Health Care Provider |

$2.4M HIPAA Settlement Message Warns Health Plans & Providers Against Sharing Medical Info With Media, Others

May 10, 2017

Healthcare providers, health plans, healthcare clearinghouses and their business associates (Covered Entities) can’t disclose the name or other protected health care information about a patient in press releases or other announcements without prior authorization from the patient. That’s the clear lesson Covered Entities should learn from the $2.4 million payment to the U.S. Department of Health and Human Services (HHS) that the largest not-for-profit health system in Southeast Texas, Memorial Hermann Health System (MHHS) is paying to settle charges it violated the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule by issuing a press release with the name and other protected health information (PHI) about a patient without the patient’s prior HIPAA-compliant authorization under a Resolution Agreement and Corrective Action Plan (Resolution Agreement) announced May 10, 2017 by HHS Office of Civil Rights (OCR).

The Resolution Agreement resolves OCR charges the operator of 13 hospitals, eight Cancer Centers, three Heart & Vascular Institutes, and 27 sports medicine and rehabilitation centers violated the Privacy Rule that resulted from an OCR compliance review of MHHS triggered by multiple media reports suggesting that MHHS improperly disclosed the name and other details about a patient arrested and charged with presenting an allegedly fraudulent identification card to office staff at an MHHS’s clinic after MHHS clinic staff alerted law enforcement of suspicions the patient was presenting false identification to the clinic. According to OCR, after law enforcement investigated and arrested the patient, MHHS published a press release concerning the incident in which MHHS senior management approved the impermissible disclosure of the patient’s PHI by adding the patient’s name in the title of the press release without securing prior authorization of the patient.

While OCR concluded the report to law enforcement allowable under the Privacy Rule, OCR found MHHS violated the Privacy Rule by issuing the press release disclosing the patient’s name and other PHI without authorization from the patient and also by failing to timely document the sanctioning of its workforce members for impermissibly disclosing the patient’s information.

To resolve and avoid the potential Civil Monetary Penalties that HIPAA could authorize OCR to impose for the alleged Privacy Rule violation, MHHS agrees in the Resolution Agreement to pay OCR a $2.4 million monetary settlement and implement a corrective action plan that obligates MHHS to update and train its workforce on its policies and procedures on safeguarding PHI from impermissible uses and disclosures including specific instructions and procedures to:

Address (a) Uses and disclosures for which an authorization is required, including to the media, to public officials, and on the internet; (b) Disclosures for law enforcement purposes; and (c) Uses and disclosures for health oversight activities;
Identify MHHS personnel or representatives whom workforce members, agents, or business associates may contact in the event of any inquiry or concern regarding compliance with HIPAA in relation to these activities;
Internal reporting procedures requiring all workforce members to report to the designated person or office at the earliest possible time any potential violations of the Privacy, Security or Breach Notification Rules or of MHHS’ privacy and security policies and procedures and MHHS promptly to investigate and address all received reports in a timely manner; and
Application and documentation of appropriate sanctions (which may include retraining or other instructive corrective action, depending on the circumstances) against members of MHHS’ workforce, including senior level management, who fail to comply with the Privacy, Security or Breach Notification Rules or MHHS’ privacy and security policies and procedures, including a description of the sanctions; a timeframe in which MHHS will apply and document sanctions for violations of the HIPAA Rules or of MHHS’ privacy, security or breach policies or procedures; the manner in which MHHS will document the sanctions; and where MHHS will store or retain such documentation (e.g., personnel file).

The corrective action plan in the Resolution Agreement also requires all MHHS facilities to attest to their understanding of permissible uses and disclosures of PHI, including disclosures to the media and others.

Covered entities should keep in mind the MHHS Resolution Agreement is the latest in a series of OCR enforcement actions and resolution agreements highlighting the need for Covered Entities to adopt and use appropriate policies and procedures to prevent wrongful disclosures of PHI to the media or public. For instance, in June, 2013, OCR required Shasta Regional Medical Center (SRMC) to pay a $275,000 settlement payment and implement a comprehensive corrective action plan to resolve OCR charges stemming from SRMC’s disclosure of PHI about a patient to members of the media and its workforce in an effort to respond to accusations the patient made that SRMC engaged in fraud and other misconduct. See HIPAA Sanctions Triggered From Covered Entity Statements To Media, Workforce. In contrast, the $2.2 million resolution agreement that OCR required New York Presbyterian Hospital for improperly allowing a film crew to film hospital patients in violation of HIPAA was almost 10 times greater than the SRMC penalty and was accompanied by OCR’s publication OCR of specific additional guidance warning Covered Entities against improper disclosures to the media. See $2 Million+ HIPAA Settlement, FAQ Warn Providers Protect PHI From Media, Other Recording Or Use.

Following on the heels of this previous guidance and prior enforcement actions warning Covered Entities against wrongful disclosure to the media, the MHHS Resolution Agreement sends a strong message to Covered Entities that they should expect little sympathy if their organizations improperly share PHI with the media. OCR’s announcement of the MHHS Resolution Agreement, for instance quotes OCR Director Roger Severino with stating that “Senior management should have known that disclosing a patient’s name on the title of a press release was a clear HIPAA Privacy violation that would induce a swift OCR response.” The announcement goes on to quote Director Severino further as stating, “This case reminds us that organizations can readily cooperate with law enforcement without violating HIPAA, but that they must nevertheless continue to protect patient privacy when making statements to the public and elsewhere.”

Conduct Entity-Wide Risk Assessment & Review & Tighten Media Relations Policies, Processes & Training ASAP

Covered entities should heed the warning by conducting a risk assessment of their organization’s susceptibility to potential improper disclosures to media or others and reviewing and implementing necessary written policies, procedures and training to prevent the improper disclosure of patient PHI to media or others unless the Covered Entity either secures prior HIPAA-compliant authorization from the patient or can prove the disclosure falls squarely under an exception to the Privacy Rule’s prohibition against disclosure of PHI without authorization except as allowed by the Privacy Rule.

Taking these and other needed steps to evaluate, and strengthen and enforce as needed, risk assessments, policies, procedures, and training to prevent wrongful use, access or disclosure of PHI to the media or others is particularly critical in light of the ongoing tightening of expectations, and rising enforcement and sanctions for HIPAA violations since Congress amended HIPAA in 2009. See OCR Audit Program Kickoff Further Heats HIPAA Privacy Risks; HIPAA Heats Up: HITECH Act Changes Take Effect & OCR Begins Posting Names, Other Details Of Unsecured PHI Breach Reports On Website.

Based on experiences reported in the MHHS and other similar resolution agreements, Covered Entities also generally will want to ensure that their policies, procedures and training extend to all potential sources of communications that could involve patient information and make clear that the Privacy Rule restrictions must be followed even if the circumstances involve allegations of misconduct, special performance by healthcare providers or others that it would benefit the organization or certain individuals to have known to the public, or other circumstances likely to be of interest to the media or other parties.

As part of this process, covered entities should ensure they look outside the four corners of their Privacy Policies to ensure that appropriate training and clarification is provided to address media, practice transition, workforce communication and other policies and practices that may be covered by pre-existing or other policies of other departments or operational elements not typically under the direct oversight and management of the Privacy Officer such as media relations. Media relations, physician and patients affairs, outside legal counsel, media relations, marketing and other internal and external departments and consultants dealing with the media, the public or other inquiries or disputes should carefully include and coordinate with the privacy officer both to ensure appropriate policies and procedures are followed and proper documentation created and retained to show authorization, account, or meet other requirements.

In conducting this analysis and risk assessment, it will be important that Covered Entities include, but also look beyond the four corners of their Privacy Policies to ensure that their review and risk assessment identifies and assesses and addresses compliance risks on an entity wide basis. This entity-wide assessment should include both communications and requests for information normally addressed to the Privacy Officer as well as requests and communications that could arise in the course of media or other public relations, practice transition, workforce communication and other operations not typically under the direct oversight and management of the Privacy Officer. For this reason, Covered Entities also generally will not only to adopt and implement specific policies, processes and training in these other departments to prohibit and prevent inappropriate disclosures of PHI in the course of those departments operations. It also may be advisable to pre-established processes for reviewing media or other communications for potential PHI content and require prior review of any proposed public relations and other internal or external communications containing patient PHI or other information by the privacy officer, legal counsel or another suitably qualified party.

Because of the high risk that the preparation or review of media or other public communications reports will involve the use and disclosure of PHI, Covered Entities also generally should verify that all outside media or public relations, legal, or other outside service providers participating in the investigation, response or preparation or review of communications to the media or others both are covered by signed business associate agreements that fulfill the Privacy Rule and other requirements of HIPAA as well as possess detailed knowledge and understanding of the Privacy and Security Rules suitable to participate in and help safeguard the Covered Entity against violations of these and other Privacy Rules. See e.g., Latest HIPAA Resolution Agreement Drives Home Importance Of Maintaining Current, Signed Business Associate Agreements.

About The Author

Recognized by LexisNexis® Martindale-Hubbell® as a “AV-Preeminent” (Top 1%/ the highest) and “Top Rated Lawyer,” with special recognition as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Health Care,” “Labor & Employment,” “Tax: Erisa & Employee Benefits” and “Business and Commercial Law” by D Magazine, the author of this update is widely known for her 29 plus years’ of work in health care, health benefit, health policy and regulatory affairs and other health industry concerns as a practicing attorney and management consultant, thought leader, author, public policy advocate and lecturer.

Throughout her adult life and nearly 30-year legal career, Ms. Stamer’s legal, management and governmental affairs work has focused on helping health industry, health benefit and other organizations and their management use the law, performance and risk management tools and process to manage people, performance, quality, compliance, operations and risk. Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer supports these organizations and their leaders on both a real-time, “on demand” basis as well as outsourced operations or special counsel on an interim, special project, or ongoing basis with strategic planning and product and services development and innovation; workforce and operations management, crisis preparedness and response as well as to prevent, stabilize and cleanup legal and operational crises large and small that arise in the course of operations.

As a core component of her work, Ms. Stamer has worked extensively throughout her career with health care providers, health plans and insurers, managed care organizations, health care clearinghouses, their business associates, employers, banks and other financial institutions, management services organizations, professional associations, medical staffs, accreditation agencies, auditors, technology and other vendors and service providers, and others on legal and operational compliance, risk management and compliance, public policies and regulatory affairs, contracting, payer-provider, provider-provider, vendor, patient, governmental and community relations and matters including extensive involvement advising, representing and defending public and private hospitals and health care systems; physicians, physician organizations and medical staffs; specialty clinics and pharmacies; skilled nursing, home health, rehabilitation and other health care providers and facilities; medical staff, accreditation, peer review and quality committees and organizations; billing and management services organizations; consultants; investors; technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, insurers, self-insured health plans and other payers; and other health industry clients to manage and defend compliance, public policy, regulatory, staffing and other operations and risk management concerns. A core focus of this work includes work to establish and administer compliance and risk management policies; comply with requirements, investigate and respond to Board of Medicine, Health, Nursing, Pharmacy, Chiropractic, and other licensing agencies, Department of Aging & Disability, FDA, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; dealings with JCHO and other accreditation and quality organizations; investigation and defense of private litigation and other federal and state health care industry investigations and enforcement; insurance or other liability management and allocation; process and product development; managed care, physician and other staffing, business associate and other contracting; evaluation, commenting or seeking modification of regulatory guidance, and other regulatory and public policy advocacy; training and discipline; and a host of other related concerns for public and private health care providers, health insurers, health plans, technology and other vendors, employers, and others.

