance about OCR’s enforcement priorities in investigations involving regulated entities’ use of online tracking technologies.

Covered entities need to understand that online tracking technologies commonly are included in website, mobile application, and other Internet-based tools. These tools frequently include online tracking even if not specifically requested by the covered entity.

Covered entities should conduct a documented inventory of all website, mobile app, and other Internet-based tools that they or their business associates use, which includes an assessment of whether those tools include online tracking or other technologies covered by the guidance. For any online tools using tracking capability, covered entities must ensure that the tool is designed and administered to comply with the HIPAA requirements. Covered entities also should adopt a process for regularly reevaluating and monitoring compliance with this and other HIPAA security requirements in their Internet-based and other electronic applications that collect, use, store, access, or disclose electronic protected health information.

Along with specifically evaluating the existence and compliance of any online tracking technologies, covered entities also should reevaluate and reconfirm the adequacy of their electronic security overall. The HIPAA Rules require healthcare providers and other covered entities to regularly conduct documented risk assessments to verify the adequacy of their security safeguards, and to make updates to guard against emerging threats based on these recurrent assessments. The importance of compliance with this ongoing recurrent risk assessment obligation is repeatedly reinforced in each HIPAA settlement announced by OCR. See, e.g., OCR Nails Second HIPAA Covered For Allowing Ransomware Breach.

Covered entities should ensure that they and their business associates maintain compliance with these other HIPAA obligations.

For More Information

We hope this update is helpful. For more information about these or other health or other legal, management, or public policy developments, please get in touch with the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452-8297.

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

About the Author 

Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 35 plus years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.



California Fast Food Minimum Wage Jumps To $20/Hour 4/1

March 19, 2024

The minimum wage applicable to California fast food restaurants increases to $20 per hour on April 1, 2024. This amount is higher than the generally applicable California minimum wage, which rose to $16.00 per hour (or the higher locally mandated rate) for all employers on January 1, 2024. California is one of several States with minimum wage rates higher than the Federal minimum wage of $7.25 per hour. Employers should confirm their practices and budget forecasts are updated to comply with these and other federal, state or local wage and hour law changes.

Under California Assembly Bill AB 1228, beginning April 1, 2024:

  • The minimum wage for covered “fast food restaurant employees” increases to $20/hour; and
  • Employers covered by the fast-food minimum wage must post the supplemental fast food minimum wage notice in English, Spanish and Simplified Chinese.

Because AB 1228 did not increase the allowed tip credits for fast food employers, fast food employers still may only claim the tip credit amounts otherwise allowed by the statewide minimum wage.

Employers can be subject to minimum wage requirements under Federal, state and local laws. The current Federal minimum wage is $7.25 per hour. California is among several States with minimum wage rates set above the federal minimum wage of $7.25 per hour. The U.S. Department of Labor Wage & Hour Division State Minimum Wage Law Table provides a list of currently applicable State minimum wage rates. The generally applicable minimum wage in California is $16 per hour. California and some other states also allow cities and counties to enact higher minimum wage rates for employees working within their local jurisdiction. See e.g., UC Berkeley List. California and some other States also mandate employers to credit certain break or other times as hours worked not required to be counted under the federal minimum wage rules. Employers must count all hours of work and pay a minimum hourly wage for nonexempt employees that meets or exceeds all of these applicable requirements.

A slew of recent U.S. Department of Labor Wage and Hour Division (WHD) high dollar recoveries alert restaurant and other hospitality industry employers to clean up their Fair Labor Standards Act (FLSA) wage and hour, H-2B and other workforce compliance. These and other public and private federal and state enforcement actions show the high cost employers face for violating these and other wage laws.

For More Information

We hope this update is helpful. For more information about these or other health or other legal, management, or public policy developments, please get in touch with the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452-8297.

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

About the Author 

Recognized by her peers as a Martindale-Hubbell “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition from LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 35 plus years of health, employee benefits, insurance, hospitality, retail, construction and other industry management work, public policy leadership and advocacy, coaching, teachings, and publications.

