Learn Key Lessons From $3.2M+ Children’s HIPAA CMP

February 2, 2017

just-announced $3.2 million Health Insurance Portability & Accountability Act (HIPAA) Civil Monetary Penalty (CMP) paid by Children’s Medical Center of Dallas (Children’s)  for failing to adequately secure electronic protected health information (ePHI) and correct other HIPAA compliance deficiencies teaches many key lessons for employer and other health plans and insurers, healthcare clearinghouses, healthcare providers and their business associates (“Covered Entities”) about mistakes to avoid in managing not only ePHI on laptops and mobile devices, as well as their overall HIPAA compliance and risk management.

The Department of Health & Human Services (HHS) Office of Civil Rights (OCR) imposed the $3,217,000.00 Civil Monetary Penalty (CMP) under a January 18, 2017 Final Determination based upon findings that Children’s for years knowingly violated HIPAA by failing to encrypt or otherwise properly secure ePHI on laptops and other mobile devices and failing to comply with many other HIPAA requirements.  OCR originally notified Children’s of its intention to impose the CMP based on findings of widespread violations by Children’s of HIPAA in a September 30, 2016 Notice of Proposed Determination (Proposed Determination) that OCR sent to Children’s President of System Clinical Operations, David Berry.  Although the Proposed Determination included instructions for requesting a hearing on the Proposed Determination, Children’s paid the CMP rather than exercising these hearing rights.

Evidence Children’s Ignored Repeated Notices of Violations For Years

According to the Proposed Determination, OCR uncovered widespread HIPAA violations by Children’s while investigating the HIPAA compliance of the Dallas-based pediatric health and hospital system in response to two separate notices of large breaches of ePHI that Children’s filed with OCR in response to the HIPAA Breach Notification Rule.   Under the Breach Notification Rule, Covered Entities generally must provide notice of any breach of unsecured ePHI involving more than 500 individuals with OCR, subjects of the breached ePHI and the media within 60 days of receiving notice of the breach.  In contrast, for breaches of unsecured ePHI involving fewer than 500 individuals, Covered Entities generally must notify subjects of the breached ePHI within 60 days, but can delay notification to OCR until filing a consolidated annual report of small breaches of ePHI.

The two breach notifications that triggered the OCR investigation leading to the CMP both involved losses of mobile devices containing ePHI that Children’s filed with OCR.

The first breach report, filed on January 18, 2010, notified OCR of the loss at the Dallas/Fort Worth International Airport on November 19, 2009 of an unencrypted, non-password protected BlackBerry device containing the ePHI of approximately 3,800 individuals.

The second reported breach report filed on July 5, 2013, reported the theft of an unencrypted laptop with the ePHI of 2,462 individuals from its premises sometime between April 4 and April 9, 2013. The OCR investigation found that although Children’s implemented some physical safeguards to the operating room storage area (e.g., badge access was required, and a security camera was present at one of the entrances), it also provided access to the area to staff who were not authorized to access ePHI. Children’s janitorial staff had unrestricted access to the area where the laptop was stored but did not provide encryption to protect the ePHI on the laptop from access by such unauthorized persons.  Children’s internal investigation concluded that the laptop was probably stolen by a member of the janitorial staff.

In the course of investigating these two reported breaches, OCR took note that Children’s previously reported a small breach of unsecured ePHI on an unencrypted mobile device.  In a letter dated August 22, 2011, from Children’s Vice President of Compliance and Internal Audit and Chief Compliance Officer Ron Skillens to OCR Equal Opportunity Specialist Jamie Sorley, Mr. Skillens stated that a Children’s workforce member (an unidentified medical resident) lost an iPod device in December 2010. The iPod had been synched to the resident’s Children’s email account, which resulted in the ePHI of at least 22 individuals being placed on the device. The ePHI on the iPod was not encrypted. The loss of the iPod resulted in the impermissible disclosure of ePHI by the medical resident. OCR concluded the ePHI of 22 individuals was impermissibly disclosed, because the workforce member and agent of Children’s provided access to any unauthorized person who discovered the device.