Author of leading works on HIPAA and other privacy and data security works and the scribe leading the American Bar Association Joint Committee on Employee Benefits Annual Agency Meeting with OCR, her experience includes extensive compliance, risk management and data breach and other crisis event investigation, response and remediation under HIPAA and other data security, privacy and breach laws. Heavily involved in health care and health information technology, data and related process and systems development, policy and operations innovation and a Scribe for ABA JCEB annual agency meeting with OCR for many years who has authored numerous highly regarded works and training programs on trade secret, HIPAA and other medical, consumer, insurance, tax, and other privacy and data security, Ms. Stamer also is widely recognized for her extensive work and leadership on leading edge health care and benefit policy and operational issues including meaningful use and EMR, billing and reimbursement, quality measurement and reimbursement, HIPAA, FACTA, PCI, trade secret, physician and other medical confidentiality and privacy, federal and state data security and data breach and other information privacy and data security rules and many other concerns.

In connection with this work, Ms. Stamer has worked extensively with health care providers, health plans, health care clearinghouses, their business associates, employers and other plan sponsors, banks and other financial institutions, and others on risk management and compliance with HIPAA, FACTA, trade secret and other information privacy and data security rules, including the establishment, documentation, implementation, audit and enforcement of policies, procedures, systems and safeguards, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and enforcement, and a host of other related concerns. Her clients include public and private health care providers, health insurers, health plans, technology and other vendors, and others.

Her work includes both regulatory and public policy advocacy and thought leadership, as well as advising and representing a broad range of health industry and other clients about policy design, drafting, administration, business associate and other contracting, risk assessments, audits and other risk prevention and mitigation, investigation, reporting, mitigation and resolution of known or suspected violations or other incidents and responding to and defending investigations or other actions by plaintiffs, DOJ, OCR, FTC, state attorneys’ general and other federal or state agencies, other business partners, patients and others.

In addition to representing and advising these organizations, she also has conducted training on Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, MGMA, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.

A former lead consultant to the Government of Bolivia on its Pension Privatization Project with extensive domestic and international public policy concerns in Pensions, healthcare, workforce, immigration, tax, education and other areas.

The American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting, former Vice President of the North Texas Health Care Compliance Professionals Association, past Chair of the ABA Health Law Section Managed Care & Insurance Section, past ABA JCEB Council Representative, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has worked closely with a diverse range of physicians, hospitals and healthcare systems, DME, Pharma, clinics, health care providers, managed care, insurance and other health care payers, quality assurance, credentialing, technical, research, public and private social and community organizations, and other health industry organizations and their management deal with governance; credentialing, patient relations and care; staffing, peer review, human resources and workforce performance management; outsourcing; internal controls and regulatory compliance; billing and reimbursement; physician, employment, vendor, managed care, government and other contracting; business transactions; grants; tax-exemption and not-for-profit; licensure and accreditation; vendor selection and management; privacy and data security; training; risk and change management; regulatory affairs and public policy and other concerns.

Past Chair of the ABA Managed Care & Insurance Interest Group and, a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also has extensive health care reimbursement and insurance experience advising and defending health plans, health care providers, payers, and others about Medicare, Medicaid, Medicare and Medicaid Advantage, Tri-Care, self-insured group, association, individual and group and other health benefit programs and coverages including but not limited to advising public and private payers about coverage and program design and documentation, advising and defending providers, payers and systems and billing services entities about systems and process design, audits, and other processes; provider credentialing, and contracting; providers and payer billing, reimbursement, claims audits, denials and appeals, coverage coordination, reporting, direct contracting, False Claims Act, Medicare & Medicaid, ERISA, state Prompt Pay, out-of-network and other “nonpar,” insured, and other health care claims, prepayment, post-payment and other coverage, claims denials, appeals, billing and fraud investigations and actions and other reimbursement and payment related investigation, enforcement, litigation and actions.

A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, privacy and data security, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns.

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her thought leadership, experience and advocacy on these and other related concerns by her service in the leadership of the Solutions Law Press, Inc. Coalition for Responsible Health Policy, its PROJECT COPE: Coalition on Patient Empowerment, and a broad range of other professional and civic organizations including North Texas Healthcare Compliance Association, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children (now Warren Center For Children); current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, past Representative and chair of various committees of ABA Joint Committee on Employee Benefits; an ABA Health Law Coordinating Council representative, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, a former member of the Board of Directors of the Southwest Benefits Association and others.

Ms. Stamer also is a highly popular lecturer, symposium and chair, faculty member and author, who publishes and speaks extensively on health and managed care industry, human resources, employment and other privacy, data security and other technology, regulatory and operational risk management. Examples of her many highly regarded publications on these matters include “Protecting & Using Patient Data In Disease Management: Opportunities, Liabilities And Prescriptions,” “Privacy Invasions of Medical Care-An Emerging Perspective,” “Cybercrime and Identity Theft: Health Information Security: Beyond HIPAA,” as well as thousands of other publications, programs and workshops these and other concerns for the American Bar Association, ALI-ABA, American Health Lawyers, Society of Human Resources Professionals, the Southwest Benefits Association, the Society of Employee Benefits Administrators, the American Law Institute, Lexis-Nexis, Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, the HCCA, ISSA, HIMSS, Modern Healthcare, Managed Healthcare, Institute of Internal Auditors, Society of CPAs, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other symposia and publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, Insurance Thought Leadership and many other prominent publications and speaks and conducts training for a broad range of professional organizations.

For more information about Ms. Stamer or her health industry and other experience and involvements, see here or contact Ms. Stamer via telephone at (469) 767-8872 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources here.

©2017 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ All other rights reserved. For information about republication or other use, please contact Ms. Stamer here.

Comments Off on $2.4M HIPAA Settlement Message Warns Health Plans & Providers Against Sharing Medical Info With Media, Others | ADA, board of directors, Brokers, Cafeteria Plans, Civil Monetary Penalties, Civil Rights, compliance, conflict of interest, Corporate Compliance, corporate governance, Cybercrime, Data Breach, Data Security, directors, Disability Discrimination, Electronic Medical Record, employee, Employee Benefits, Employer, Employers, Employment, EMR, ERISA, Fair Credit Reporting Act, fiduciary duty, GINA, HIPAA, HIPAA, Hiring, HR, Human Resources, Identity Theft, Insurance, insurers, Internal Controls, Internal Investigations, Internal Revenue Code, IRC, Leadership, LGBT, Management, Medicare Part D, Mental Health, Mental Health Parity, MEWA, Physician, Prescription Drugs, Privacy, Professional Liability, Protected Health Information, Provider, Risk Management, Technology, third party administrators, Uncategorized | Tagged: Health Care Provider, Health Plans, HIPAA, Medical Privacy, PHI, Privacy | Permalink
Posted by Cynthia Marcotte Stamer

HHS Claims Average $69/Month Cost for Subsidized Coverage Shows ACA Success Challenged

June 18, 2014

The Department of Health & Human Services (HHS) is touting a new report available here released today that it says people who qualified for tax credits to buy health insurance coverage through the health insurance exchange who selected silver plans, the most popular plan type in the federal Marketplace, paid an average premium of $69 per month. In the federal Marketplace, 69 percent of enrollees who selected Marketplace plans with tax credits had premiums of $100 a month or less, and 46 percent of $50 a month or less after tax credits. The balance of the cost of the coverage is covered via subsidies. Other sources, however, say the data in the report raises concerns about the overall cost of the health care reform law and its impact on the total cost of coverage.

HHS says the report also looks at competition and choice nationwide among health insurance plans in 2013-2014. HHS claims that the report shows most individuals shopping in the Marketplace had a wide range of health plans from which to choose. On average, consumers could choose from five health insurers and 47 Marketplace plans. An increase of one issuer in a rating area is associated with 4 percent decline in the second-lowest cost silver plan premium, on average.

While the HHS report by focusing on what subsidized individuals pay out of pocket spins the data to give the impression that the health care reform law is bringing down health care costs as promised, other sources say the data in the Report raises serious concerns about the overall cost of the health care reform law and the total cost of coverage. While acknowledging that “the generous subsidies” helped consumers receiving subsidies, the Los Angeles Times reports these subsidies coupled with the massive enrollment by individuals qualifying for subsidies raise budgetary concerns. According to the Los Angeles Times article, the reports shows the federal government is on track to spend at least $11 billion on subsidies for consumers who bought health plans on marketplaces run by the federal government, even accounting for the fact that many consumers signed up for coverage in late March and will only receive subsidies for part of the year. However, this total does not count the additional cost of providing coverage to the 1/3 of the 8 million new people who signed up for coverage who bought coverage in states that ran their own marketplaces, including California, Connecticut, Maryland and New York. While Federal officials said subsidy data for these consumers were not available, the Los Angeles Times estimated that if these state consumers received roughly comparable government assistance for their insurance premiums, the total cost of subsidies could top $16.5 billion this year, resulting in budgetary costs “far higher” than the $10 million budgetary cost that the Congressional Budget Office projected subsidies would cost U.S. taxpayers in 2014. See Obamacare subsidies push cost of health law above projections.

For Representation, Training & Other Resources

If you need assistance monitoring these and other regulatory policy, enforcement, litigation or other developments, or to review or respond to these or other workforce, benefits and compensation, performance and risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer may be able to help.

Board Certified in Labor & Employment Law, Past Chair of the ABA RPTE Employee Benefit & Other Compensation Arrangements Group, Co-Chair and Past Chair of the ABA RPTE Welfare Plan Committee, Vice Chair of the ABA TIPS Employee Benefit Plans Committee, Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 25 years’ experience advising health plan and employee benefit, insurance, financial services, employer and health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers, health plans, their business associates and other health industry clients to establish and administer medical privacy and other compliance and risk management policies, to health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. The scribe for the ABA JCEB Annual Agency Meeting with the Office of Civil Rights (OCR) for the past several years who has worked on medical and other privacy concerns throughout her career, she regularly designs and presents HIPAA and other risk management, compliance and other training for health plans, employers, health care providers, professional associations and others, defends covered entities and business associates against OCR, FTC and other privacy and data security investigations, serves as special counsel in litigation arising from these concerns and is the author of several highly regarded publications on HIPAA and other privacy and security concerns.

Ms. Stamer also regularly works with OCR, FTC, USSS, FBI and state and local law enforcement on privacy, data security, health care, benefits and insurance and other matters, publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. For instance, Ms. Stamer for the third year will serve as the appointed scribe for the ABA Joint Committee on Employee Benefits Agency meeting with OCR. Her insights on HIPAA risk management and compliance frequently appear in medical privacy related publications of a broad range of health care, health plan and other industry publications Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others. You can get more information about her HIPAA and other experience here.