A Fellow in the American College of Employee Benefit Counsel, Co-Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee and Vice-Chair Elect of its International Employment Law Committee, Chair-Elect of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee, Ms. Stamer has decades of experience advising and defending employers on wage and hour and other labor and employment laws.

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, life sciences, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. Her experience includes extensive involvement advising clients about preventing, investigating and defending EEOC, DOJ, OFCCP and other Civil Rights Act, Section 1557 and other HHS, HUD, banking, and other federal and state discrimination; EBSA, IRS, and PBGC employee benefit; WHD, CAS, Davis-Bacon and other federal and state wage and hour and other compensation; OSHA and other investigations, audits, lawsuits and other enforcement actions as well as advocacy before Congress and regulators regarding federal and state equal opportunity, equity and other laws. 



Manage Health Plan HIPAA, ERISA & Other Exposures From Change Healthcare Ransomware Attack

March 17, 2024

What Health Plans, Their Fiduciaries, Vendors & Sponsors Should Be Doing Now

Health plans, their fiduciaries, health plan sponsors and insurers, and their administrative and other service providers should move quickly to understand and act to mitigate the exposures likely to arise under the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules, the claims, notice and fiduciary responsibilities under the Employee Retirement Income Security Act of 1974 (ERISA), state contract, prompt pay and other duties to health care providers or other responsibilities in response to disruptions created by the Blackcat ransomware attack (CH/UHG Attack) experienced by UnitedHealthcare Group (UHG) subsidiary Change Healthcare.

Change Healthcare Ransomware Attack

On February 21, 2024, a ransomware attack executed by the Blackcat ransomware group took control of and shut down the payment, revenue cycle management and related tools and systems of UHG subsidiary Change Healthcare. The group is well known for stealing sensitive data and demanding ransom for not publishing it, and public and private cybersecurity monitoring and tracking organizations have warned health care and other system operators to guard against Blackcat and related ransomware attack risks since at least 2022. See, e.g., #StopRansomware: ALPHV Blackcat | CISA.

The Change Healthcare shutdown resulting from the Blackcat ransomware attack has created widespread disruptions to key care authorization, billing and other pharmacy, provider and other plan and provider transactions within health care and health benefit systems nationwide due to the widespread use of the Change Healthcare tools.

Due to the widespread use of the Change Healthcare tools and systems as a financial clearinghouse for connecting pharmacy benefit managers, health care providers, and other key players and health plans throughout the health care and health benefits industry, the attack has disrupted and continues to disrupt key billing, care-authorization, payment and other transactions between health plans, health care payers and pharmacies, physicians and other health care providers and health care payers and their partners across the health care industry.

As UHG has worked to recover from the Change Healthcare attack, the resulting shutdown and disruption to electronic payment and medical claims systems incorporating the compromised Change Healthcare tools create various legal and operational headaches for many health plans and other health care payers by preventing or obstructing the submission and processing of health care claims and other transactions between health care providers and health plans. While UHG works to remediate and restore the operability and security of the Change Healthcare tools and systems, health plans and insurers, their fiduciaries, and plan sponsors should take timely and prudent steps in response to the breach and resulting disruptions to mitigate the exposure of their health plans and themselves under HIPAA and ERISA.

HIPAA Security & Breach Notification Responsibilities

While most health care providers and health plans expect Change Healthcare and other UHG entities to face potential data breach and breach notification responsibilities and liabilities under HIPAA and other federal and state data privacy and cybersecurity laws, many health plan fiduciaries, sponsors, insurers, and administrative or other service providers have given limited consideration to how the February 21, 2024, cyber event impacted their HIPAA responsibilities and exposures. Guidance published by the U.S. Department of Health and Human Services Office for Civil Rights (OCR) on March 13, 2024, alerts health plans and health insurers, their fiduciaries and plan sponsors, health care providers, health care clearinghouses, and their business associates (covered entities) against overlooking their own potential HIPAA responsibilities arising from the February 21 Change Healthcare attack or other similar events.