  • OCR found that the breaches resulted from Children’s violation of the HIPAA Security Rule by failing to encrypt laptops and other mobile devices or and implement other appropriate safeguards for the protection of ePHI on mobile devices;
  • Failing to appropriately document its decision to not implement encryption on mobile devices and any applicable rationale behind a decision to use alternative security measures to encryption; and
  • Failing to implement security measures that were an equivalent alternative to the security protection available from encryption solutions.

The Proposed Determination also reports that the OCR ’s investigation revealed that Children repeatedly over several years knowingly failed to implement and administer proper encryption and other safeguards on laptops and other mobile devices containing ePHI despite actual knowledge of the unaddressed risks to unencrypted ePHI in violation of the HIPAA Security Rule dating back to at least 2007. The Proposed Determination notes, for instance, that:

  • A Security Gap Analysis and Assessment conducted for Children’s December 2006-February 2007 by Strategic Management Systems, Inc. (SMS) (SMS Gap Analysis) identified the absence of risk management as a major finding and recommended that Children’s implement encryption to avoid loss of PHI on stolen or lost laptops.
  • A separate PricewaterhouseCoopers (PwC) analysis of threats and vulnerabilities to certain ePHI (PwC Analysis) conducted in August, 2008 for Children’s determined that encryption was necessary and appropriate. The PwC Analysis also determined that a mechanism was not in place to protect data on a laptop, workstation, mobile device, or USB thumb drive if the device was lost or stolen and identified the loss of data at rest through unsecured mobile devices as being “high” risk. PwC identified data encryption as a “high priority” item and recommended that Children’s implement data encryption in the fourth quarter of 2008.
  • Furthermore, in September 2012, the HHS Office of the Inspector General (OIG) issued the findings from its audit of Children’s that focused on information technology controls for devices such as smartphones and USB drives. Among other things, the report, entitled “Universal Serial Bus Control Weaknesses Found at Children’s Medical Center,” found that Children’s had insufficient controls to prevent data from being written onto unauthorized and unencrypted USB devices and that “without sufficient USB controls, there was a risk that ePHI could have been written onto an unauthorized/unencrypted USB device and taken out of the hospital, resulting in a data breach.” A copy of this report was provided to Mr. Skillens.
  • Despite the prior breach notifications and warnings from the SMS Gap Analysis, the PwC Analysis and the OIG audit report, Children’s failed to take the necessary steps to encrypt and otherwise safeguard its ePHI on mobile devices.  Children’s still had not implemented encryption on all devices as of April 9, 2013 even though appropriate commercial encryption products were available to achieve encryption of laptops, workstations, mobile devices, and USB thumb drives in use by Children’s staff by, at least, the time of the PwC Analysis in 2008.  Furthermore, while leaving these deficiencies unresolved, the Proposed Determination notes that Children’s issued unencrypted BlackBerry devices to nurses beginning in 2007 and allowed its workforce members to continue using unencrypted laptops and other mobile devices until at least April 9, 2013 despite the findings of SMS and PwC and Children’s actual knowledge about the risk of maintaining unencrypted ePHI on its devices.

Based on this evidence, OCR concluded that Children’s had “actual knowledge” of the unaddressed threats to ePHI as early as March 2007 and at least one year prior to the reported security incidents. Furthermore, OCR also found that Children’s additionally violated HIPAA by failing to implement sufficient policies and procedures governing the receipt and removal of hardware and electronic media that contain ePHI into and out of its facility, and the movement of these items within the facility prior to at least November 9, 2012.  Prior to November 2012, Children’s information technology (IT) assets were inventoried and managed separately from the inventory of devices used within its Biomedical Department. Children’s IT asset policies did not apply to devices that accessed or stored ePHI that were managed by the Biomedical Department. Consequently, Children’s was unable to identify all devices to which the device and media control policy should apply prior to completing a full-scope inventory to identify all information systems containing ePHI in November 9, 2012. As Children’s did not conduct a complete inventory to identify all devices to which its IT asset policies apply to ensure that all devices were covered by its device and media control policies, the Proposed Determination concluded Children’s was out of compliance with the Security Rule at 45 C.P.R. § 164.310(d)(l).