You can review other recent human resources, employee benefits and internal controls publications and resources and additional information about the employment, employee benefits and other experience of the Cynthia Marcotte Stamer, PC here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile www.cynthiastamer.com or by registering to participate in the distribution of these and other updates on our HR & Employee Benefits Update distributions here including:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or updating your profile here. For important information concerning this communication click here. ©2014 Cynthia Marcotte Stamer. Limited, non-exclusive right to republished granted to Solutions Law Press, Inc. All other rights reserved.

Comments Off on HHS Claims Average $69/Month Cost for Subsidized Coverage Shows ACA Success Challenged | Employers, Health Plans, HIPAA, Human Resources, Insurance | Tagged: Breach Notification, Health Care, Health Care Provider, Health Plan, HIPAA, HITECH, Medical Privacy | Permalink
Posted by Cynthia Marcotte Stamer

HIPAA Compliance & Breach Data Shares Helpful Lessons For Health Plans, Providers and Business Associates

June 11, 2014

Health care providers, health plans and insurers, health care clearinghouses (collectively “Covered Entities”), their business associates, and others concerned about medical privacy regulations or protections should check out two new reports to Congress about breach notifications reported and other compliance data under the Health Insurance Portability & Accountability Act (HIPAA) by the U.S. Department of Health and Human Services, Office for Civil Rights (OCR). Reviewing this data can help Covered Entities and their business associates identify potential areas of exposures and enforcement that can be helpful to minimize their HIPAA liability as well as to expect OCR enforcement and audit inquiries. Smart covered entities and business associates will include review of these and other reports about compliance and enforcement by OCR and assessment of their processes against this information as a part of their HIPAA compliance and risk management practices.

Required by the Health Information Technology for Economic and Clinical Health (HITECH) Act, the two new reports discuss various details about HIPAA compliance for calendar years 2011 and 2012. They include the following:

Report to Congress on Breach Notifications, discussing the breach notification requirements and reports OCR received as a result of these breach notification requirements; and
Report to Congress on Compliance with the HIPAA Privacy and Security Rules, summarizing complaints received by OCR of alleged violations of the provisions of Subtitle D of the HITECH Act, as well as of the HIPAA Privacy and Security Rules at 45 CFR Parts 160 and 164 .
Covered entities and their business associates should review the finding reported as part of their compliance practices. Others concerned about medical or other privacy or data security regulations or events also may find the information in the reports of interest.

Under HIPAA, covered entities generally are prohibited from using, accessing or disclosing protected health information about individuals except as specifically allowed by HIPAA, In addition, HIPAA also requires Covered Entities to establish safeguards to protect protected health information against improper access, use or destruction, to afford certain rights to individuals who are the subjects of protected information, to obtain certain written assurances from service providers who are business associates before allowing those service providers to use, access or disclose protected health information when carrying out covered functions for the Covered Entity, and meet other requirements.

The HITECH Act tightened certain rules applicable to the use, access or disclosure of protected health information by covered entities and their business associates. In addition, the HITECH Act added breach notification rules, extended direct responsibility for compliance with HIPAA to business associates, increased penalties for noncompliance with HIPAA and made other refinements to HIPAA’s medical privacy rules and made certain other changes.

Enforcement of HIPAA and the resulting penalties have increased since the HITECH Act took effect.

Covered Entities generally have been required to comply with most requirements the Omnibus Final Rule’s restated regulations restating OCR’s regulations implementing the Health Insurance Portability & Accountability Act (HIPAA) Privacy, Security and Breach Notification Rules to reflect HIPAA amendments enacted by the HITECH Act since March 26, 2013 and to have updated business associate agreements in place since September 23, 2013. Although these deadlines are long past, many Covered Entities and business associates have yet to complete the policy, process and training updates required to comply with the rule changes implemented in the Omnibus Final Rule.

Even if a Covered Entity or business associate completed the updates required to comply with the Omnibus Final Rule, however, recent supplemental guidance published by OCR means that most organizations now have even more work to do on HIPAA compliance. This includes the following supplemental guidance on its interpretation and enforcement of HIPAA against Covered Entities and business associates published by OCR since January 1, 2014 alone:

HIPAA Privacy Rule and Sharing Information Related to Mental Health published on
Spanish Language Model Notices of Privacy Practices published on 2/13/14
CLIA Program and HIPAA Privacy Rule; Patients’ Access to Test Reports published on 2/3/14; and
Proposed Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and the National Instant Criminal Background Check System (NICS) published on 1/7/14.

Beyond this 2014 guidance, Covered Entities and their business associates also should look at enforcement actions and data as well as other guidance OCR issued during 2013 after publishing the Omnibus Final Rule such as:

With OCR stepping up both audits and enforcement and penalties for violations higher than ever since the HITECH Act amended HIPAA, Covered Entities and business associates should act quickly to review and update their policies, practices and training to implement any adjustments needed to maintain compliance and manage other risks under these ever-evolving HIPAA standards.

When conducting these efforts, Covered Entities and business associates not only carefully watch for and react promptly to new OCR guidance and enforcement actions, but also document their commitment and ongoing compliance and risk management activities to help support their ability to show their organization maintains the necessary “culture of compliance” commitment needed to mitigate risks in the event of a breach or other HIPAA violation and take well-documented, reasonable steps to encourage their business associates to do the same. When carrying out these activities, most covered entities and business associates also will want to take steps to monitor potential responsibilities and exposures under other federal and state laws like the privacy and data security requirements that often apply to personal financial information, trade secrets or other sensitive data under applicable federal and state laws and judicial precedent.

For Representation, Training & Other Resources

Comments Off on HIPAA Compliance & Breach Data Shares Helpful Lessons For Health Plans, Providers and Business Associates | Employers, Health Plans, HIPAA, Human Resources, Insurance | Tagged: Breach Notification, Health Care, Health Care Provider, Health Plan, HIPAA, HITECH, Medical Privacy | Permalink
Posted by Cynthia Marcotte Stamer

Medicare Secondary Payer Mandatory Reporting Threshold Clarified

March 4, 2014

The Centers for Medicare & Medicaid Services (CMS) has revised its guidance in its Non-Group Health Plan (NGHP) User Guide to clarify the reporting threshold for certain liability (including Self-Insurance) Settlements, Judgment Awards, or other Payments under the provisions of the Medicare Secondary Payer Mandatory Reporting Provisions in Section 111 of the Medicare, Medicaid, and SCHIP Extension Act of 2007, 42 U.S.C. 1395y(b)(7)&(b)(8) (the “Secondary Payer Mandatory Reporting Provisions”)

CMS announced revision to the NGHP User Guide in a February 28, 2014 CMS Alert. According to the Alert:

The current mandatory reporting threshold for liability insurance (including self-insurance) Total Payment Obligation to the Claimant (TPOC) is $2000 and over for TPOCs dated on or after October 1, 2013.
The mandatory reporting threshold for liability (including self-insurance) TPOCs dated October 1, 2014 and after is changing from $300 to $1000. If the most recent TPOC Date is on or after October 1, 2014, and the cumulative TPOC Amount is greater than $1000, the TPOC(s) must be reported no later than the end of the RRE’s submission timeframe in the quarter beginning January 1, 2015.
Error code CJ07 has not been updated to reflect this change. Further guidance will be provided at a later date about changes to this error code to coincide with the new reporting threshold of $1000.

CMS reports that these changes will also be applied to the downloadable version of the MMSEA Section 111 Coordination of Benefits Secure Website (COBSW) User Guide, available on the COBSW.

The Secondary Payer Mandatory Reporting Provisions are designed to aid CMS in enforcing rules that require that group health insurance plans and third party liability payments be treated as primary and entitle CMS to subrogate to and recover amounts paid from Medicare from these sources as well as other penalties and interest from beneficiaries, providers, plans and others. For additional information about the Secondary Payer Mandatory Reporting Provisions, see here.

For Representation, Training & Other Resources

Board Certified in Labor & Employment Law, Past Chair of the ABA RPTE Employee Benefit & Other Compensation Arrangements Group, Co-Chair and Past Chair of the ABA RPTE Welfare Plan Committee, Vice Chair of the ABA TIPS Employee Benefit Plans Committee, Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 25 years’ experience advising health plan and employee benefit, insurance, financial services, employer and health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers, health plans, their business associates and other health industry clients to establish and administer medical privacy and other compliance and risk management policies, to health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. She regularly designs and presents HIPAA and other risk management, compliance and other training for health plans, employers, health care providers, professional associations and others.

Comments Off on Medicare Secondary Payer Mandatory Reporting Threshold Clarified | Employers, Health Plans, HIPAA, Human Resources, Insurance | Tagged: ACA, Affordable Care Act, Annual Fee, Coordomation of Benefits, Health Care Provider, Health Plan, Insurer, Secondary Payer, Tax | Permalink
Posted by Cynthia Marcotte Stamer

HHS Share Model HIPAA Notices 1 Week Before Deadline For Updating Business Associate Agreements

September 16, 2013

A week before the September 23, 2013 deadline for all health care providers, health plans, health care clearinghouses (Covered Entities) and their business associates to have updated their business associate agreements to comply with the Final Omnibus HIPAA Rule, the Department of Health & Human Services Office of the National Coordinator for Health Information Technology (ONC) and the Office for Civil Rights (OCR) today (September 16, 2013) released Model Notices of Privacy Practices (Notices) for health care providers and health plans to use to communicate with their patients and plan members. With penalties and enforcement continuing to rise, Covered Entities and their business associates should take appropriate steps to review and update their privacy and breach notification policies and procedures, privacy officer appointments, notices of privacy practices, business associate agreements and other HIPAA compliance and risk management documentation, practices, procedures and coverage, breach notification and other HIPAA compliance and risk management practice.

Model HIPAA Notices

Developed collaboratively by ONC and OCR the Notices available here designed in the following three different styles are designed for users to customize to fit their specific needs and practices:

A notice in the form of a booklet;
A layered notice with a summary of the information on the first page and full content on the following pages; and
A notice with the design elements of the booklet, but that is formatted for full-page presentation.

Use of these model Notices is optional. While the agencies designed the Notices to let Covered Entities to use these models by entering some of their own information into the model, such as contact information, and then printing for distribution and posting on their websites, Covered Entities should consult with legal counsel to determine the suitability of the Notices generally for their entity’s use and any customization, if any, that may be recommended or required to a Notice if the Covered Entity decides rely upon a model Notice to prepare its Notice of Privacy Practices. To facilitate any tailoring, the agencies provided a text-only version for Covered Entities wishing only wish to use the content with or without tailoring.