HIPAA requires covered entities and their business associates to protect the privacy and security of protected health information, to have and enforce HIPAA-compliant business associate agreements, to conduct timely documented risk assessments in response to known or foreseeable security threats, and to provide notice of a breach to OCR, affected individuals and, for breaches affecting more than 500 individuals, the media.

Under the HIPAA Security Rule, covered entities must conduct documented risk assessments to evaluate and monitor their electronic protected health information (EPHI) and associated systems for potential breaches and other threats that expose EPHI to unauthorized use, access, disclosure, destruction or other compromise.

To fulfill this requirement, the Security Rule requires covered entities and business associates to conduct documented risk assessments impacting their EPHI and to update these risk assessments in response to internal or external events impacting the adequacy of their risk assessments or security safeguards.

While the responsibility of covered entities and business associates to protect EPHI against unauthorized use, access and disclosure from cybercriminals and others receives the most attention, the Security Rule also includes the often less discussed responsibility to protect EPHI and related operating systems against destruction or other disruptions from a wide range of threats including ransomware attacks.

OCR guidance makes clear that OCR views safeguarding EPHI against ransomware and other cybersecurity threats as encompassed in this duty.  As part of these efforts, OCR and other cybersecurity agencies have recommended among other things that covered entities and business associates:

  • Routinely take inventory of assets and data to identify authorized and unauthorized devices and software;
  • Prioritize remediation of known exploited vulnerabilities;
  • Enable and enforce multifactor authentication with strong passwords;
  • Close unused ports and remove applications not deemed necessary for day-to-day operations.

 See e.g., #StopRansomware: ALPHV Blackcat | CISA.

Furthermore, when a breach results in an unauthorized use, access, disclosure or destruction of EPHI, the HIPAA Breach Notification Rule requires covered entities and their business associates to provide timely notification of the breach to subjects of the breached EPHI and OCR, and if the breach affects more than 500 subjects, to the media. Concurrently, the HIPAA Security Rule requires health plans and other covered entities to evaluate through documented risk assessments and take appropriate timely action to update their EPHI security as necessary to respond to breaches, potential breaches and other evolving threats to their EPHI and related systems.

On March 13, 2024, the Office for Civil Rights (OCR) released a “Dear Colleague letter” that warns the February 21, 2024 CH/UHG data breach is likely to trigger HIPAA obligations and investigations for Change Healthcare and UHG as well as other HIPAA-covered health plans, health care providers, health care clearinghouses and business associates. While stating the investigation currently focuses on Change Healthcare and UHC, for instance, the Dear Colleague Letter warns that OCR anticipates that its response to the February 21, 2024 CH/UHG Attack eventually also will include “secondary” investigations of other health plans, health care providers, health care clearinghouses and business associates “tied to or impacted by this attack.”

In light of these anticipated secondary investigations, OCR’s Dear Colleague letter warns health plans, health care providers, health care clearinghouses, and business associates to ensure they timely and properly handle their own potential HIPAA responsibilities arising from the CH/UHG Attack. In anticipation of OCR’s expected secondary investigations, the Dear Colleague letter expressly alerts health plans, health care providers and other covered entities and business associates “that have partnered with Change Healthcare and UHG” to ensure their own ability to demonstrate that their organizations meet all required HIPAA responsibilities, including that:

  • All required business associate agreements are in place;
  • All required breach notifications are provided to HHS, affected persons and in the event of a large breach affecting more than 500 individuals, to the media; and
  • All security and other HIPAA responsibilities are met.

The Dear Colleague Letter also directed covered entities and their business associates to the following previously released OCR resources for assistance in understanding their responsibilities for guarding EPHI against ransomware and other cybersecurity threats:

  • The OCR HIPAA Security Rule Guidance Material webpage;
  • OCR Video on How the HIPAA Security Rule Protects Against Cyberattacks;
  • OCR Webinar on HIPAA Security Rule Risk Analysis Requirement;
  • HHS Security Risk Assessment Tool;
  • Factsheet: Ransomware and HIPAA; and
  • Healthcare and Public Health (HPH) Cybersecurity Performance Goals.