After OCR’s investigation indicated widespread Privacy and Security Rule noncompliance by Children’s, the Proposed Determination states that OCR attempted to negotiate a resolution with Children’s through its informal resolution agreement process from approximately November 6, 2015, to August 30, 2016.  When these efforts failed, OCR issued a May 10,2016 Letter of Opportunity that formally informed Children’s that since OCR had been unable to resolve its findings that Children’s violated the Privacy and Security Rules by informal means, OCR was informing Children’s of the preliminary indications of non-compliance and providing Children’s with an opportunity to submit written evidence of mitigating factors under 45 C.F.R. § 160.408 or affirmative defenses under 45 C.F.R. § 160.410 for OCR’s consideration in making a determination of a CMP pursuant to 45 C.F.R. § 160.404. The letter stated that Children’s could also submit written evidence to support a waiver of a CMP for the indicated areas of non-compliance. Each of Children’s indicated acts of noncompliance and the potential CMP for them were described in the letter. The letter was delivered to Children’s and received by Children’s agent on May 12, 2016.

Children’s responded to OCR’s letter on or about June 9, 2016.  The Proposed Determination states that OCR determined that the information and arguments submitted by Children’s in its June 9, 2016 letter did not support an affirmative defense pursuant to 45 C.F.R. § 160.410 or a waiver of the CMP pursuant to 45 C.F.R. § 160.412.  Accordingly, OCR notified Children’s in its September 30, 2016 Proposed Determination of OCR’s intent to implement the $3,217,000.00 CMP and procedures for appealing this planned CMP assessment. When Children’s did not file an appeal, OCR issued the Final Determination assessing the CMP.  OCR reports that Children now has paid the $3,217,000.00 CMP.

Important Lessons For Other Covered Entities

The Children’s CMP and underlying circumstances provide many key lessons for other Covered Entities.  Obviously, the Final Decision drives home the importance of:

  • Proper encryption and other security and access controls of devices and systems containing ePHI; and
  • Proper documentation of risk assessments, audits, breach investigations and other events, compliance analysis and conclusions taken in response, and corrective actions selected and implemented in response to these events.

Beyond the importance of documented compliance with encryption and other requirements, the Children’s CMP and its associated Proposed Determination and Final Determinations also illustrate the importance of proper behavior in response to a known or suspected breach.  The Proposed Determination and Final Determination make clear that beyond the breaches uncovered in the course of the investigation, OCR’s decision to implement the CMP was influenced by, among other things:

  • OCR investigates all large breach reports;
  • Small breach reports can count too;
  • The recurrent disregard and failure by Children to act to address the HIPAA security violations over a period of years despite both repeated notifications of its noncompliance and actual breaches resulting from these compliance deficiencies; and
  • The failure of Children’s to cooperate with OCR to reach a voluntary resolution agreement which might have allowed Children to resolve its liability for the breaches OCR found by paying a potentially smaller settlement payment and implementing corrective actions to OCR’s satisfaction.

About The Author

Recognized by LexisNexis® Martindale-Hubbell® as a “AV-Preeminent” (Top 1%/ the highest) and “Top Rated Lawyer,” with special recognition  as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of  “Labor & Employment,” “Tax: Erisa & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, the author of this update is widely known for her 28 plus years’ of work in health care, health benefit, health policy and regulatory affairs and other health industry concerns as a practicing attorney and management consultant, thought leader, author, public policy advocate and lecturer.

Throughout her adult life and nearly 30-year legal career, Ms. Stamer’s legal, management and governmental affairs work has focused on helping health industry, health benefit and other organizations and their management use the law, performance and risk management tools and process to manage people, performance, quality, compliance, operations and risk. Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer helps these and other organizations and their leaders manage their employees, vendors and suppliers, and other workforce members, customers and other’ performance, compliance, compensation and benefits, operations, risks and liabilities, as well as to prevent, stabilize and cleanup legal and operational crises large and small that arise in the course of operations.

