A new Department of Health and Human Services Final Rule will tighten subsidy eligibility and implement other reforms for the the Heathcare Marketplace insurance plans created under the Patient Protection and (“ACA”). Health plan sponsors and providers should take into account the probable effect of enrollment and coverage pattern changes these changes will cause for groups of workers and other individuals currently relying on subsidies to maintain Marketplace coverage in their planning, budgeting and compliance.
The 2025 Marketplace Integrity and Affordability Final Rule (“Rule”) reverses Biden Administration rules that lowered requirements for individuals to receive subsidies to pay costs for purchasing health coverage and eased other requirements for Exchange coverage.
According to the now Trump Administration-led Centers for Medicare & Medicaid Services (“CMS”), improper ACA enrollments enabled by weakened verification processes and expanded premium subsidies triggered widespread fraud. Research shows that in 2024, an estimated 5 million people may have been improperly enrolled, costing taxpayers as much as $20 billion[1].
To address these concerns, the new Rule:
Repealing the monthly special enrollment period (SEP) for individuals with projected household incomes at or below 150% of the federal poverty level, a policy used by some agents and brokers to improperly enroll ineligible consumers and perform unauthorized plan switching to gain commissions;
Requiring income verifications to ensure people qualify for the premium subsidies they receive;
Conducting eligibility verifications for the majority of enrollments through SEPs, closing loopholes that allowed people to wait to enroll until they needed care and improving the risk pool, which can lower premiums for middle-class families not receiving subsidies;
Reducing advanced payments of the premium tax credit (APTC) by $5 a month for individuals who are auto re-enrolled in fully-subsidized plans without eligibility verification, ensuring consumers are aware of and engaged in their health coverage; and
Standardizing the Annual Open Enrollment Period starting with the 2027 plan year so that it ends by December 31 for all health insurance exchanges, encouraging people to maintain year-round health coverage rather than waiting until they get sick to enroll, which helps keep insurance affordable for everyone.
CMS says many changes are “temporary” measures set to sunset at the end in 2026 to immediately tamp down on the outflow of funds to ensure that eligibility verification processes work efficiently and allow qualified enrollees to access ACA Exchange coverage without fear of coverage gaps or surprise tax liabilities resulting from the improper actions of third parties.
To ensure federal subsidies for coverage through ACA Exchanges only support the statutory requirements and goals of the ACA, CMS also is:
Prohibiting federal subsidies from being used to help cover the cost of specified sex-trait modification procedures to align an individual’s physical appearance or body with an asserted identity that differs from the individual’s sex; and
Reinstating HHS’ longstanding 2012 interpretation of “lawfully present” to exclude Deferred Action for Childhood Arrivals (DACA) recipients from eligibility and enrollment in ACA Exchange coverage and Basic Health Program (BHP) coverage in States that elect to operate a BHP, including APTC, premium tax credits, and cost-sharing reductions.
CMS says these reforms address “improper enrollments and the improper flow of federal funds implemented during the Biden Administration.
Group health plans, their employer and other sponsors should prepare for potential implications of these changes on their workforce and health plans. These are likely to vary among employers and plans. Possible effects could include:
An increase in the number of uninsured workers or dependents;
Effects on Affordable Care Act and other testing;
New inquiries and requests for special or other enrollment;
Potential new notification and enrollment requirements;
Potential increases in occupational illness, sick or disability leave, absenteeism and presenteeism from uncovered workers; and
More.
Considering these and other effects can help health plans, their sponsors, and employees to prepare for and respond to these effects.
If you have questions or need help with these or other employee benefits concerns, contact the author of this update, Cynthia Marcotte Stamer, who is a Fellow in the American College of Employee Benefits Counsel with decades of employee benefits experience.
More Information Or Help
We hope this update is helpful. For more information about these or other health or other employee benefits, human resources, insurance, or health care legal developments, please contact the author, Cynthia Marcotte Stamer, via e-mail or telephone at (214) 452-8297.
Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating in and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.
About the Author
Cynthia Marcotte Stamer is a Martindale-Hubble AV-Preeminent (highest/top 1%) practicing attorney recognized as a “Top Woman Lawyer,” “Top Rated Lawyer,” and “LEGAL LEADER™” in Health Care Law and Labor and Employment Law; among the “Best Lawyers In Dallas” in “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law recognized for her experience, scholarship, thought leadership and advocacy on health and other employee benefits, insurance, healthcare, workforce, HIPAA and other data and technology and other compliance in connection with her work with health care and life sciences, employee benefits, insurance, education, technology and other highly regulated and performance-dependent clients.