September 23 Business Associate Agreement Update Deadline

September 23, 2013 also is the final deadline established in the Final Omnibus HIPAA Rule for Covered Entities and their business associations to update the business associate agreements required by HIPAA to reflect application of the breach notification, business associate, and many of HIPAA’s requirements to directly cover business associates and other aspects of the Health Information Technology for Economic and Clinical Health (HITECH) Act enacted as part of the American Recovery and Reinvestment Act of 2009. While HHS published a Sample Business Associate Agreement last June to aid Covered Entities and their business associates with understanding the business associate agreement requirements as impacted by the Omnibus Final HIPAA Rule, it also made clear that Covered Entities and their business associates should tailor their business associate agreements to fit their specific circumstances and relationships. OCR National Office and regional officials speaking about their findings about past business associate agreement compliance have indicated that their audit and enforcement activities show widespread compliance issues among Covered Entities and business associates with the original business associate agreements. OCR clearly expects Covered Entities and their business associates to address and resolve these compliance issues going forward.

Covered Entities and their business associates are increasingly at peril if caught violating HIPAA’s Privacy, Security or Breach Notification rules. With the HITECH Act Breach Notification rules now requiring Covered Entities to self-disclose breaches, OCR becomes aware of breaches much more easily. Coupled with the HITECH Act’s increase in sanctions for HIPAA violations, Covered Entities and, beginning September 23, 2013, their business associates face rising risks for violating HIPAA. See, e.g. HHS Settles with Health Plan in Photocopier Breach Case; WellPoint Settles HIPAA Security Case for $1,700,000; Shasta Regional Medical Center Settles HIPAA Security Case for $275,000; Idaho State University Settles HIPAA Security Case for $400,000; and HHS announces first HIPAA breach settlement involving less than 500 patients.

In response to the updated Final Regulations and these expanding HIPAA enforcement and exposures, all Covered Entities should review critically and carefully the adequacy of their current HIPAA Privacy and Security compliance policies, monitoring, training, breach notification and other practices taking into consideration OCR’s investigation and enforcement actions, emerging litigation and other enforcement data; their own and reports of other security and privacy breaches and near misses; and other developments to decide if additional steps are necessary or advisable. In response to these expanding exposures, all covered entities and their business associates should review critically and carefully the adequacy of their current HIPAA Privacy and Security compliance policies, monitoring, training, breach notification and other practices taking into consideration OCR’s investigation and enforcement actions, emerging litigation and other enforcement data; their own and reports of other security and privacy breaches and near misses, and other developments to decide if tightening their policies, practices, documentation or training is necessary or advisable.

For Help or More Information

If you need assistance responding to HIPAA or other health industry regulatory, enforcement or other developments, reviewing or tightening your policies and procedures, conducting training or audits, responding to or defending an investigation or other enforcement actions; with 2014 health plan decision-making, or with reviewing and updating, administering or defending your group health or other employee benefit, human resources, insurance, health care matters or related documents or practices, please contact the author of this update, Cynthia Marcotte Stamer for help.

A board certified labor and employment attorney widely known for her extensive and creative knowledge and experienced with these and other employment, employee benefit and compensation matters, Ms. Stamer is widely recognized for her extensive work, publications, and thought leadership on HIPAA and other privacy and data security issues. Scribe for the ABA JCEB annual Technical Sessions meeting with OCR for the past three years, Ms. Stamer’s experience includes extensive work advising, representing and training health plan, health insurance, health IT, health care and other clients on HIPAA and other privacy, data protection and breach and other related matters and represents and advises these and other clients in responding to OCR Privacy and Civil Rights and other HHS agencies, Labor Department, IRS regulations, investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. She also is recognized for her extensive publications and programs including numerous highly regarding publications and programs on HIPAA and other privacy and data security concerns as well as a wide range of other workshops, programs and publications.

Beyond her HIPAA involvement, Ms. Stamer also continuously advises and assists employers, employee benefit plans, their sponsoring employers, fiduciaries, insurers, administrators, service providers, insurers and others to monitor and respond to evolving legal and operational requirements and to design, administer, document and defend medical and other welfare benefit, qualified and non-qualified deferred compensation and retirement, severance and other employee benefit, compensation, and human resources, management and other programs and practices tailored to the client’s human resources, employee benefits or other management goals. A primary drafter of the Bolivian Social Security pension privatization law, Ms. Stamer also works extensively with management, service provider and other clients to monitor legislative and regulatory developments and to deal with Congressional and state legislators, regulators, and enforcement officials concerning regulatory, investigatory or enforcement concerns.

Recognized in Who’s Who In American Professionals and both an American Bar Association (ABA) and a State Bar of Texas Fellow, Ms. Stamer serves on the Editorial Advisory Board of Employee Benefits News, HR.com, Insurance Thought Leadership, Solutions Law Press, Inc. and other publications, and active in a multitude of other employee benefits, human resources and other professional and civic organizations. She also is a widely published author and highly regarded speaker on these matters. Her insights on these and other matters appear in the Bureau of National Affairs, Spencer Publications, the Wall Street Journal, the Dallas Business Journal, the Houston Business Journal, Modern and many other national and local publications. You can learn more about Ms. Stamer and her experience, review some of her other training, speaking, publications and other resources, and register to receive future updates about developments on these and other concerns from Ms. Stamer here.

Other Resources

If you found this update of interest, you also may be interested in reviewing some of the other updates and publications authored by Ms. Stamer available including:

For important information about this communication see here. THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS. ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.

Nonexclusive license to republish granted to Solutions Law Press, Inc. All other rights reserved.

[*] On January 24, 2013, the Department of Labor (the Department) issued guidance stating the Department’s conclusion that the notice requirement under FLSA section 18B will not take effect on March 1, 2013 for several reasons until further guidance setting the extended deadline was published.

Comments Off on HHS Share Model HIPAA Notices 1 Week Before Deadline For Updating Business Associate Agreements | ADA, Affordable Care Act, Claims Administration, Corporate Compliance, Data Security, Disability, EEOC, Employee Benefits, Employers, ERISA, Excise Tax, Fiduciary Responsibility, GINA, Health Care Reform, Health Plans, HIPAA, Human Resources, Insurance, MEWA, Patient Protection and Affordable Care Act, Reporting & Disclosure, Tax, Uncategorized, Wellness Programs | Tagged: 4980H, ACA, Afffordable Care Act, Breah Notification, Covered Entities, Exchange Notice, Health Care Provider, Health Care Reform, Health Plans, health reform, HIPAA, OCR, Pay or Play, SBC | Permalink
Posted by Cynthia Marcotte Stamer

IRS Publishes Final Health Reform Individual Shared Responsibility Rules

September 1, 2013

Starting in 2014, the Individual Shared Responsibility mandate of the Patient Protection & Affordable Care Act (ACA) dictates that each individual American either have minimum essential coverage for each month, qualify for an exemption, or make a payment when filing his or her federal income tax return. In anticipation of the implementation of this Individual Shared Responsibility mandate, the Department of the Treasury and the Internal Revenue Service (IRS) published final regulations implementing the Individual Shared Responsibility mandate in the Internal Revenue Code. The guidance contained in these final regulations provide each American with critical information about their families’ potential exposure to liability for the individual shared responsibility tax in 2014 as well as key insights for employers. Solutions Law Press, Inc. authors are finalizing various articles on certain key aspects of these new regulations for publication over the next few days. Stay tuned for more details!

For each month beginning after December 31, 2013, Internal Revenue Code Section 5000A’s Individual Shared Responsibility mandate requires that individual Americans either qualify as exempt, maintain minimum essential coverage for themselves and any nonexempt family members, or pay an individual shared responsibility payment when paying their Federal income tax return. A taxpayer will be obligated to pay the individual shared responsibility tax under Internal Revenue Code Section 5000A for any non-exempt individual the taxpayer claims on his or her individual tax return as a dependent who is not exempt or enrolled in minimum essential coverage.

Under § 5000A(f)(2), minimum essential coverage includes coverage under an eligible employer-sponsored plan.

The final regulations set the rules that the IRS will use to decide when an individual American will become liable for paying the tax imposed by ACA for failing to maintain the minimum required health insurance coverage mandated by ACA beginning January 1, 2013 and other related rules. While specifically addressing the obligations of individual Americans to pay the Individual Shared Responsibility payment, the final rules coupled with the availability of the new option for individual Americans to buy coverage through an ACA-qualified federal health care exchange and, depending on the adjusted household income of the individual, potentially also to receive tax credits for enrolling in coverage through an exchange is likely to impact the enrollment choices that employed individuals make about enrolling in coverage offered by their employer versus in coverage through a federally qualified health insurance exchange. Accordingly, both individual Americans and the businesses that employ them should act quickly to understand the key aspects of the final regulations and their implications.

When considering the effect of these final regulations, employers and individual Americans should keep in mind that Notice 2013-42, issued on June 26, 2013, provides limited transition relief from the Individual Shared Responsibility mandate for employees and their families who are eligible to enroll in certain employer-sponsored health plans with a plan year other than a calendar year if the plan year begins in 2013 and ends in 2014. For additional information on the Individual Shared Responsibility provision, the final regulations and Notice 2013-42, see the IRS questions and answers.

Coming slightly less than a month before the October 1, 2013 scheduled opening of the first enrollment period for individual Americans to enroll in health care coverage through a federally qualified health insurance exchange created pursuant to ACA and the deadline for employers to deliver the notice of the availability of this option dictated by Fair Labor Standards Act 18B, the final regulations and Obama Administration’s announced plans to enforce its provisions has drawn criticism from a number of groups. While the Obama Administration has indicated that it still plans to enforce the Individual Shared Responsibility mandate against individual Americans, it announced in July, 2013 that it would delay enforcement of the Employer Shared Responsibility Mandate rules of Internal Revenue Code Section 4980H until 2015. Many consumer rights groups and others are arguing that the Administration should also delay its enforcement of the Individual Shared Responsibility Mandate in light of its delay of enforcement of Internal Revenue Code Section 4980H against businesses. Pending a reversal of its position or Congressional relief, the final regulation signal to individual Americans and their employers to prepare to deal with the new Individual Shared Responsibility Mandate beginning in January, 2014.

While the delay in enforcement of the Section 4980H employer shared responsibility payment until 2015 means that employers will not incur liability for failing to provide coverage meeting the minimum essential coverage, minimum value and affordability standards of Internal Revenue Code Section 4980H, the impending implementation of the Individual Shared Responsibility mandate of Internal Revenue Code Section 5000A and the impending availability of tax credits for certain individuals with Household Adjusted Gross Incomes of less than 400 percent of the poverty level almost certainly will influence enrollment decisions that employees make concerning coverage offered by their employer, if any. Employers can expect that employee choices about enrolling in employer-sponsored group health coverage will be influenced by the impending obligation to enroll in coverage or pay the individual shared responsibility tax in 2014 governed by the final regulations. Employers can expect that employee concern about these exposures will prompt many employees to carefully scrutinize and in some cases question the information and implications of information provided by the employer or its plan such as the Section 18B notice that employers must provide by October 1, 2013, the summary of benefits and coverage (SBC) that the Affordable Care Act obligations the employer or plan to provide as the employees work to sort out their choices. As these and other plan communications are likely to face significant scrutiny, employers and their employee benefit plan fiduciaries and administrators should use extra care to ensure that these and other plan documents and communications are carefully and precisely tailored to accurately convey all material plan terms.