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, current American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting, former Vice President of the North Texas Health Care Compliance Professionals Association, past Chair of the ABA Health Law Section Managed Care & Insurance Section, past ABA JCEB Council Representative, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Compliance Chair of the National Kidney Foundation of North Texas, and Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization, Ms. Stamer’s includes nearly 30 years’ of work with a diverse range of health industry clients on an extensive range of matters.

Ms. Stamer has worked closely with health industry, managed care and insurance and other businesses and their management, employee benefit plans, governments and other organizations deal with all aspects of staffing, human resources and workforce performance management, internal controls and regulatory compliance, change management and other performance and operations management and compliance. She supports her clients both on a real-time, “on demand” basis and with longer term basis to deal with daily performance management and operations, emerging crises, strategic planning, process improvement and change management, investigations, defending litigation, audits, investigations or other enforcement challenges, government affairs and public policy.

As a core component of her work,  Ms. Stamer has worked extensively throughout her career with health care providers, health plans and insurers, managed care organizations, health care clearinghouses, their business associates, employers, banks and other financial institutions, management services organizations, professional associations, medical staffs, accreditation agencies, auditors, technology and other vendors and service providers, and others on legal and operational compliance, risk management and compliance, public policies and regulatory affairs, contracting, payer-provider, provider-provider, vendor, patient, governmental and community relations and matters including extensive involvement advising, representing and defending public and private hospitals and health care systems; physicians, physician organizations and medical staffs; specialty clinics and pharmacies; skilled nursing, home health, rehabilitation and other health care providers and facilities; medical staff, accreditation, peer review and quality committees and organizations; billing and management services organizations; consultants; investors; technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, insurers, self-insured health plans and other payers; and other health industry clients to establish and administer compliance and risk management policies; comply with requirements, investigate and respond to Board of Medicine, Health, Nursing, Pharmacy, Chiropractic, and other licensing agencies, Department of Aging & Disability, FDA, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; JCHO and other accreditation and quality organizations; private litigation and other federal and state health care industry investigation, enforcement including  insurance or other liability management and allocation; process and product development, contracting, deployment and defense; evaluation, commenting or seeking modification of regulatory guidance, and other regulatory and public policy advocacy; training and discipline; enforcement, and a host of other related concerns for public and private health care providers, health insurers, health plans, technology and other vendors, employers, and others, and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns.

Heavily involved in health care and health information technology, data and related process and systems development, policy and operations innovation and a Scribe for ABA JCEB annual agency meeting with OCR for many years who has authored numerous highly-regarded works and training programs on HIPAA and other data security, privacy and use, Ms. Stamer also is widely recognized for her extensive work and leadership on HIPAA, FACTA, PCI, trade secret, physician and other medical confidentiality and privacy, federal and state data security and data breach and other information privacy and data security rules and concerns including policy design, drafting, administration and training; business associate and other contracting; risk assessments, audits and other risk prevention and mitigation; investigation, reporting, mitigation and resolution of known or suspected breaches, violations or other incidents; and defending investigations or other actions by plaintiffs, OCR, FTC, state attorneys’ general and other federal or state agencies, other business partners, patients and others.   Ms. Stamer has worked extensively with health care providers, health plans, health care clearinghouses, their business associates, employers and other plan sponsors, banks and other financial institutions, and others on risk management and compliance with HIPAA, FACTA, trade secret and other information privacy and data security rules, including the establishment, documentation, implementation, audit and enforcement of policies, procedures, systems and safeguards, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and enforcement, and a host of other related concerns. Her clients include public and private health care providers, health insurers, health plans, technology and other vendors, and others. In addition to representing and advising these organizations, she also has conducted training on Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.