Standing alone, the Dear Colleague Letter makes clear that all covered entities partnered with or impacted by disruptions from the CH/UHG attack need to take documented steps to reevaluate and tighten the adequacy of their existing security safeguards as well as their processes for monitoring and responding to evolving ransomware and other cybersecurity threats in anticipation of becoming the target of potential “secondary” OCR investigations arising from the CH/UHG Attack.

While the Dear Colleague Letter specifically references covered entities and business associates “partnered” with Choice Health, OCR’s previously issued guidance warning all covered entities and their business associates to safeguard their EPHI against ransomware and other cybersecurity threats strongly suggests that all covered entities and business associates should consider the advisability of reevaluating the adequacy of their own EPHI safeguards in light of the heightened ransomware and other cyber threats illustrated by the CH/UHG Attack. Consequently, all covered entities and business associates partnered with or impacted by the CH/UHG Attack or its resulting disruptions specifically, as well as covered entities and business associates generally, should work with experienced legal counsel to conduct documented risk assessments of their systems, exposures, responsibilities and risks, taking into account these developments, as soon as possible in anticipation of complaint or audit driven investigations arising from the Choice Health and other malware events and threats.

ERISA-Covered Health Plan Data Security & Breach Related Fiduciary Duties

In addition to any applicable HIPAA responsibilities, fiduciaries and sponsors of employer or union sponsored health plans subject to the Employee Retirement Income Security Act (ERISA) also should consider whether, in light of the CH/UHG Attack or the heightened ransomware and other cybersecurity threats, any additional actions are prudently necessary to protect the health plan data, assets or operations.

ERISA generally requires individuals or entities named as fiduciaries or otherwise possessing functional discretionary authority or responsibility over a plan or its assets (fiduciaries) to act prudently to protect and administer the plan and its assets. Department of Labor Employee Benefit Security Administration (EBSA) guidance published in April, 2021 first officially confirmed its interpretation of ERISA’s duty of prudence as including a duty to utilize prudent cybersecurity safeguards. Since EBSA published this cybersecurity guidance, EBSA also has added cybersecurity inquiries to its plan fiduciary audits. As a result, in addition to complying with HIPAA, ERISA-covered health plan fiduciaries and sponsors also should be prepared to demonstrate plan fiduciaries acted prudently to comply with HIPAA as well as the following actions to safeguard health and other employee benefit plan data and systems against cybersecurity threats:

  • Tips for Hiring a Service Provider: Helps plan sponsors and fiduciaries prudently select a service provider with strong cybersecurity practices and monitor their activities, as ERISA requires.
  • Cybersecurity Program Best Practices: Assists plan fiduciaries and record-keepers in their responsibilities to manage cybersecurity risks.
  • Online Security Tips: Offers plan participants and beneficiaries who check their retirement accounts online basic rules to reduce the risk of fraud and loss.

In light of this OCR and EBSA guidance, health plan sponsors, fiduciaries and vendors and other HIPAA covered entities and business associates are urged to take documented steps to audit and strengthen as needed their safeguards against hacking and other cybersecurity threats including:

  • In the case of any health plan or health plan vendor, taking well documented steps to assess and tighten as necessary their health plan systems and data security to meet or exceed the recommendations outlined in the EBSA cybersecurity guidance or otherwise necessary to prudently guard their plans and plan data and systems against cybersecurity threats.
  • Reviewing and monitoring on a documented, ongoing basis the adequacy and susceptibilities of existing practices, policies, safeguards of their own organizations, as well as their business associates and their vendors within the scope of attorney-client privilege taking into consideration data available from OCR, data regarding known or potential susceptibilities within their own operations as well as in the media, and other developments to determine if additional steps are necessary or advisable.
  • Updating policies, privacy and other notices, practices, procedures, training and other practices as needed to promote compliance and defensibility.
  • Renegotiating and enhancing service provider agreements to detail the specific compliance, audit, oversight and reporting rights, workforce and vendor credentialing and access control, indemnification, insurance, cooperation and other rights and responsibilities of all entities and individuals that use, access or disclose, or provide systems, software or other services or tools that could impact on security; to clarify the respective rights, procedures and responsibilities of each party in regards to compliance audits, investigation, breach reporting, and mitigation; and other relevant matters.
  • Verifying and tightening technological and other tracking, documentation and safeguards and controls to the use, access and disclosure of protected health information and systems.
  • Conducting well-documented training as necessary to ensure that members of the workforce of each covered entity and business associate understand and are prepared to comply with the expanded requirements of HIPAA, understand their responsibilities and appropriate procedures for reporting and investigating potential breaches or other compliance concerns, and understand as well as are prepared to follow appropriate procedures for reporting and responding to suspected violations or other indicia of potential security concerns.
  • Tracking and reviewing on a systemized, well-documented basis actual and near miss security threats to evaluate, document decision-making and make timely adjustments to policies, practices, training, safeguards and other compliance components as necessary to identify and resolve risks.
  • Establishing and providing well-documented monitoring of compliance that includes board level oversight and reporting at least quarterly and sooner in response to potential threat indicators.
  • Establishing and providing well-documented timely investigation and redress of reported violations or other compliance concerns.
  • Establishing contingency plans for responding in the event of a breach. 
  • Establishing a well-documented process for monitoring and updating policies, practices and other efforts in response to changes in risks, practices and requirements.
  • Preparing and maintaining a well-documented record of compliance, risk, investigation and other security activities.
  • Pursuing other appropriate strategies to enhance the covered entity’s ability to demonstrate its compliance commitment both on paper and in operation.

Because of susceptibilities in systems, software and other vendors of business associates, covered entities and their business associates should use care to assess and manage business associate and other vendor associated risks and compliance as well as tighten business associate and other service agreements to promote the improved cooperation, coordination, management and oversight required to comply with the new breach notification and other HIPAA requirements by specifically mapping out these details.

Furthermore, while the preemption provisions of ERISA generally insulate health plans and their sponsors from responsibility or liability for complying with state insurance, data security, breach notification or other state law cybersecurity and cyber breach and breach notification laws and rules, health insurers and other health plan service providers generally remain subject to these state law requirements.  Consequently, health insurers, administrative service providers and other health plan vendors also should act promptly to evaluate and ensure their fulfillment of all applicable cybersecurity and data breach mandates under relevant state law.

Leaders of covered entities or their business associates also are cautioned that while HIPAA itself does not generally create any private right of action for victims of breach under HIPAA, breaches may create substantial liability for their organizations or increasingly, organizational leaders under state data privacy and breach, negligence or other statutory or common laws.  In addition, physicians and other licensed parties may face professional discipline or other professional liability for breaches violating statutory or ethical standards.  Meanwhile, the Securities and Exchange Commission has indicated that it plans to pursue enforcement against leaders of public health care or other companies that fail to use appropriate care to ensure their organizations comply with privacy and data security obligations and the Employee Benefit Security Administration recently has issued guidance recognizing prudent data security practices as part of the fiduciary obligations of health plans and their fiduciaries.

Finally, health plans and other covered entities are reminded that appropriate strategic planning and use of attorney-client privilege and other evidentiary tools can critically impact the defensibility of pre-breach, breach investigation and post-breach investigation and decision-making. Because HIPAA, EBSA and other rules typically require prompt investigation and response to known or suspected hacking or other cybersecurity threats, health plans and other covered entities or business associates should seek the assistance of experienced legal counsel to advise and assist in these activities to understand the potential availability and proper use of these and other evidentiary rules as part of the compliance planning process as well as to prepare for appropriate use in the event of a known or suspected incident to avoid unintentional compromise of these protections.

ERISA & Other Risks From Untimely Acceptance & Processing of Health Plan Eligibility & Benefit Provisions

Since Change Health shut down its tools and systems, the CH/UHG Attack has created and continues to cause nationwide disruptions in the ability of pharmacy, physician and other health care providers to submit, and health plans and insurers to receive and process, a wide range of health care billing, claims and other transactions because of the widespread integration and use of Choice Health tools in systems health care providers and payers use for the submission, receipt, and processing of health care provider eligibility, billing and other health benefits.