For Help or More Information

If you need help understanding or dealing with these impending notification requirements, with other 2014 health plan decision-making or preparation, or with reviewing and updating, administering or defending your group health or other employee benefit, human resources, insurance, health care matters or related documents or practices, please contact the author of this update, Cynthia Marcotte Stamer.

A board certified labor and employment attorney widely known for her extensive and creative knowledge and experienced with these and other employment, employee benefit and compensation matters, Ms. Stamer continuously advises and assists employers, employee benefit plans, their sponsoring employers, fiduciaries, insurers, administrators, service providers, insurers and others to monitor and respond to evolving legal and operational requirements and to design, administer, document and defend medical and other welfare benefit, qualified and non-qualified deferred compensation and retirement, severance and other employee benefit, compensation, and human resources, management and other programs and practices tailored to the client’s human resources, employee benefits or other management goals. A primary drafter of the Bolivian Social Security pension privatization law, Ms. Stamer also works extensively with management, service provider and other clients to monitor legislative and regulatory developments and to deal with Congressional and state legislators, regulators, and enforcement officials concerning regulatory, investigatory or enforcement concerns.

Other Resources

If you found this update of interest, you also may be interested in reviewing some of the other updates and publications authored by Ms. Stamer available including:

Nonexclusive license to republish granted to Solutions Law Press, Inc. All other rights reserved.

Comments Off on IRS Publishes Final Health Reform Individual Shared Responsibility Rules | ADA, Affordable Care Act, Claims Administration, Corporate Compliance, Data Security, Disability, EEOC, Employee Benefits, Employers, ERISA, Excise Tax, Fiduciary Responsibility, GINA, Health Care Reform, Health Plans, HIPAA, Human Resources, Insurance, MEWA, Patient Protection and Affordable Care Act, Reporting & Disclosure, Tax, Uncategorized, Wellness Programs | Tagged: 4980H, ACA, Afffordable Care Act, Breah Notification, Covered Entities, Exchange Notice, Health Care Provider, Health Care Reform, Health Plans, health reform, HIPAA, OCR, Pay or Play, SBC | Permalink
Posted by Cynthia Marcotte Stamer

Impending 10/1 Exchange Notice & Other New Notice Deadlines Cut Time Short For Employers To Finalize 2014 Health Plan Terms & Contracts

August 21, 2013

Employer and union group health plan sponsors and insurers of group and individual health plans (Health Plans) agonizing over 2014 plan design decisions are running out of time. Impending deadlines to update and deliver the initial Exchange Notice by October 1, 2013, the Summary of Benefits and Communications (SBC) disclosure before their next enrollment period begins, and 60-day prior notice of material reductions in benefits or services under the plan mandated by the Patient Protection and Affordable Care Act (ACA) require employers or other sponsors to finalize design decisions and amendments well in advance of January 1, 2014. These new notification obligations create added urgency and pressure for Health Plans and their employer and other sponsors to finalize and implement their decisions on their Health Plans 2014 plan designs and coverages and make the necessary determinations to prepare and timely deliver the required notifications in accordance with these new notification mandates well before the start of the 2014 plan year or its enrollment period. Employers who in the past have put off these decisions until the last month of the plan year no longer can legally do so.

ACA Exchange Notices Due By October 1

One of the biggest time constraints for finalizing 2014 plan designs, contracts and terms is the impending October 1, 2014 deadline for employers to provide the notice required by Fair Labor Standards Act Section 18B.

Regardless of if the employer sponsors a health plan or when the next plan enrollment period begins, all employers covered by the FLSA generally are required deliver a notice to employees about the new option beginning January 1, 2014 to get health care coverage through a health care exchange (now rebranded by the Obama Administration as a “Marketplace”)(Marketplace) created by ACA that meets the requirements of new FLSA Section 18B enacted Section 1512 of ACA.

Absent a delay or other reprieve from the Obama Administration or Congress, Open enrollment for health insurance coverage through the Marketplace begins October 1, 2013. Individuals and employees of small businesses beginning October 1, 2013 can apply for and, beginning January 1, 2014 to buy health care coverage offered through the Marketplace established under ACA for their state (including the Federal Marketplace for states that did not elect to establish their own Marketplace). Some individuals who earn less than 400% of the federal poverty level and meet certain other conditions also are slated to qualify to receive federal subsidies that will pay all or part of the cost of buying coverage through a Marketplace.

To promote awareness among employees of the Marketplace as an option for getting health coverage, creates a new FLSA Section 18B requiring a notice (Exchange Notice) to employees of coverage options available through the Marketplace. Originally required by March 1, 2013,[*] the Department of Labor (DOL) extended the deadline for providing the Exchange Notice to October 1, 2013. Employers must provide a notice of coverage options to each employee, regardless of plan enrollment status (if applicable) or of part-time or full-time status. Employers are not required to provide a separate notice to dependents or other individuals who are or may become eligible for coverage under the plan but who are not employees.

All FLSA-Covered Employers Must Provide Exchange Notices Beginning October 1, 2013

Under FLSA Section 18B of the FLSA, each applicable employer must provide each employee at the time of hiring (or with respect to current employees, by October 1, 2013), a written notice that fulfills the applicable Exchange Notice requirements as set forth in the DOL Regulations.

The FLSA section 18B requirement to provide a notice to employees of coverage options applies to all employers subject to the FLSA. In general, the FLSA applies to employers that employ one or more employees who are engaged in, or produce goods for, interstate commerce. For most firms, a test of not less than $500,000 in annual dollar volume of business applies. The FLSA also specifically covers the following entities: hospitals; institutions primarily engaged in the care of the sick, the aged, mentally ill, or disabled who reside on the premises; schools for children who are mentally or physically disabled or gifted; preschools, elementary and secondary schools, and institutions of higher education; and federal, state and local government agencies. Employers questioning whether their business is subject to the FLSA should seek the assistance of legal counsel experienced with the FLSA.

Timing and Delivery of Notice

Employers are required to provide the Exchange Notice to each new employee at the time of hiring beginning October 1, 2013. For 2014, the Department will consider a notice to be provided at the time of hiring if the notice is provided within 14 days of an employee’s start date.

For employees who are current employees before October 1, 2013, employers must provide the Exchange Notice no later than October 1, 2013.

The Exchange Notice must be provided in writing in a manner calculated to be understood by the average employee. Employers may deliver the Exchange Notice by first-class mail or, if the electronic notification requirements of the Department of Labor’s electronic disclosure safe harbor at 29 CFR 2520.104b-1(c) are met, electronically.

Required Content of Exchange Notice

The Exchange Notice content mandated by FLSA Section 18B is fairly limited. Section 18B requires that the Exchange Notice only dictates three required elements:

Inform employees of coverage options, including information about the existence of the new Marketplace as well as contact information and description of the services provided by a Marketplace;
Inform the employee that the employee may be eligible for a premium tax credit under Section 36B of the Code if the employee purchases a qualified health plan through the Marketplace; and
Include a statement informing the employee that if the employee purchases a qualified health plan through the Marketplace, the employee may lose the employer contribution (if any) to any health benefits plan offered by the employer and that all or a portion of such contribution may be excludable from income for Federal income tax purposes. At minimum, this generally requires that the Exchange Notice distributed by an employer must inform the employee.

Interim DOL guidance implementing these requirements construes the content requirements as requiring that the Exchange Notice tell the employee:

Of the existence of the Marketplace (referred to in the statute as the Exchange) including a description of the services provided by the Marketplace, and the way the employee may contact the Marketplace to request assistance;
That the employee may be eligible for a premium tax credit or subsidy under Section 36B of the Internal Revenue Code (the Code) if the employee purchases a qualified health plan through the Marketplace and the employer does not offer coverage to the employee under a group health plan that is considered to provide “Minimum Value” for purposes of ACA; and
That if the employee purchases a qualified health plan through the Marketplace, the employee may lose the employer contribution (if any) to any health benefits plan offered by the employer and that all or a portion of such contribution may be excludable from income for Federal income tax purposes.

Allow Adequate Time To Do Analysis, Complete Other Steps To Prepare Exchange Notices

Employers should resist the urge to allow the shortness of the list of information required that FLSA Section 18B requires in the Exchange Notice lure them into underestimating the time and effort required to prepare the Exchange Notification. For many employers, determining if the Health Plan provides Minimum Value can be time-consuming and complex.

For this, the SBC notice discussed later in this update and other purposes, Code Section 36B(c)(2)(C)(ii) provides that an employer-sponsored Health Plan provides Minimum Value if the ratio of the share of total costs paid by the Health Plan relative to the total costs of covered services is no less than 60% of the anticipated covered medical spending for covered benefits paid by a group health plan for a standard population, computed in accordance with the plan’s cost-sharing, and divided by the total anticipated allowed charges for covered benefits provided to a standard population is no less than 60%. See Patient Protection and ACA: Standards Related to Essential Health Benefits, Actuarial Value, and Accreditation Regulation.

Existing regulations require the employers to get an actuarial certification to determine if its Health Plan provides Minimum Value unless the employer can show that the Health Plan fits the criteria to use and satisfies this test using either the Minimum Value Calculator or an applicable safe harbor design approved by HHS, Treasury and DOL. These determinations often are time consuming and complex requiring careful review and analysis of the group health plan coverage and benefits. Many self-insured or other group health plans have plan designs that prevent the employer from relying on the Minimum Value Calculator or design safe harbors. If the employer cannot rely upon the Minimum Value Calculator or one of the design safe harbors, an actuarial certification will be needed. Employers need to allow sufficient time to make these determinations in time to complete and deliver the Exchange Notices.

Employers should particularly expect to need to obtain an actuarial certification to determine if the Health Plan provides Minimum Value determination if the Health Plan is taking advantage of temporary relief from the cost sharing limitations of ACA for 2014 announced by the Obama Administration in February and reconfirmed in July, that for 2014 allows Health Plans to apply a separate ACA-compliant out-of-pocket maximum to prescription drug benefits from the ACA-compliant out-of-pocket maximum applied to all other benefits subject to ACA’s cost sharing restrictions. Since the Minimum Value Calculator cannot take into account this option, however, employers planning to apply a separate out-of-pocket maximum for prescription drug coverage versus other plan benefits should be prepared to get an actuarial certification of whether the plan provides Minimum Value.

DOL Model Exchange Notices Not Panacea

Employers may want to use some or all of the language that the DOL included in Model Notices that DOL published in conjunction with its publication of interim guidance on FLSA Section 18B in Technical Release No. 2013-02 on May 8, 2013 here. Because employers must tailor the content of the Exchange Notice for their group health plan based on specific information about their group health plan, employers are cautioned not to underestimate the time or effort that will be required to properly prepare the Exchange Notice for their group health plan, whether or not the employer makes use of the Model Notices in whole or part.