Board certified in labor and employment law by the Texas Board of Legal Specialization and a Fellow in the American College of Employee Benefits Counsel, Ms. Stamer is nationally recognized for her decades of leading edge experience on the design, sponsorship, administration and defense of health and other employee benefit, workforce, insurance, healthcare , data and technology and other operations to promote legal and operational compliance, reduce regulatory and other liability and promote other operational goals.
Along with her decades of legal and strategic consulting experience, Ms. Stamer also contributes her leadership and experience to many professional, civic and community organizations. She currently serves as Co-Chair of the ABA Real Property Trusts and Estates (“RPTE”) Section Welfare Plan Committee, Co-Chair of the ABA International Section International Employment Law Committee and its Annual Meeting Program Planning Committee, Chair Emeritus and Vice Chair of the ABA Tort Trial and Insurance (“TIPS”) Section Medicine and Law Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee. She also has served as Scribe for the Joint Committee on Employee Benefits (“JCEB”) annual agency meetings with the Department of Health and Human Services and JCEB Council Representative, International Section Life Sciences Committee Chair, RPTE Section Employee Benefits Group Chair and a Substantive Groups Committee Member, Health Law Section Managed Care & Insurance Interest Group Chair, as TIPS Section Medicine and Law Committee Chair and Employee Benefits Committee and Workers Compensation Committee Vice Chair, Tax Section Fringe Benefit Committee Chair, and in various other ABA leadership capacities. Ms. Stamer also is a former Southwest Benefits Association Board Member and Continuing Education Chair, SHRM National Consultant Board Chair and Region IV Chair, Dallas Bar Association Employee Benefits Committee Chair, former Texas Association of Business State, Regional and Dallas Chapter Chair, a founding board member and Past President of the Alliance for Healthcare Excellence, as well as in the leadership of many other professional, civic and community organizations. She also is recognized for her contributions to strengthening health care policy and charitable and community service resolving health care challenges performed under PROJECT COPE Coalition For Patient Empowerment initiative and many other pro bono service involvements locally, nationally and internationally.
Ms. Stamer is the author of many highly regarded works published by leading professional and business publishers, the ABA, the American Health Lawyers Association, and others. Ms. Stamer also frequently speaks and serves on the faculty and steering committee for many ABA and other professional and industry conferences and conducts leadership and industry training for a wide range of organizations.
For more information about Ms. Stamer or her health industry and other experience and involvements, see http://www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.
About Solutions Law Press™
Solutions Law Press™ provides health care, insurance, human resources and employee benefit, data and technology, regulatory and operational performance, and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education. These include extensive resources on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press™ resources or training.
If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.
NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or admission. Solutions Law Press and its authors reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. Solutions Law Press and its authors disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.
Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.
Group health plans, their employer and union sponsors, fiduciaries, insurers, administrators, communications and information technology vendors and participants interested in promoting technologies to help patients control their health and wellness have until June 16, 2025 is to share input with the Centers for Medicare & Medicaid Services (“CMS”) and the Office of the National Coordinator for Health Information Technology (“ONC”) in response to their currently open request for information (“RFI”).
Following up on the CMS Interoperability and Patient Access Final Ruleand part of Secretary Kennedy’s effotts to “Make America Healthy Again,” the agencies are inviting public input on designing a seamless, secure, and patient-centered digital health infrastructure that will help seniors and their families use modern technology to control of their health and well-being, manage chronic conditions, and access care more efficiently.
The RFI invites input from patients, caregivers, providers, payers, technology developers, and other stakeholders on how CMS and ONC can:
Drive the development and adoption of digital health management and care navigation applications;
Strengthen interoperability and secure access to health data through open, standards-based technologies;
Identify barriers preventing the seamless exchange of health information across systems; and
Reduce administrative burden while accelerating progress toward value-based, patient-centered care.
Many employee benefit plans, their sponsors and vendors have extensive experience and interest in the use of mobile applications and other technologies by plan members and their caregivers. Interested parties should consider sharing insights to help promote awareness of helpful designs and to deter investments or mandates of unhelpful technologies.