A former lead consultant to the Government of Bolivia on its Pension Privatization Project with extensive domestic and international public policy and governmental and regulatory affairs experience, Ms. Stamer also is widely recognized for regulatory and policy work, advocacy and outreach on healthcare, education, aging, disability, savings and retirement, workforce, ethics, and other policies.  Throughout her adult life and career, Ms. Stamer has provided thought leadership; policy and program design, statutory and regulatory development design and analysis; drafted legislation, proposed regulations and other guidance, position statements and briefs, comments and other critical policy documents; advised, assisted and represented health care providers, health plans and insurers, employers, professional. and trade associations, community and government leaders and others on health care, health, pension and retirement, workers’ compensation, Social Security and other benefit, insurance and financial services, tax, workforce, aging and disability, immigration, privacy and data security and a host of other international and domestic federal, state and local public policy and regulatory reforms through her involvement and participation in numerous client engagements, founder and Executive Director of the Coalition for Responsible Health Policy and its PROJECT COPE: the Coalition on Patient Empowerment, adviser to the National Physicians Congress for Healthcare Policy, leadership involvement with the US-Mexico Chamber of Commerce, the Texas Association of Business, the ABA JCEB, Health Law, RPTE, Tax, Labor, TIPS, International Life Sciences, and other Sections and Committees, SHRM Governmental Affairs Committee and a host of other  involvements and activities.

A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical  staff performance, quality, governance, reimbursement, privacy and data security, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her insights on these and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications.

Beyond her extensive involvement advising and representing clients on privacy and data security concerns and other health industry matters, Ms. Stamer also has served for several years as a scrivener for the ABA JCEB’s meeting with OCR, the Chair of the Southern California ISSA Health Care Privacy & Security Summit, and an editorial advisory board member, author, program chair or steering committee member, and faculties for a multitude of other programs and publications regarding privacy, data security, technology and other compliance, risk management and operational concerns in the health care, health and other insurance, employee benefits and human resources, retail, financial services and other arenas.

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her thought leadership, experience and advocacy on HIPAA and other concerns by her service in the leadership of a broad range of other professional and civic organization including her involvement as the Vice Chair of the North Texas Healthcare Compliance Association, Executive Director of the Coalition on Responsible Health Policy and its PROJECT COPE: Coalition on Patient Empowerment, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children; former Board Compliance Chair and Board member of the National Kidney Foundation of North Texas, current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, immediate past RPTE Representative to ABA Joint Committee on Employee Benefits Council Representative and current RPTE Representative to the ABA Health Law Coordinating Council, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, a former member of the Board of Directors of the Southwest Benefits Association and others.

Ms. Stamer also is a highly popular lecturer, symposium and chair, faculty member and author, who publishes and speaks extensively on health and managed care industry, human resources, employment and other privacy, data security and other technology, regulatory and operational risk management. Examples of her many highly regarded publications on these matters include “Protecting & Using Patient Data In Disease Management: Opportunities, Liabilities And Prescriptions,” “Privacy Invasions of Medical Care-An Emerging Perspective,” “Cybercrime and Identity Theft: Health Information Security: Beyond HIPAA,” as well as thousands of other publications, programs and workshops these and other concerns for the American Bar Association, ALI-ABA, American Health Lawyers, Society of Human Resources Professionals, the Southwest Benefits Association, the Society of Employee Benefits Administrators, the American Law Institute, Lexis-Nexis, Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, the HCCA, ISSA, HIMSS, Modern Healthcare, Managed Healthcare, Institute of Internal Auditors, Society of CPAs, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other symposia and publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, Insurance Thought Leadership and many other prominent publications and speaks and conducts training for a broad range of professional organizations.

For more information about Ms. Stamer or her health industry and other experience and involvements, see here or contact Ms. Stamer via telephone at (469) 767-8872 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources here such as:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or your profile here.

©2017 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™  All other rights reserved.