DOL published three model exchange notices (Model Notices) to assist employers in preparing the Exchange Notice for their Health Plan for 2014. One Model Notice is intended for employers who do not offer a Health Plan. The second Model Notice is designed for employers who offer a health plan to some or all employees. The third Model Notice is designed for employers to use to notify individuals who are enrolled or eligible to enroll in continuation coverage under the Health Plan under the Consolidated Omnibus Budget Reconciliation Act of 1985 (COBRA). Technical Release No. 2013-02 says employers may use the applicable of these models or a modified version, provided the Exchange Notice meets the content requirements described above.

Despite the availability of these Model Notices, preparing and providing the required Exchange Notices required by Section 18B typically requires significant evaluation and presents a variety of challenges for most employers. While intended to facilitate the ability of employers to prepare and provide the required Exchange Notices, preparing the Model Notices generally is challenging for many employers.

First, even using the Model Notices, the employer must decide if the Health Plan provides Minimum Value.

Another challenge with wholesale use of the Model Notices involves deciding how much of the optional language contained in the Model Notices to include in the Exchange Notice and what optional information, if any, to provide as part of that Notice.

For one thing, the Model Notices propose that the Exchange Notice include statements that many critics view as inappropriately promoting enrollment in coverage through the Marketplace rather than employer sponsored group health plans. Critics complain, for instance that the Model Notice’s statement that the Marketplaces offer “one-stop shopping” that allows the employee to get coverage that the Model Notice states is more “affordable” are inaccurate or misleading. Many critics view the assertion that coverage obtained through the exchange is more “affordable” to be inaccurate as it does not take into account a comparison of the actual benefits and costs of the respective plan options and whether the employee can afford the typically richer (and therefore often more expensive) benefit packages ACA’s essential health benefits mandates require be included in coverage offered for sale through the Marketplaces and presumes that these higher costs will be defrayed by tax credits or subsidies that are only available if the employee earns less than 400% of the federal poverty level and is not offered the option to enroll in an employer sponsored group health plan coverage that provides “minimum essential coverage” (MEC) and Minimum Value and is “affordable” within the meaning of ACA.

Employers considering using the Model Notices also need to decide if their Exchange Notices will include the optional factual disclosures about their group health plan suggested in the Model Notices, but not required to fulfill the requirements of FLSA Section 18B.

The Model Notices propose that an employer also voluntarily provide a significant amount of other information about its group health plan that FLSA Section permits, but does not require that the Exchange Notice include. The DOL says it designed the Model Notices to help employers to identify and disclose information that the DOL expects employees interested in the tax credit to subsidize the employee’s cost of enrolling in coverage through the Marketplace will need to get from employers to show eligibility. DOL assumes that many employers might want to voluntarily provide this information in the Exchange Notice to avoid receiving a multitude of anticipated inquiries from employees interested seeking tax credits to subsidize their enrollment in coverage through the Marketplace. Since collection the data necessary to make these optional disclosures can add significant complexity and time to the preparation of the Exchange Notice, employers should carefully weigh the pros and cons of making the optional disclosures. The anticipated demand for this information has declined since the Obama Administration announced it plans to use an “honor system” approach to determine if individuals can claim eligibility for tax credit subsidies for buying coverage through the Marketplaces in 2014. Meanwhile, the interim nature of the existing guidance on the Exchange Notice and other key aspects of ACA make it reasonable to expect further changes in the expected content of the Exchange Notice, ACA requirements that it is intended to communicate or both which could impact the need for or accuracy of these disclosures. For this reason, employers should carefully consider whether and what optional disclosures to include in their Exchange Notices.

Don’t Forget To Notify COBRA Qualified Beneficiaries

Technical Release No. 2013-02 indicates that in addition to sending an Exchange Notice to employees, employers or their group health plan administrators also must notify COBRA eligible or enrolled individuals.

In general, under COBRA, an individual who was covered by a group health plan on the day before a qualifying event occurred may be able to elect COBRA continuation coverage upon a qualifying event (such as termination of employment or reduction in hours that causes loss of coverage under the plan). Individuals with such a right are called qualified beneficiaries. A group health plan must provide qualified beneficiaries with an election notice, which describes their rights to continuation coverage and how to make an election. The election notice must be provided to the qualified beneficiaries within 14 days after the plan administrator receives the notice of a qualifying event.

Technical Release No. 2013-02 says that the DOL considers the required disclosures for the Exchange Notice information to be disclosed to qualified beneficiaries and that the DOL is revising previously published model COBRA notices to incorporate this information.

DOL says in Technical Release No. 2013-02 that the group health plans can use the revised model COBRA election notice to satisfy the requirement to provide the election notice under COBRA including the disclosure of information required by FLSA Section 18B. The DOL cautions that as with the earlier model COBRA notices, in order to use this model election notice properly, the plan administrator must complete it by filling in the blanks with the appropriate plan information. Technical Release 2013-02 states that use of the model election notice, appropriately completed, will be considered by the Department of Labor to be good faith compliance with the election notice content requirements of COBRA.

ACA SBC Mandate Overview

In addition to the Exchange Notice requirement, the need to prepare and timely delivery the “Summary of Benefits and Coverage or “SBC”) required by ACA also pressures employers to finalize their health plan terms and contracts for 2014 as soon as possible.

ACA amended the Public Health Services Act (PHS) Section 2715, Employee Retirement Income Security Act (ERISA) Section 715 and the Internal Revenue Code (Code) Section 9815 to require that Health Plans and health insurance issuers provide a SBC and a “Uniform Glossary” that “accurately describes the benefits and coverage under the applicable plan or coverage” in a way that meets the format, content and other detailed SBC standards set for ACA as implemented by the Departments regulatory guidance. Like the Exchange Notice, proper preparation of the SBC requires determination of whether the Health Plan provides Minimum Value, as well as other detailed analysis of the plan terms and coverages to complete the other disclosures required in the SBC.

The Summary of Benefits and Coverage and Uniform Glossary Final Regulation (Final Regulation) implementing this requirement published February 14, 2012 generally requires Health Plans at specified times including before the first offer of coverage under the Plan as well as following certain material changes to the Plan. For Health Plans providing group health plan coverage, FAQs About ACA Implementation (Part VII)[*] set the deadline for Health Plan to deliver a SBC as follows, while at the same time indicating that the Departments would not impose penalties on plans and issuers “working diligently and in good faith” to provide the required SBC content in an appearance consistent with the Final Regulations:

To covered persons enrolling or re-enrolling in an open enrollment period (including late enrollees and re-enrollees) as the first day of the first open enrollment period that begins on or after September 23, 2012; and
For individuals enrolling in coverage other than through an open enrollment period (including individuals who are newly eligible for coverage and special enrollees) as the first day of the first plan year that begins on or after September 23, 2012. See FAQs About ACA Implementation (Part VIII).

While the SBC doesn’t prohibit an employer from amending its Health Plan terms after the enrollment period begins, employers that change Health Plan terms or designs after distributing a SBC must incur the expense and effort to prepare and redistribute an updated SBC. Accordingly, most Health Plans and their sponsors or insurers will want to finalize Health Plan terms before the enrollment period begins to avoid the need to and expense of sending updated SBCs as a result of a later change in Health Plan terms.

The Final Regulation and other existing guidance generally dictates that Health Plans follow a required template for providing the SBC and accompanying glossary. When publishing the Final Regulation, the Departments also published the required SBC template form (2013 SBC Template) and instructions for Health Plans to use to prepare and provide the required SBC for coverage beginning before January 1, 2014 and promised updated guidance and templates for use in providing SBCs for post-2013 coverage. While the Agencies clarified certain other details about the SBC rules, they did not materially change the required content or form of the 2013 SBC Template until their April 23, 2013 release of FAQs About ACA Implementation (Part XIV). See e.g. FAQs About ACA Implementation Part IX and Part X.

FAQ Part XIV Requires MEC and Minimum Value Disclosures In SBC

FAQs About ACA Implementation (Part XIV) published April 23, 2013 announces the updated required 2014 SBC Template that the Agencies are requiring to SBCs for periods of health coverage from January 1, 2014 to December 31, 2014. Along with the 2014 SBC Template, the Agencies also published 2014 Sample Completed SBC, which provides an example of a SBC completed for a hypothetical health plan prepared by the Agencies.

The 2014 SBC Template updates the 2013 SBC Template and Sample Completed Template to add information the Agencies believe individuals eligible for Health Plan coverage should know in light of the impending implementation of the individual shared responsibility requirements of Internal Revenue Code (Code) Section 5000A and the employer shared responsibility rules of Code Section 4980H commonly called ACA’s “pay-or-play” rules. These were the “penalty” provisions that the Supreme Court ruled are taxes in 2013.

The April 23, 2013 FAQ expressly requires that SBCs for periods of coverage after December 31, 2013 disclose if the Health Plans provide MEC and Minimum Value to enable participants and beneficiaries to understand if enrollment in the Health Plan will suffice to allow the employee to avoid paying the individual penalty under Code Section 5000(a)’s individual “shared responsibility” rules, to compare the coverage and costs to enroll in the employer’s Health Plan versus to enroll in health care coverage through a Marketplace and to predict how their eligibility for enrollment in the employer’s Health Plan will impact their eligibility to qualify to claim tax credits under Code Section 32G to help subsidize the cost to purchase coverage through a Marketplace.

Code Section 5000A generally imposes a penalty tax on individuals that fail to maintain enrollment in MEC within the meaning of Code Section 5000A(f) and not otherwise exempt under Code Section 5000A(d). As of the publication of this update, the Obama Administration has not announced any delay in the enforcement of this penalty against individuals, but legislation is pending in Congress that would delay its applicability, along with approving the delay of enforcement of the Code Section 4980H penalties previously announced by the Obama Administration.

Although the Obama Administration announced in early July, 2013 that it will not enforce collection of the Code Section 4980H provisions against employers until 2015, Code Section 4980H generally requires employers of 50 or more full-time employees to pay a penalty if the employer fails to offer a group health plan providing MEC and Minimum Value Minimum Value is determined for this purpose in the same manner that it is determined for purposes of making the required disclosure in the Exchange Notice.

60-Day Advance Notice of Material Changes Requirement

In addition to providing the required Exchange Notice and SBCs, employers, group health plans and their plan administrators also must ensure that participants and beneficiaries are given at least 60 days prior notice before the effective date of any “material reduction in covered services or benefits.” See 29

CFR Section 2520.104b-3(d)(3); also see 29 CFR Section 2520.104b-3(d)(2) regarding a 90-day alternative rule.

Section 102 of ERISA has been amended to require 60-day advance notice of material plan changes for plan years beginning on or after September 23, 2012 before the change can be effective. The 60-day advance notification requirement is a modification to the summary plan description/summary of material modification requirements generally applicable to employee benefit plans under ERISA.

The rule’s definition of “material modification” is the same as the definition in the summary of material modifications rule generally applicable to employee benefit plans under ERISA Section 102.

DOL guidance indicates that group health plans can meet the 60-day advance notice requirement by providing an updated Summary of Benefits and Coverage if the change is reflected on the summary or by sending a separate written notice describing the material modification.

Group health plan issuers or sponsors that willfully (intentionally) fail to provide the notice of material modification can face a fine of up to $1,000 for each failure. Each covered individual equates to a separate offense for purposes of these penalties.