For More Information Or Help
We hope this update is helpful. For more information about these or other health or other employee benefits, human resources, or health care developments, please contact the author, Cynthia Marcotte Stamer, via e-mail or telephone at (214) 452-8297.
Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating in and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.
About the Author
Cynthia Marcotte Stamer is a Martindale-Hubble AV-Preeminent (highest/top 1%) practicing attorney recognized as a “Top Woman Lawyer,” “Top Rated Lawyer,” and “LEGAL LEADER™” in Health Care Law and Labor and Employment Law; among the “Best Lawyers In Dallas” in “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law recognized for her experience, scholarship, thought leadership and advocacy on HIPAA and other data and technology use, security and compliance in connection with her work with health care and life sciences, employee benefits, insurance, education, technology and other highly regulated and performance-dependent clients.
Board certified in labor and employment law by the Texas Board of Legal Specialization and a Fellow in the American College of Employee Benefits Counsel, Ms. Stamer is nationally recognized for her decades of leading edge experience on the design, sponsorship, administration and defense of health and other employee benefit, workforce, data and technology and other operations to promote legal and operational compliance, reduce regulatory and other liability and promote other operational goals.
Along with her decades of legal and strategic consulting experience, Ms. Stamer also contributes her leadership and experience to many professional, civic and community organizations. She currently serves as Co-Chair of the ABA Real Property Trusts and Estates (“RPTE”) Section Welfare Plan Committee, Co-Chair of the ABA International Section International Employment Law Committee and its Annual Meeting Program Planning Committee, Chair Emeritus and Vice Chair of the ABA Tort Trial and Insurance (“TIPS”) Section Medicine and Law Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee. She also has served as Scribe for the Joint Committee on Employee Benefits (“JCEB”) annual agency meetings with the Department of Health and Human Services and JCEB Council Representative, International Section Life Sciences Committee Chair, RPTE Section Employee Benefits Group Chair and a Substantive Groups Committee Member, Health Law Section Managed Care & Insurance Interest Group Chair, as TIPS Section Medicine and Law Committee Chair and Employee Benefits Committee and Workers Compensation Committee Vice Chair, Tax Section Fringe Benefit Committee Chair, and in various other ABA leadership capacities. Ms. Stamer also is a former Southwest Benefits Association Board Member and Continuing Education Chair, SHRM National Consultant Board Chair and Region IV Chair, Dallas Bar Association Employee Benefits Committee Chair, former Texas Association of Business State, Regional and Dallas Chapter Chair, a founding board member and Past President of the Alliance for Healthcare Excellence, as well as in the leadership of many other professional, civic and community organizations. She also is recognized for her contributions to strengthening health care policy and charitable and community service resolving health care challenges performed under PROJECT COPE Coalition For Patient Empowerment initiative and many other pro bono service involvements locally, nationally and internationally.
Ms. Stamer is the author of many highly regarded works published by leading professional and business publishers, the ABA, the American Health Lawyers Association, and others. Ms. Stamer also frequently speaks and serves on the faculty and steering committee for many ABA and other professional and industry conferences and conducts leadership and industry training for a wide range of organizations.
For more information about Ms. Stamer or her health industry and other experience and involvements, see http://www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.
About Solutions Law Press™
Solutions Law Press™ provides health care, insurance, human resources and employee benefit, data and technology, regulatory and operational performance, and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education. These include extensive resources on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press™ resources or training.
If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.
NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or admission. Solutions Law Press and its authors reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. Solutions Law Press and its authors disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.
Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.
The Internal Revenue Service (“IRS”) published advanced notice of the 2026 inflation adjusted amounts for Health Savings Accounts (“HSAs”) § 223 of the Internal Revenue Code (“Code”) and the maximum amount that may be made newly available for excepted benefit health reimbursement arrangements (HRAs) provided under § 54.9831-1(c)(3)(viii) of the Pension Excise Tax Regulations.
In calendar year 2026, these amounts are as follows:
The annual limitation on deductions under § 223(b)(2) for an individual with coverage under a high deductible health plan for self-only is $4,400 and for family coverage under a high $8,750.
A “high deductible health plan” under § 223(c)(2)(A) will be defined as a health plan with an annual deductible that is not less than $1,700 for self-only coverage or $3,400 for family coverage, and for which the annual out-of-pocket expenses (deductibles, co-payments, and other amounts, but not premiums) do not exceed $8,500 for self-only coverage or $17,000 for family coverage.