SCOTUS: States Can’t Require Reporting of ERISA Health Plan Data

March 2, 2016

Employer and union sponsored group health plans covered by the Employee Retirement Income Security Act of 1974 (ERISA) and their insurers are not required to comply with a Vermont state law that requires health insurers and certain other parties to report payments relating to health care claims and other information relating to health care services to a state agency for compilation in an all-inclusive health care database, according to the United States Supreme Court’s March 1, 2016 ruling in Gobeille v. Liberty Mutual Insurance Company.

In a 6-2 opinion authored by Justice Kennedy, the Supreme Court held in Gobeille that ERISA Section 514 preempts Vermont’s requirement that health insurers and other health benefit payers report health care claims and other information relating to health care services to a state agency for inclusion in an all-inclusive health care data base.

The lawsuit stemmed from a lawsuit challenging Vermont’s attempt to enforce the law against Liberty Mutual In­surance Company’s self-insured health plan (Plan). Liberty Mutual provides benefits under the Plan to its thousands of employees which are located in all 50 States of which only approximately 140 of which are located in Vermont. When Vermont sought to require the Plan’s third-party administrator, Blue Cross Blue Shield of Massachusetts, Inc. (Blue Cross) to transmit its files on the Plan’s eligibility, medical claims, and phar­macy claims for the Plan’s Vermont members to the state data base, Liberty Mutual was concerned that the disclosure of such confidential information might vio­late its fiduciary duties,  It instructed Blue Cross not to comply and sued seeking a declaratory judgement that ERISA pre-empts application of Ver­mont’s statute and regulation to the Plan and an injunction prohibit­ing Vermont from trying to acquire data about the Plan or its mem­bers. After the District Court granted summary judgment to Vermont, the Second Circuit reversed, concluding that Vermont’s reporting scheme is pre-empted by ERISA as applied to the Plan.

When Vermont appealed the Second Circuit’s decision to the Supreme Court, the Supreme Court sided with Liberty Mutual. It upheld the Second Circuit’s ruling, holding that the preemption provisions of ERISA bar Vermont from enforcing the reporting requirement against ERISA-covered health plans or their administrators.

Righting for the Supreme Court Majority, Justice Kennedy explained that ERISA expressly pre-empts “any and all State laws insofar as they may now or hereafter relate to any employee benefit plan.” 29 U.S.C §1144(a). Commenting that this preemption reaches to any state law that has an impermissible “connection with” ERISA plans, Justice Kennedy took judicial notice that ERISA seeks to make the benefits promised by an employer more secure by mandating certain uniform reporting and other oversight systems and other standard procedures, Justice Kennedy said ERISA’s extensive reporting, disclosure, and recordkeeping requirements are central to, and an essential part of, this uniform plan administration system. He also wrote that ERISA’s uniform rule design also makes clear that it is the Secretary of Labor, not the separate States, that is authorized to decide whether to exempt plans from ERISA reporting requirements or to require ERISA plans to report data such as that sought by Vermont. Because Vermont’s law and regulation also govern plan reporting, disclosure, and recordkeeping, Justice Kennedy explained that pre-emption is necessary in order to prevent multiple jurisdictions from imposing differing or even parallel, regulations, creating wasteful administrative costs and threatening to subject plans to wide-ranging liability.

Justice Kennedy also found unpersuasive Vermont’s counterargument that respondent has not shown that the State scheme has caused it to suffer economic costs, stating that Liberty Mutual need not wait to bring its pre-emption claim until confronted with numerous inconsistent obligations and encumbered with any ensuing costs. In addition, Justice Kennedy wrote that the fact that ERISA and the state reporting scheme have different objectives does not transform Vermont’s direct regulation of a fundamental ERISA function into an innocuous and peripheral set of additional rules and that Vermont’s regime also cannot be saved by invoking the State’s traditional power to regulate in the area of public health. Furthermore, Justice Kennedy added that ERISA’s pre-existing reporting, disclosure, and recordkeeping provisions maintain their pre-emptive force regardless of whether the new Patient Protection and Affordable Care Act’s reporting obligations also pre-empt state law.