Along with the liabilities and headaches that the ransomware attack and resulting disruptions create for Choice Healthcare and UHG, delays and other disruptions in the handling of health benefit eligibility, claims processing, notifications and payment by health plans and their administrative services providers arising from the attack can create a host of additional liability headaches for health plans, health insurers, their fiduciaries and administrative services providers in addition to those arising directly from the HIPAA and other cybersecurity breach itself.

For ERISA-covered health plans, ERISA generally holds health plans and their fiduciaries accountable for the prudent, timely administration of health plan eligibility, claims and other administrative functions in accordance with the terms of the plan and within the applicable time frames and other requirements of ERISA’s reasonable claims procedure and adverse benefit determination rules.  Health plans and their ERISA plan administrators generally must receive and process claims transactions required by the adverse claim determination regulations and provide participants or beneficiaries with detailed written notifications for any claims not processed and paid within the relevant 72-hour, 15-day or 30-day time period specified by the adverse claim determination rules.  Noncompliance with these requirements both undermines the defensibility of the health plan’s denial of coverage and subjects the plan administrator to liability for EBSA penalties and/or discretionary awards of penalties plus attorneys’ fees and other costs of enforcement to plan participants or beneficiaries for failures to deliver timely notification of the denial.  To the extent that EBSA or a court determines that the failure to timely and appropriately process and pay benefits resulted from a lack of prudence or other breach of ERISA fiduciary duties, fiduciaries are at risk for incurring personal liability for actual damages to the plan or its participants plus attorneys’ fees and other costs of enforcement; EBSA penalties for engaging in a breach of fiduciary duty under ERISA section 502(l); or both.

Beyond these ERISA-related risks, delays in processing and payment of health care provider claims also create potential additional liability for health insurers, health plans and their administrators to the extent the disruptions prevent the timely payment and processing of health benefit claims in violation of health care provider rights under managed care or other provider contracts, prompt pay and surprise billing or other provider legal rights. Unlike member claims assigned to providers, ERISA generally does not preempt these nonderivative provider rights and claims or the additional state law damages, penalties or other remedies arising under state law against health insurers, health plans and plan administrators found to violate these rules. Consequently, delays in payments to providers also could substantially increase the costs and liabilities of health insurers, health plans, their fiduciaries, administrators, and employers and other sponsors obligated under the plan terms or vendor contracts to pay these costs.

In light of these and other potential risks, health insurers and health plans, their employer, union and other sponsors, fiduciaries, administrative services providers and other vendors should act quickly to investigate and ensure proper management of the fallout from the CH/UHG Attack and the heightened ransomware and other cybersecurity threats it represents.

Along with working with qualified legal counsel to address the potential HIPAA, ERISA and other responsibilities the health plan or insurer, its fiduciaries, service providers and sponsor bear from the CH/UHG Attack and other cyber risks, most parties also will want to evaluate obligations to notify cybersecurity and other liability insurers, seek indemnification from Choice Healthcare, UHG or other potentially culpable parties and evaluate other sensitive data and strategies for mitigation of their health plan and their own resulting liabilities, costs and other consequences.

For Additional Information

We hope this update is helpful. Solutions Law Press, Inc. invites you to receive future updates by registering here and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

If you have questions or need assistance with this or other cybersecurity, health, benefit, payroll, investment or other data, systems or other privacy or security related risk management, compliance, enforcement or management concerns, to inquire about arranging for compliance audit or training, or need legal representation on other matters, contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452-8297.

About the Author 

Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 35 plus years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

A Fellow in the American College of Employee Benefit Counsel, Co-Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee and Vice-Chair Elect of its International Employment Law Committee, Chair-Elect of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading-edge work, scholarship and thought leadership on health benefit and other healthcare and life science, managed care and insurance and other workforce and staffing, employee benefits, safety, contracting, quality assurance, compliance and risk management, and other legal, public policy and operational concerns in the healthcare and life sciences, employee benefits, managed care and insurance, technology and other related industries. She speaks and publishes extensively on these and other related compliance issues.