For plan years beginning in 2026, the maximum amount that may be made newly available for the plan year for an excepted benefit HRA under Code § 54.9831-1(c)(3)(viii) is $2,200.
We hope this update is helpful. For more information about these or other health or other employee benefits, human resources, or health care developments, please contact the author, Cynthia Marcotte Stamer, via e-mail or telephone at (214) 452-8297.
Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating in and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.
About the Author
Cynthia Marcotte Stamer is a Martindale-Hubble AV-Preeminent (highest/top 1%) practicing attorney recognized as a “Top Woman Lawyer,” “Top Rated Lawyer,” and “LEGAL LEADER™” in Health Care Law and Labor and Employment Law; among the “Best Lawyers In Dallas” in “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law recognized for her experience, scholarship, thought leadership and advocacy on HIPAA and other data and technology use, security and compliance in connection with her work with health care and life sciences, employee benefits, insurance, education, technology and other highly regulated and performance-dependent clients.
Board certified in labor and employment law by the Texas Board of Legal Specialization and a Fellow in the American College of Employee Benefits Counsel, Ms. Stamer is nationally recognized for her decades of leading edge experience on the design, sponsorship, administration and defense of health and other employee benefit, workforce, data and technology and other operations to promote legal and operational compliance, reduce regulatory and other liability and promote other operational goals.
Along with her decades of legal and strategic consulting experience, Ms. Stamer also contributes her leadership and experience to many professional, civic and community organizations. She currently serves as Co-Chair of the ABA Real Property Trusts and Estates (“RPTE”) Section Welfare Plan Committee, Co-Chair of the ABA International Section International Employment Law Committee and its Annual Meeting Program Planning Committee, Chair Emeritus and Vice Chair of the ABA Tort Trial and Insurance (“TIPS”) Section Medicine and Law Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee. She also has served as Scribe for the Joint Committee on Employee Benefits (“JCEB”) annual agency meetings with the Department of Health and Human Services and JCEB Council Representative, International Section Life Sciences Committee Chair, RPTE Section Employee Benefits Group Chair and a Substantive Groups Committee Member, Health Law Section Managed Care & Insurance Interest Group Chair, as TIPS Section Medicine and Law Committee Chair and Employee Benefits Committee and Workers Compensation Committee Vice Chair, Tax Section Fringe Benefit Committee Chair, and in various other ABA leadership capacities. Ms. Stamer also is a former Southwest Benefits Association Board Member and Continuing Education Chair, SHRM National Consultant Board Chair and Region IV Chair, Dallas Bar Association Employee Benefits Committee Chair, former Texas Association of Business State, Regional and Dallas Chapter Chair, a founding board member and Past President of the Alliance for Healthcare Excellence, as well as in the leadership of many other professional, civic and community organizations. She also is recognized for her contributions to strengthening health care policy and charitable and community service resolving health care challenges performed under PROJECT COPE Coalition For Patient Empowerment initiative and many other pro bono service involvements locally, nationally and internationally.
Ms. Stamer is the author of many highly regarded works published by leading professional and business publishers, the ABA, the American Health Lawyers Association, and others. Ms. Stamer also frequently speaks and serves on the faculty and steering committee for many ABA and other professional and industry conferences and conducts leadership and industry training for a wide range of organizations.
For more information about Ms. Stamer or her health industry and other experience and involvements, see http://www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.
About Solutions Law Press™
Solutions Law Press™ provides health care, insurance, human resources and employee benefit, data and technology, regulatory and operational performance, and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education. These include extensive resources on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press™ resources or training.
If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.
NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or admission. Solutions Law Press and its authors reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. Solutions Law Press and its authors disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.
Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.
Creating greater transparency of the compensation of prescription benefit management (“PBM”) arrangements used in group health plans covered by the Employee Retirement Income Security Act of 1974 (“ERISA”) is one of many new policy directives President Trump directs federal agencies to pursue to promote lower cost access to prescription drugs under his Executive Order on Lowering Drug Prices By Once Again Putting Americans First (the “Executive Order”) signed April 15, 2025. Employer and union-sponsored health plans, their sponsors, fiduciaries and service providers should carefully track and provide appropriate input to the Department of Labor and other federal agencies charged with implementing the new ERISA transparency requirement and other policy changes directed in the Executive Order.