Employer and other group health sponsors, issuers, fiduciaries and administrators also should keep in mind that courts historically refuse to enforce reductions in benefits or services provided under the plan until participants and beneficiaries are notified of the change. For purposes of the ERISA notification rules, group health plans, their sponsors, insurers, administrators and fiduciaries are cautioned to take into account whether health care providers or other parties who have assignments of benefits should be provided with notification under these or other ERISA rules in addition to the employees and dependents who are enrolled in coverage under the group health plan.

Notice Deadlines Mean Time Short To Adopt & Communicate 2014 Plan Terms

Employer and other health plan sponsors, insurers, administrators and others involved in 2014 group health plan decisions and preparations must take into account these notification deadlines and allow adequate lead time to properly finalize, adopt and communicate their 2014 health plan terms.

Since group health plan design decisions must be finalized to properly prepare the Minimum Value disclosures required in the Exchange Notice and the SBC and any material reductions required by the 60-day advance notice requirement, time running short to finalize 2014 plan designs.

Employer and other plan sponsors, fiduciaries, administrators, and insurers are cautioned that their preparations should ensure both the necessary disclosures are made and that all disclosures are carefully prepared so that the notifications and the plan terms are consistent.

These preparations should include the critical review and coordination of the language of health plan documents and summary plan descriptions in light of these other notifications to identify and address potential differences between the government-mandated terms and language in the Glossary and SBC, the Exchange Notice and 60-day notice and the plan terms and summary plan description.

Arrangements also must include proper structuring and formatting of all of these documents and timely distribution in accordance with applicable regulations to participants and beneficiaries entitled to receive these documents in a manner that positions the employer, the group health plan and its fiduciaries and insurers to show compliance. In regard to distributions, parties planning to distribute notifications electronically need to ensure that any electronic or other methods of distribution meet applicable requirements and that the Health Plans timely send copies to all entitled parties – employees and dependents – in accordance with the applicable rules.

When planning these activities, group health plans, their sponsors, insurers and administrators also generally will want to minimize distribution costs by coordinating distribution of these ACA mandated notices with other notifications required for group health plans about privacy, coverage for newborns and mothers, mental health coverage, post-mastectomy reconstructive surgery and the like.

For Help or More Information

A board certified labor and employment attorney widely known for her extensive and creative knowledge and experienced with these and other employment, employee benefit and compensation matters, Ms. Stamer continuously advises and assists employers, employee benefit plans, their sponsoring employers, fiduciaries, insurers, administrators, service providers, insurers and others to monitor and respond to evolving legal and operational requirements and to design, administer, document and defend medical and other welfare benefit, qualified and non-qualified deferred compensation and retirement, severance and other employee benefit, compensation, and human resources, management and other programs and practices tailored to the client’s human resources, employee benefits or other management goals. A primary drafter of the Bolivian Social Security pension privatization law, Ms. Stamer also works extensively with management, service provider and other clients to monitor legislative and regulatory developments and to deal with Congressional and state legislators, regulators, and enforcement officials concerning regulatory, investigatory or enforcement concerns.

Other Resources

If you found this update of interest, you also may be interested in reviewing some of the other updates and publications authored by Ms. Stamer available including:

Nonexclusive license to republish granted to Solutions Law Press, Inc. All other rights reserved.

Comments Off on Impending 10/1 Exchange Notice & Other New Notice Deadlines Cut Time Short For Employers To Finalize 2014 Health Plan Terms & Contracts | ADA, Affordable Care Act, Claims Administration, Corporate Compliance, Data Security, Disability, EEOC, Employee Benefits, Employers, ERISA, Excise Tax, Fiduciary Responsibility, GINA, Health Care Reform, Health Plans, HIPAA, Human Resources, Insurance, MEWA, Patient Protection and Affordable Care Act, Reporting & Disclosure, Tax, Uncategorized, Wellness Programs | Tagged: 4980H, ACA, Afffordable Care Act, Breah Notification, Covered Entities, Exchange Notice, Health Care Provider, Health Care Reform, Health Plans, health reform, HIPAA, OCR, Pay or Play, SBC | Permalink
Posted by Cynthia Marcotte Stamer

Health Plan Pays $1.2M+ HIPAA Settlement For Not Protecting PHI On Copiers

August 15, 2013

Affinity Health Plan, Inc. (Affinity) will pay $1,215,780 and take other corrective actions to settle alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules under the Affinity Resolution Agreement and CAP (Affinity Settlement) with the U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR). The settlement comes as the September 24, 2013 deadline for health plans, health care providers, health care clearinghouses (Covered Entities) and their business associates to update the written business associate agreements that HIPAA requires exist before business associates can be allowed to create, use, access or disclose personally identifiable health care information protected by HIPAA (PHI) to carry out HIPAA-covered functions on behalf of a Covered Entity to comply with changes to HIPAA’s implementing regulations adopted by OCR earlier this year. Health plans and other Covered Entities should take timely action to confirm that their existing procedures appropriate safeguards to protect PHI when using or disposing of copiers or other equipment or media as well as to implement business associate or other policy, procedures or training updates required to comply with the updated HIPAA rules.

HIPAA Updates Require Breach Notification, Tightened Other HIPAA Requirements

HIPAA generally requires that Covered Entities (and after September 24, 2013, their business associates) safeguard and restrict the use, access or disclosure of PHI as required by HIPAA. The HITECH Act amended these requirements to tighten certain of these requirements and restrictions, to expand the sanctions for violation of these requirements, to require Covered Entities and their business associates to provide notification of breaches of unsecured PHI to individuals whose information was breached, OCR and in some cases, the media, and made certain other changes to the original requirements of HIPAA. Earlier this year, OCR amended and restated its original Privacy and Security Rules here (2013 Final Rule) to comply with changes in the regulations resulting from these HITECH Act amendments beginning last March, but set the deadline for updating business associate agreements to meet these updated requirements at September 23, 2013.

The 2013 Final Rule and other OCR guidance makes clear that OCR expects Covered Entities and their business associates appropriately to safeguard PHI stored in computers, hard drives, and other digital media until it is properly disposed in accordance with the updated standards required by HIPAA as implemented under the 2013 Final Rule. HITECH Breach Notification Rule requires HIPAA-covered entities to tell HHS of a breach of unsecured protected health information, including breaches resulting from failure to properly secure PHI stored in digital format until it has been destroyed in accordance with the standards established by the 2013 Final Rule. OCR previously has sanctioned other Covered Entities for failed to properly destroy or safeguard PHI stored in digital format on computer or other equipment before abandoning or disposing of that equipment. The Affinity Settlement reaffirms OCR’s concern that Covered Entities meet these disposal requirements when replacing or abandoning equipment containing electronic PHI.

Affinity Settlement Highlights

According to the August 14, 2013 OCR announcement of the settlement, the settlement resulted from an investigation initiated after Affinity filed a breach report with OCR on April 15, 2010, as required by the Health Information Technology for Economic and Clinical Health Act (HITECH Act.)

In its breach report, Affinity indicated that a representative of CBS Evening News told Affinity that, as part of an investigatory report, CBS had purchased a photocopier previously leased by Affinity. CBS informed Affinity that the copier that Affinity had used contained confidential medical information on the hard drive.

Affinity estimated in its breach report that up to 344,579 individuals may have been affected by this breach. OCR’s investigation indicated that Affinity impermissibly disclosed the protected health information of these affected individuals when it returned multiple photocopiers to leasing agents without erasing the data contained on the copier hard drives. In addition, OCR reports its investigation revealed that Affinity failed to incorporate the electronic protected health information (ePHI) stored on photocopier hard drives in its analysis of risks and vulnerabilities as required by the Security Rule, and failed to implement policies and procedures when returning the photocopiers to its leasing agents.

In addition to the $1,215,780 payment, the Affinity Settlement includes a corrective action plan requiring Affinity to use its best efforts to retrieve all hard drives that were contained on photocopiers previously leased by the plan that remain in the possession of the leasing agent, and to take certain measures to safeguard all ePHI.

Learn From Affinity Lesson On Proper Disposal Procedures

Like prior OCR settlements stemming from inadequate security for PHI when transitioning equipment, media or facilities, the Affinity Settlement sends another reminder to Covered Entities and their business associates again of the importance of using appropriate procedures to protect or dispose of PHI when replacing or redeploying equipment or media that may contain PHI.

“This settlement illustrates an important reminder about equipment designed to retain electronic information: Make sure that all personal information is wiped from hardware before it’s recycled, thrown away or sent back to a leasing agent,” said OCR Director Leon Rodriguez. “HIPAA covered entities are required to undertake a careful risk analysis to understand the threats and vulnerabilities to individuals’ data, and have appropriate safeguards in place to protect this information.”

OCR has published guidance concerning HIPAA’s requirements for the proper safeguarding and disposal of media and equipment in the 2013 Final Rule and other guidance. Concerning the proper disposition of copiers that may have PHI stored on their hard drives or in other digital formal, OCR in the Affinity Settlement recommended that Covered Entities and their associates also review the Federal Trade Commission’s Guidance On Safeguarding Sensitive Data Stored In The Hard Drives Of Digital Copiers and the National Institute of Standards and Technology has issued Guidance On Assessing The Security Of Multipurpose Office Machines. Covered Entities and their business associates should use this and other guidance to ensure that they can demonstrate that appropriate practices and procedures have been used to when disposing of or repurposing copies or other equipment that may contain electronic PHI.

HIPAA Regulation Updates Require Other Updates Beyond Disposal Procedures

In addition to addressing the concerns that lead to the Affinity Settlement, Covered Entities and their business associates also should verify that their practices, policies, privacy notices, business associate agreements, and training also are updated to comply with updates to the updated 2013 Final Rule adopted by OCR earlier this year here.

Since passage of the HITECH Act, OCR officials have warned Covered Entities to expect an omnibus restatement of its original regulations. While OCR had issued certain regulations implementing some of the HITECH Act changes, it waited to publish certain regulations necessary to implement other HITECH Act changes until it could complete a more comprehensive restatement of its previously published HIPAA regulations to reflect both the HITECH Act amendments and other refinements to its HIPAA Rules. The 2013 Regulations published today fulfill that promise by restating OCR’s HIPAA Regulations to reflect the HITECH Act Amendments and other changes and clarifications to OCR’s interpretation and enforcement of HIPAA.

For Help or More Information

If you need help monitoring or providing input on this legislation or to understand and respond to these or other legislation, laws and regulations, or with reviewing and updating, administering or defending your group health or other employee benefit, human resources, insurance, health care matters or related documents or practices, please contact the author of this update, Cynthia Marcotte Stamer.