About The Author

Recognized as a “Top” attorney in employee benefits, labor and employment and health care law extensively involved in health and other employee benefit and human resources policy and program design and administration representation and advocacy throughout her career, Cynthia Marcotte Stamer is a practicing attorney and Managing Shareholder of Cynthia Marcotte Stamer, P.C., a member of Stamer│Chadwick│Soefje PLLC, author, pubic speaker, management policy advocate and industry thought leader with more than 27 years’ experience practicing at the forefront of employee benefits and human resources law.

A Fellow in the American College of Employee Benefit Counsel, past Chair and current Welfare Benefit Committee Co-Chair of the American Bar Association (ABA) RPTE Section Employee Benefits Group, Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, former Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, an ABA Joint Committee on Employee Benefits Council Representative and Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization, Ms. Stamer is recognized nationally and internationally for her practical and creative insights and leadership on health and other employee benefit, human resources and insurance matters and policy.

Ms. Stamer helps management manage. Ms. Stamer’s legal and management consulting work throughout her 27 plus year career has focused on helping organizations and their management use the law and process to manage people, process, compliance, operations and risk. Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer helps public and private, domestic and international businesses, governments, and other organizations and their leaders manage their employees, vendors and suppliers, and other workforce members, customers and other’ performance, compliance, compensation and benefits, operations, risks and liabilities, as well as to prevent, stabilize and cleanup workforce and other legal and operational crises large and small that arise in the course of operations.

Ms. Stamer works with businesses and their management, employee benefit plans, governments and other organizations deal with all aspects of human resources and workforce management operations and compliance. She supports her clients both on a real time, “on demand” basis and with longer term basis to deal with daily performance management and operations, emerging crises, strategic planning, process improvement and change management, investigations, defending litigation, audits, investigations or other enforcement challenges, government affairs and public policy. Well known for her extensive work with health care, insurance and other highly regulated entities on corporate compliance, internal controls and risk management, her clients range from highly regulated entities like employers, contractors and their employee benefit plans, their sponsors, management, administrators, insurers, fiduciaries and advisors, technology and data service providers, health care, managed care and insurance, financial services, government contractors and government entities, as well as retail, manufacturing, construction, consulting and a host of other domestic and international businesses of all types and sizes. Common engagements include internal and external workforce hiring, management, training, performance management, compliance and administration, discipline and termination, and other aspects of workforce management including employment and outsourced services contracting and enforcement, sentencing guidelines and other compliance plan, policy and program development, administration, and defense, performance management, wage and hour and other compensation and benefits, reengineering and other change management, internal controls, compliance and risk management, communications and training, worker classification, tax and payroll, investigations, crisis preparedness and response, government relations, safety, government contracting and audits, litigation and other enforcement, and other concerns.

Ms. Stamer uses her deep and highly specialized health, insurance, labor and employment and other knowledge and experience to help employers and other employee benefit plan sponsors; health, pension and other employee benefit plans, their fiduciaries, administrators and service providers, insurers, and others design legally compliant, effective compensation, health and other welfare benefit and insurance, severance, pension and deferred compensation, private exchanges, cafeteria plan and other employee benefit, fringe benefit, salary and hourly compensation, bonus and other incentive compensation and related programs, products and arrangements. She is particularly recognized for her leading edge work, thought leadership and knowledgeable advice and representation on the design, documentation, administration, regulation and defense of a diverse range of self-insured and insured health and welfare benefit plans including private exchange and other health benefit choices, health care reimbursement and other “defined contribution” limited benefit, 24-hour and other occupational and non-occupational injury and accident, ex-patriate and medical tourism, onsite medical, wellness and other medical plans and insurance benefit programs as well as a diverse range of other qualified and nonqualified retirement and deferred compensation, severance and other employee benefits and compensation, insurance and savings plans, programs, products, services and activities. As a key element of this work, Ms. Stamer works closely with employer and other plan sponsors, insurance and financial services companies, plan fiduciaries, administrators, and vendors and others to design, administer and defend effective legally defensible employee benefits and compensation practices, programs, products and technology. She also continuously helps employers, insurers, administrative and other service providers, their officers, directors and others to manage fiduciary and other risks of sponsorship or involvement with these and other benefit and compensation arrangements and to defend and mitigate liability and other risks from benefit and liability claims including fiduciary, benefit and other claims, audits, and litigation brought by the Labor Department, IRS, HHS, participants and beneficiaries, service providers, and others. She also assists debtors, creditors, bankruptcy trustees and others assess, manage and resolve labor and employment, employee benefits and insurance, payroll and other compensation related concerns arising from reductions in force or other terminations, mergers, acquisitions, bankruptcies and other business transactions including extensive experience with multiple, high-profile large scale bankruptcies resulting in ERISA, tax, corporate and securities and other litigation or enforcement actions.