ERISA PMB Transparency Requirements
To improve the transparency of compensation received by PBMs working with ERISA-covered group health plnas, the Executive Order directs the Department of Labor (“DOL”) to propose regulations to make the fee disclosure requirements of ERISA section 408(b)(2)(B) applicable to PBMs by October 12, 2025.
The Executive Order’s directive to the DOL contemplates that DOL will revise its existing regulations under Section 408(b)(2) to prohibit group health plan fiduciaries from allowing PBMs to directly or indirectly receive compensation for their PBM services unless the PBM discloses its compensation from the arrangement in accordace with the fee disclosure requirements that the Executive Order contemplates DOL will add to ERISA section 408(b)(2).
While DOL regulations have required since 2012 that pension plan service providers to disclose direct or indirect compensation under arrangements with ERISA-covered pension plans in order for the service provider compensation to be allowed “reasonable compensation” under ERISA section 408(b)(2), the fee disclosure requirement currently does not apply to PBMs or other service providers to group health plans or other welfare benefit plan arrangements.
Across the intervening years, concern that the lack of transparency and disclosure allows PBMs to receive excessive compensation and engage in conflicts of interest has led employee benefit industry watchdogs, employer and other plan sponsors, plan members, health care providers and others increasingly to urge the DOL to impose fee disclosure requirements on PBMs and other health and welfare benefit plan service providers. The Executive Order yields to these demands by calling upon the DOL to deem a group health plan’s compensation arrangements with PBMs reasonable only where PBMs disclose direct and indirect compensation, including compensation paid among related parties such as subcontractors, in a manner consistent with current Section 408(b )(2) Regulations.
Other Prescription Drug Reforms
The Executive Order also includes numerous other reform directives beyond calling for DOL to make PBMs subject to ERISA’s fee disclosure rules. These included several directives to HHS and certain other agencies that President Trump intends to lower the cost of prescription drugs within and outside the Medicare program.
Medicare & Other Drug Pricing and Coverage Related Prescription Drug Reforms
Many of the policy directives in the Executive Order seek to reform Medicare and other prescription drug cost and coverage.
By April 15, 2026, for instance, the Executive Order directs HHS to develop a better payment model to improve the ability of the Medicare program to obtain better value for high-cost prescription drugs and biological products covered by Medicare, including those not subject to the Medicare Drug Price Negotiation Program.
In addition, the Executive Order:
Directs HHS to work with the Congress to modify the Medicare Drug Price Negotiation Program to align the treatment of small molecule prescription drugs with that of biological products so as to end the distortion that undermines relative investment in small molecule prescription drugs, coupled with other reforms to prevent any increase in overall costs to Medicare and its beneficiaries;
By June 14, 2025,
Requires HHS to propose changes to the Medicare Drug Price Negotiation Program regulations for the initial price applicability year 2028 and manufacturer implementation of maximum fair price under such program in 2026, 2027, and 2028 to improve the transparency of the Medicare Drug Price Negotiation Program, prioritize the selection of prescription drugs with high costs to the Medicare program, and minimize any negative impacts of the maximum fair price on pharmaceutical innovation within the United States; andRequires HHS to require health centers receiving Public Health Service Act Section 330(e) grants to establish practices to make insulin and injectable epinephrine available at or below the discounted price paid by the health center grantee or sub-grantee under the 340B Prescription Drug Program (plus a minimal administration fee) to low income individuals who have a high cost-sharing requirement for either insulin or injectable epinephrine; have a high unmet deductible; or have no healthcare insurance.Requires the Assistant to the President for Domestic Policy (“APDP”) in coordination with the Secretary, the Director of the Office of Management and Budget (“OMB Director”), and the Assistant to the President for Economic Policy (“APECP”), to provide recommendations to the President on how best to stabilize and reduce Medicare Part D premiums;Requires the HHS Secretary to publish a plan to conduct a survey under the Site-of-Service Price Transparency rules of Social Security Act Section 1833(t)(14)(D)(ii) to determine the hospital acquisition cost for covered outpatient drugs at hospital outpatient departments and propose appropriate adjustments to align Medicare payment with the cost of acquisition, consistent with the budget neutrality requirements; and
Requires HHS to evaluate and propose regulations to ensure that payment within the Medicare program is not encouraging a shift in drug administration volume away from less costly physician office settings to more expensive hospital outpatient departments.