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, life sciences, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. Author of a multitude of highly regarded publications on HIPAA and other medical record and data privacy and scribe for the ABA JCEB Annual Meeting with the HHS Office of Civil Rights, her experience includes extensive involvement throughout her career in advising health care and life sciences and other clients about preventing, investigating and defending EEOC, DOJ, OFCCP and other Civil Rights Act, Section 1557 and other HHS, HUD, banking, and other federal and state discrimination investigations, audits, lawsuits and other enforcement actions as well as advocacy before Congress and regulators regarding federal and state equal opportunity, equity and other laws. 

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here, such as:

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and educational purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstances at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. The law is rapidly evolving, and rapidly evolving rules make it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access to this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2024 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™


Wage & Hour Takes Aim At Restaurant & Other Hospitality Employers

February 8, 2024

A slew of recent U.S. Department of Labor Wage and Hour Division (WHD) high dollar recoveries alert restaurant and other hospitality industry employers to clean up their Fair Labor Standards Act (FLSA) wage and hour, H-2B and other workforce compliance.

Popeyes Franchise – $212,000

On February 7, 2024, the Labor Department announced its recovery of $212,000 in back wages and penalties from California Popeyes franchisee 14th St. Chicken Corp. for violations of federal child labor and wage and hour laws. The WHD says this is the third time that it has cited the franchisee for violations of the Fair Labor Standards Act.

The latest WHD investigation found the Popeyes fast-food chain franchisee violated the FLSA by shortchanging workers by failing to pay overtime earnings for hours worked over 40 in a workweek.

Additionally, the investigation revealed the franchisee violated child labor rules by hiring children as young as 13 years old and minors who worked later and longer than permitted by child labor laws at the employer’s three Oakland, Tracy and Newark locations.

Prior violations involved the Oakland and Tracy restaurants in 2003 and 2022, respectively.

For these violations, WHD:

  • Recovered $39,826 in unpaid overtime wages and $39,826 in damages for 15 employees;
  • Imposed $121,104 in civil money penalties for child labor violations;
  • Imposed $12,104 in civil money penalties for overtime violations.

In fiscal year 2023, the Wage and Hour Division found child labor violations in more than 950 investigations, resulting in more than $8 million in penalties assessed to employers.

The announcement warns the Labor Department plans to continue prioritizing child labor law investigations and enforcement, quoting Wage and Hour Division Assistant District Director Alberto Raymond as saying:

“The U.S. Department of Labor is determined to fight child labor violations in all sectors, including the fast-food industry.”

Sails Restaurant LLC – $184,139

On February 7, 2024, the Labor Department announced its recovery of $184,139 in back wages and liquidated damages for 56 seasonal guest workers and U.S. workers of a Naples restaurant after finding multiple violations of federal nonimmigrant work program regulations and federal minimum wage and overtime regulations.

The federal H-2B visa program permits U.S. employers to temporarily hire nonimmigrants to perform nonagricultural labor or services. However, the employment must be for a limited, specific period of time, such as a one-time occurrence, seasonal, peak load or intermittent need and the employment must comply with all the conditions for hiring applicable to that program.

The WHD says its investigation of Sails Restaurant LLC (Sails) found multiple violations of requirements of the H-2B worker visa program including:

  • Misrepresenting job requirements despite having previously used and knowing the requirements by willfully misrepresenting access to high-paid server positions with unlimited earnings potential when instead no such job existed; promotional positions out of reach for many; and shifting a dining room attendant to another job as a construction laborer;
  • Imposing special experience requirements for H-2B workers to qualify for jobs;
  • Failing to list all qualifications in the job order;
  • Not giving proper notices related to job termination, denying H-2B workers U.S. work status rights;
  • Improperly classifying jobs or excluding job tasks on work orders;
  • Failing to provide job orders or notify workers of their rights; and
  • Not reimbursing visa expenses for H-2B workers, despite being aware of the requirement.

WHD also found Sails violated the Fair Labor Standards Act (FLSA) by illegally keeping the tips of some H-2B and U.S. workers, failing to pay one worker their last paycheck and paying an incorrect overtime rate to tipped employees.