A Fellow in the American College of Employee Benefit Council, immediate past Chair of the American Bar Association (ABA) RPTE Employee Benefits & Other Compensation Group and current Co-Chair of its Welfare Benefit Committee, Vice-Chair of the ABA TIPS Employee Benefits Committee, a council member of the ABA Joint Committee on Employee Benefits, and past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, Ms. Stamer is recognized, internationally, nationally and locally for her more than 25 years of work, advocacy, education and publications on cutting edge health and managed care, employee benefit, human resources and related workforce, insurance and financial services, and health care matters including extensive experience on HIPAA and other privacy and data security issues. Author of numerous prominent publications on HIPAA and other data security and privacy concerns impacting health plans, health care providers, employers, financial services providers and others, Ms. Stamer also serves as the scribe for the ABA JCEB annual Technical Sessions meeting with OCR and has represented numerous health plans, employers, health care providers and others in investigating, redressing, reporting data breach, identity theft and other compliance concerns.

She advises clients on, publishes, and speaks on HIPAA and other health plan, qualified and non-qualified deferred compensation and retirement, severance and other employee benefit, compensation, and human resources, management and other programs and practices tailored to the client’s human resources, employee benefits or other management goals. A primary drafter of the Bolivian Social Security pension privatization law, Ms. Stamer also works extensively with management, service provider and other clients to monitor legislative and regulatory developments and to deal with Congressional and state legislators, regulators, and enforcement officials about regulatory, investigatory or enforcement concerns.

Recognized in Who’s Who In American Professionals and both an American Bar Association (ABA) and a State Bar of Texas Fellow, Ms. Stamer serves on the Editorial Advisory Board of Employee Benefits News, the editor and publisher of Solutions Law Press HR & Benefits Update and other Solutions Law Press Publications, and active in a multitude of other employee benefits, human resources and other professional and civic organizations. She also is a widely published author and highly regarded speaker on these matters. Her insights on these and other matters appear in the Bureau of National Affairs, Spencer Publications, the Wall Street Journal, the Dallas Business Journal, the Houston Business Journal, Modern and many other national and local publications. You can learn more about Ms. Stamer and her experience, review some of her other training, speaking, publications and other resources, and register to receive future updates about developments on these and other concerns from Ms. Stamer here.

Other Resources

If you found this update of interest, you also may be interested in reviewing some of the other updates and publications authored by Ms. Stamer available including:

For important information about this communication click here. THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS. ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.

Comments Off on Health Plan Pays $1.2M+ HIPAA Settlement For Not Protecting PHI On Copiers | ADA, Affordable Care Act, Claims Administration, Corporate Compliance, Data Security, Disability, EEOC, Employee Benefits, Employers, ERISA, Excise Tax, Fiduciary Responsibility, GINA, Health Care Reform, Health Plans, HIPAA, Human Resources, Insurance, MEWA, Patient Protection and Affordable Care Act, Reporting & Disclosure, Tax, Uncategorized, Wellness Programs | Tagged: 4980H, ACA, Afffordable Care Act, Breah Notification, Covered Entities, Health Care Provider, Health Care Reform, Health Plans, health reform, HIPAA, OCR, Pay or Play, Privacy | Permalink
Posted by Cynthia Marcotte Stamer

OCR 1st HIPAA Privacy, Security & Breach Notification Compliance Audits Begin

November 9, 2011

The kickoff of a new compliance audit pilot program provides another reason for health care providers, health plans, healthcare clearinghouses and their business associates to get serious about compliance with the privacy, security and data breach requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

OCR Pilot Audit Program Begins

On November 8, 2011, the Office of Civil Rights (OCR) of the Department of Health & Human Services (HHS) announced that it will begin auditing HIPAA compliance this month under a new pilot program.

As amended by the American Recovery and Reinvestment Act of 2009 in Section 13411 of the HITECH Act, requires HHS to provide for periodic audits to make sure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification standards. To carry out this mandate, OCR is piloting a program to perform up to 150 audits of covered entities to assess privacy and security compliance between November 2011 and December 2012.

The commencement of OCR HIPAA compliance audits is yet another sign that covered entities and their business associates should get serious about HIPAA compliance. The audit program serves as a new part of OCR’s health information privacy and security compliance program. While OCR says that it presently views the pilot audits as primarily a compliance improvement tool, this does not mean violators should expect a free walk.

Even before the impending audits, HIPAA Privacy exposures of covered entities for failing to comply with HIPAA already had risen significantly. Earlier this year, OCR imposed a $4.3 Million Civil Money Penalty (CMP) against Cignet Health of Prince George’s County (Cignet) for violating HIPAA. Meanwhile, the Department of Justice has secured several criminal convictions or pleas under HIPAA’s criminal provisions. Under amendments made by the HITECH Act, state attorneys general also now are empowered to bring civil lawsuits against covered entities and business associates that commit HIPAA violations that injure citizens in their state under certain circumstances. Eventually, individuals injured by HIPAA violations also will get the right to share in a portion of certain HIPAA recoveries.

These and other audit and enforcement activities send a strong message that covered entities and their business associates need to get serious about HIPAA compliance. As stated by OCR Director Georgina Verdugo when announcing the Mass General Resolution Agreement, “To avoid enforcement penalties, covered entities must ensure they are always in compliance with the HIPAA Privacy and Security Rules,” Verdugo added, “A robust compliance program includes employee training, vigilant implementation of policies and procedures, regular internal audits, and a prompt action plan to respond to incidents.” Learn more here.

For Help With Monitoring Developments, Compliance, Investigations Or Other Needs

Vice President of the North Texas Health Care Compliance Professionals Association, a member of the American College of Employee Benefit Counsel, Past Chair of the ABA RPTE Employee Benefits & Other Compensation Arrangements Group, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has extensive experience advising and assisting health care providers, health plans, their business associates and other health industry clients to establish and administer medical privacy and other compliance and risk management policies. Ms. Stamer also regularly helps clients deal with OCR and other agencies, publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. Her insights on the required “culture of compliance” with HIPAA are frequently included in medical privacy related publications of the Atlantic Information Service, Modern Health Care, HealthLeaders and many others. Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, employee benefit and other clients, trade and professional associations and others. You can get more information about her HIPAA and other experience here or may contact her at (469) 767-8872 or via e-mail here.

You can review other selected publications and resources and additional information about the employment, employee benefits and other experience of Ms. Stamer here.

Other Resources

If you found this update of interest, you also may be interested in reviewing some of the other updates and publications authored by Ms. Stamer available including:

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press resources available at www.solutionslawpress.com.

THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS. ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.

Comments Off on OCR 1st HIPAA Privacy, Security & Breach Notification Compliance Audits Begin | Data Security, Employee Benefits, Employers, ERISA, Fiduciary Responsibility, Health Plans, Human Resources, Internal Controls, Internal Investigations, Patient Empowerment, Privacy, Tax | Tagged: Data Breach, Health Care Provider, Health Plans, HHS, HIPAA, OCR, Privacy, Privacy Rules | Permalink
Posted by Cynthia Marcotte Stamer

OCR’s McAndrew Speaks At 5/16 JCEB HIPAA Teleconference; OCR/NIST To Share Other HIPAA Training On Line

May 10, 2011

The National Institute of Standards and Technology (NIST) and the Department of Health and Human Services (HHS), Office for Civil Rights (OCR) are making presentations from the 4th annual conference on “Safeguarding Health Information: Building Assurance through HIPAA Security” co-hosted in Washington, D.C. on May 10 & 11, 2011 available on line for review. The training is part of a series of continuing efforts by the agencies to outreach to various parties on the Privacy and Security Rules of the Health Insurance Portability & Accountability Act of 1996, as amended (HIPAA). Meanwhile, OCR’s Susan McAndrew is scheduled to share insights on OCR’s HIPAA regulatory and enforcement agenda at a teleconference to be hosted by the American Bar Association Joint Committee on Employee Benefits at Noon Central on May 16, 2011.

The Security Rule sets federal standards to protect the confidentiality, integrity and availability of electronic protected health information by requiring HIPAA covered entities and their business associates to implement and maintain administrative, physical and technical safeguards. Presentations cover a variety of current topics including updates on HHS health information privacy and security initiatives, OCR’s enforcement of health information privacy and security activities, integrating security safeguards into health IT and security automation, insider threat trends and safeguards, and more.

The conference is designed to explore the current health information technology security landscape and the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, the agencies share their practical strategies, tips and techniques for implementing the HIPAA Security Rule.

For details about reviewing the May 10-11 presentations, see the 2011 HIPAA Conference website here. For details about the May 16 teleconference, see here.

For Help With Monitoring Developments, Compliance, Investigations Or Other Needs

If you need assistance monitoring federal health reform, policy or enforcement developments, or to review or respond to these or other health care or health IT related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, can help. Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 23 years experience advising health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers, health plans, their business associates and other health industry clients to establish and administer medical privacy and other compliance and risk management policies, to health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. She regularly designs and presents HIPAA and other risk management, compliance and other training for health plans, employers, health care providers, professional associations and others.

Ms. Stamer also regularly works with OCR and other agencies, publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. For instance, On May 3, 2011, Ms. Stamer served as the appointed scribe for the ABA Joint Committee on Employee Benefits Agency meeting with OCR and will moderate a teleconference featuring comments by OCR’s Susan McAndrew for the Joint Committee on Employee Benefits scheduled for May 16. Her insights on the required “culture of compliance” with HIPAA also recently were quoted in medical privacy related publications of the Atlantic Information Service. Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, employee benefit and other clients, trade and professional associations and others.

You can get more information about her HIPAA and other experience here.

If you need assistance with these or other compliance concerns, wish to inquire about arranging for compliance audit or training, or need legal representation on other matters please contact Ms. Stamer at (469) 767-8872 or via e-mail here.

About Solutions Law Press

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. For important information concerning this communication click here.

Comments Off on OCR’s McAndrew Speaks At 5/16 JCEB HIPAA Teleconference; OCR/NIST To Share Other HIPAA Training On Line | Data Security, GINA, Health Plans, HIPAA, Human Resources, Privacy, Uncategorized, Wellness Programs | Tagged: Health Care, Health Care Provider, Health Plans, HIPAA, OCR, Protected Health Information | Permalink
Posted by Cynthia Marcotte Stamer

$2.4M HIPAA Settlement Message Warns Health Plans & Providers Against Sharing Medical Info With Media, Others

HHS Claims Average $69/Month Cost for Subsidized Coverage Shows ACA Success Challenged

HIPAA Compliance & Breach Data Shares Helpful Lessons For Health Plans, Providers and Business Associates

Medicare Secondary Payer Mandatory Reporting Threshold Clarified

HHS Share Model HIPAA Notices 1 Week Before Deadline For Updating Business Associate Agreements

IRS Publishes Final Health Reform Individual Shared Responsibility Rules

Impending 10/1 Exchange Notice & Other New Notice Deadlines Cut Time Short For Employers To Finalize 2014 Health Plan Terms & Contracts

Health Plan Pays $1.2M+ HIPAA Settlement For Not Protecting PHI On Copiers

OCR 1st HIPAA Privacy, Security & Breach Notification Compliance Audits Begin

OCR’s McAndrew Speaks At 5/16 JCEB HIPAA Teleconference; OCR/NIST To Share Other HIPAA Training On Line

Email Subscription

Pages

Recent Posts

Archives

Share this blog

Blogroll

Solutions Law

Solutions Law Press HR & Benefits Update