Other Prescription Drug Reforms
In addition to these predominantly Medicare-focused programs, the Executive Order also orders federal agencies to
Requires the Secretary of Labor to propose regulations pursuant to section 408(b)(2)(B) of the Employee Retirement Income Security Act of 1974 to improve employer health plan fiduciary transparency into the direct and indirect compensation received by pharmacy benefit managers by October 12, 2025;
Requires the APDP, in coordination with the HHS Secretary, the OMB Director, and the APECP, to provide recommendations to the President on how best to promote a more competitive, efficient, transparent, and resilient pharmaceutical value chain that delivers lower drug prices for Americans by June 14, 2025;
Requires the Food and Drug Administration to streamline and improve the Importation Program under the Federal Food, Drug, and Cosmetic Act to make it easier for States to obtain approval without sacrificing safety or quality;
Requires the OMB Director, the APDP, and the Assistant to the President for Economic Policy )”APECP, and HHS Secretary to provide joint recommendations on how best to ensure that manufacturers pay accurate Medicaid drug rebates consistent with section 1927 of the Social Security Act, promote innovation in Medicaid drug payment methodologies, link payments for drugs to the value obtained, and support States in managing drug spending;
Requires the HHS Secretary, through the Commissioner of Food and Drugs, to issue a report providing administrative and legislative recommendations to accelerate approval of generics, biosimilars, combination products, and second-in-class brand name medications; and improve the process through which prescription drugs can be reclassified as over-the-counter medications, including recommendations to optimally identify prescription drugs that can be safely provided to patients over the counter;
Requires HHS, the Department of Justice, the Department of Commerce, and the Federal Trade Commission to conduct listening sessions and issue a report with recommendations to reduce anti-competitive behavior from pharmaceutical manufacturers.
Health plans, their sponsoring employers or unions, fiduciaries, PBM and other service providers, brokers, insurers, auditors, and others involved in the design or oversight of PBM and other group health plan arrangements should monitor closely the DOL and other agency responses to the Executive Order to anticipate and prepare for required changes, as well as to be prepared to identify and timely provide input about proposed rules or other actions to DOL or the otherwise applicable regulatory agency before finalized.
The author of this update, Cynthia Marcotte Stamer is an American College of Employee Benefits Counsel Fellow and attorney board certified in Labor and Employment Law by the Texas Board of Legal Specialization, with decades of experience advising employers and other health plan sponsors, health plans, health plan fiduciaries and administrators, PBMs, health and other insurers, third party administrators, managed care organizations, health plan technology, and other businesses about health plan design, administration, and other compliance, risk management and operational matters. If you have questions or need advice or help evaluating or addressing these or other compliance, risk management, or other concerns, contact her.
For More Information
We hope this update is helpful. For more information about these or other health or other employee benefits, human resources, or health care developments, please contact the author, Cynthia Marcotte Stamer, via e-mail or telephone at (214) 452-8297.
Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.
About the Author
A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation; Cynthia Marcotte Stamer is an attorney board certified in labor and employment law by the Texas Board of Legal Specialization, management consultant, author, public policy advocate and lecturer sought out by clients and industry and government leaders for her more than 35 years of health, insurance, employment and employee benefits and other industry management work, thought leadership, public policy and regulatory affairs advocacy, coaching, teaching, and publications on health and other employee benefits, health care, insurance, workforce and other risk management and compliance.
Along with her decades of legal and strategic consulting experience, Ms. Stamer also contributes her leadership and experience to many professional, civic and community organizations. Along with currently serving as Co-Chair of the ABA Real Property Trusts and Estates (“RPTE”) Section Welfare Plan Committee, Co-Chair of the ABA International Section International Employment Law Committee and its Annual Meeting Program Planning Committee, Chair Emeritus and Vice Chair of the ABA Tort Trial and Insurance (“TIPS”) Section Medicine and Law Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee, her previous ABA leadership roles include more than a decade of service as a Scribe for the Joint Committee on Employee Benefits (“JCEB”) annual agency meetings with the Department of Health and Human Services and JCEB Council Representative, International Section Life Sciences Committee Chair, RPTE Section Employee Benefits Group Chair and a Substantive Groups Committee Member, Health Law Section Managed Care & Insurance Interest Group Chair, as TIPS Section Medicine and Law Committee Chair and Employee Benefits Committee and Workers Compensation Committee Vice Chair, Tax Section Fringe Benefit Committee Chair, and in various other ABA leadership capacities. Ms. Stamer also is a former Southwest Benefits Association Board Member and Continuing Education Chair, SHRM National Consultant Board Chair and Region IV Chair, Dallas Bar Association Employee Benefits Committee Chair, former Texas Association of Business State, Regional and Dallas Chapter Chair, a founding board member and Past President of the Alliance for Healthcare Excellence, as well as in the leadership of many other professional, civic and community organizations. She also is recognized for her contributions to strengthening health care policy and charitable and community service resolving health care challenges performed under PROJECT COPE Coalition For Patient Empowerment initiative and many other pro bono service involvements locally, nationally and internationally.