For these violations, WHD required Sails to pay the wrongfully denied wages and assessed $53,536 in civil money penalties.

Wage and Hour Division District Director Nicolas Ratmiroff warned, “Hospitality and food industry employers must understand that regardless of whether the employer is taking a tip credit, employers are prohibited from keeping employee tips or requiring that an employee give their tips to the employer, a supervisor, or manager.”

$359,000 Retaliation Judgment

Along with complying with FLSA, child and migrant labor and other rules, employers also are cautioned to avoid retaliation against workers in violation of federal employment laws by the first-ever federal court order to jointly impose liability against an employer for violation of the FLSA and the Occupational Safety and Health Act (OSH Act).

In a December 15, 2023 judgment, a federal court ordered a Milford sports bar and its owner to pay employees a total of $359,485 in back pay, emotional distress damages, withheld compensation and punitive damages for violating the anti-retaliation provisions of the FLSA and the OSH Act.

The retaliation judgment resulted from a Labor Department lawsuit filed against Milford Sports Bars LLC, doing business as Champions Grill and Bar, and its owner, Loren Drotos, who is also known as Mark Roberts, Mark Drotos and Mark Lawrence.

The suit filed in the U.S. District Court for the District of Connecticut in February, 2022 alleged that in January 2022, the employers threatened an employee who asked the employer to pay him compensation earned, then unlawfully terminated employees who participated in an inspection by the Occupational Safety and Health Administration.

The Labor Department also alleged that, after firing employees within days of exercising these federally protected rights, the employers sought to further chill employees from engaging in protected activities and cooperating with federal investigators by sending a message to employees that they should not talk to the Labor Department.

The District Court accepted the Labor Department’s allegations as true and issued an order granting $6,770 in back pay, $2,715 in withheld wages, $125,000 in emotional distress damages and $225,000 in punitive damages to the affected employees. The court order also prohibits the employers from future violations of the anti-retaliation provisions of the FLSA and OSH Act.

According to Regional Solicitor of Labor Maia Fisher, “The court’s award of $225,000 in punitive damages and over $359,000 in damages overall sends a clear message that the U.S. Department of Labor will not tolerate such behavior.”

Restaurant & Other Hospitality Employers Should Strengthen Compliance & Risk Management

Following on the heels of other similar enforcement actions, these Labor Department actions send a clear signal that restaurant and other hospitality employers should ensure their ability to defend their compliance with the FLSA, H-2B and other foreign labor, OSHA, anti-retaliation and other laws enforced by the Labor Department.

The award against Ole Jose Grill & Cantina warns other restaurant and food services employers to use care to properly classify, track hours of work and pay all required wages and overtime.

For More Information

We hope this update is helpful. For more information about these or other health or other legal, management, or public policy developments, please get in touch with the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452-8297.

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Recognized by her peers as a Martindale-Hubbell “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 35 plus years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

A Fellow in the American College of Employee Benefit Counsel, Co-Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee and Vice-Chair Elect of its International Employment Law Committee, Chair-Elect of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading-edge work, scholarship and thought leadership on heath benefit and other healthcare and life science, managed care and insurance and other workforce and staffing, employee benefits, safety, contracting, quality assurance, compliance and risk management, and other legal, public policy and operational concerns in the healthcare and life sciences, employee benefits, managed care and insurance, technology and other related industries. She speaks and publishes extensively on these and other related compliance issues.

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, life sciences, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. Author of a multitude of highly regarded publications on HIPAA and other medical record and data privacy and scribe for the ABA JCEB Annual Meeting with the HHS Office of Civil Rights, her experience includes extensive involvement throughout her career in advising health care and life sciences and other clients about preventing, investigating and defending EEOC, DOJ, OFCCP and other Civil Rights Act, Section 1557 and other HHS, HUD, banking, and other federal and state discrimination investigations, audits, lawsuits and other enforcement actions as well as advocacy before Congress and regulators regarding federal and state equal opportunity, equity and other laws. 

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here, such as:

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and educational purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstances at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law and applicable rules are rapidly evolving, it is highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access to this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2024 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™