Ms. Stamer also is deeply involved in helping to influence the Affordable Care Act and other health care, pension, social security, workforce, insurance and other policies critical to the workforce, benefits, and compensation practices and other key aspects of a broad range of businesses and their operations. She both helps her clients respond to and resolve emerging regulations and laws, government investigations and enforcement actions and helps them shape the rules through dealings with Congress and other legislatures, regulators and government officials domestically and internationally. A former lead consultant to the Government of Bolivia on its Social Security reform law and most recognized for her leadership on U.S. health and pension, wage and hour, tax, education and immigration policy reform, Ms. Stamer works with U.S. and foreign businesses, governments, trade associations, and others on workforce, social security and severance, health care, immigration, privacy and data security, tax, ethics and other laws and regulations. Founder and Executive Director of the Coalition for Responsible Healthcare Policy and its PROJECT COPE: the Coalition on Patient Empowerment and a Fellow in the American Bar Foundation and State Bar of Texas, Ms. Stamer annually leads the Joint Committee on Employee Benefits (JCEB) HHS Office of Civil Rights agency meeting and other JCEB agency meetings. She also works as a policy advisor and advocate to many business, professional and civic organizations.

Author of the thousands of publications and workshops these and other employment, employee benefits, health care, insurance, workforce and other management matters, Ms. Stamer also is a highly sought out speaker and industry thought leader known for empowering audiences and readers. Ms. Stamer’s insights on employee benefits, insurance, health care and workforce matters in Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, Modern Healthcare, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, InsuranceThoughtLeadership.com and many other prominent publications. Ms. Stamer also regularly serves on the faculty and planning committees for symposia of LexisNexis, the American Bar Association, ALIABA, the Society of Employee Benefits Administrators, the American Law Institute, ISSA, HIMMs, and many other prominent educational and training organizations and conducts training and speaks on these and other management, compliance and public policy concerns.

Ms. Stamer also is active in the leadership of a broad range of other professional and civic organizations. For instance, Ms. Stamer presently serves on an American Bar Association (ABA) Joint Committee on Employee Benefits Council representative; Vice President of the North Texas Healthcare Compliance Professionals Association; Immediate Past Chair of the ABA RPTE Employee Benefits & Other Compensation Committee, its current Welfare Benefit Plans Committee Co-Chair, on its Substantive Groups & Committee and its incoming Defined Contribution Plan Committee Chair and Practice Management Vice Chair; Past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and a current member of its Healthcare Coordinating Council; current Vice Chair of the ABA TIPS Employee Benefit Committee; the former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division; on the Advisory Boards of InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications. She also previously served as a founding Board Member and President of the Alliance for Healthcare Excellence, as a Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; the Board President of the early childhood development intervention agency, The Richardson Development Center for Children; Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee; a member of the Board of Directors of the Southwest Benefits Association. For additional information about Ms. Stamer, see CynthiaStamer.com or the Stamer│Chadwick │Soefje PLLC or contact Ms. Stamer via email to here or via telephone to (469) 767-8872.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources at http://www.solutionslawpress.com such as:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or updating your profile here.

©2016 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ All other rights reserved.