Ms. Stamer is the author of many highly regarded works published by leading professional and business publishers, the ABA, the American Health Lawyers Association, and others. Ms. Stamer also frequently speaks and serves on the faculty and steering committee for many ABA and other professional and industry conferences and conducts leadership and industry training for a wide range of organizations.
For more information about Ms. Stamer or her health industry and other experience and involvements, see http://www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.
About Solutions Law Press™
Solutions Law Press™ provides health care, insurance, human resources and employee benefit, data and technology, regulatory and operational performance, and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education. These include extensive resources on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press™ resources or training.
If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.
NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or an admission. Solutions Law Press and its authors reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often rapidly evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. Solutions Law Press and its authors disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.
Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.
Employers should prepare for a wave of U.S. Department of Labor (“Labor Department”) guidance and other actions defining and implementing President Trump’s labor and employment policy agenda as new Labor Secretary Chavez-DeRemer and several key politically appointed Labor Department agency leaders took office this week. Employers and contractors impacted by Labor Department rules and enforcement should monitor Labor Department developments for policy or enforcement changes impacting their workforce policies and prepare to respond quickly to new developments.
Secretary of Labor Chavez-Deremer
Chavez-Deremer was sworn in as the new Secretary of Labor on Tuesday, March 11, after the U.S. Senate confirmed her nomination by a vote of 67-32 on March 10. Prior to her nomination by President Trump, Chavez-Deremer served in the House of Representatives for the 5th Congressional District of Oregon, where she served on the House Education and the Workforce Committee. While in Congress, Chavez-DeRemer’s backing for legislation that included provisions easing barriers to union organization earned her a pro-labor reputation won support for her nomination from Democrat Senators Michael Bennet (D-Colo.), Catherine Cortez-Masto (D-Nev.), Ruben Gallego (D-Ariz.), Maggie Hassan (D-N.H.), John Hickenlooper (D-Colo.), Tim Kaine (D-Va.), Mark Kelly (D-Ariz.), Amy Klobuchar (D-Minn.), Jon Ossoff (D-Ga.), Gary Peters (D-Mich.), Jacky Rosen (D-Nev.), Adam Schiff (D-Calif.), Jeanne Shaheen (D-N.H.), Elissa Slotkin (D-Mich.), Mark Warner (D-Va.), Raphael Warnock (D-Ga.), and Sheldon Whitehouse (D-R.I) and opposition from Republican Senators Ted Budd (R-N.C.), Mitch McConnell (R-Ky.), and Rand Paul (R-Ky).
In a memorandum reportedly sent to agency heads within the Department of Labor, Chavez-Deremer reportedly embraced the directives of President Trump’s Department of Government Efficiency (“DOGE”) and instructed department heads to move quickly to review of budgets and identify opportunities for cost savings by eliminating wasteful contract spending, cutting redundancies and cutting low-performing employees. a source told Fox News Digital.
Other Labor Department Agency Heads Starting Work This Week
On March 13, the Department of Labor announced the following political appointees are joining the Department’s leadership team:
Bureau of International Labor Affairs
John Clark will serve as policy advisor to the Bureau of International Labor Affairs. Most recently, he worked on trade, transportation, and China policy matters at a Washington, D.C.-based industry association. Clark is a graduate of the University of Hawaii at Manoa William S. Richardson School of Law and Florida State University.
Employment and Training Administration
Amy Simon will serve as principal deputy assistant secretary of the Employment and Training Administration. Previously, Simon was founder and owner of the boutique consulting firm, Simon Advisory. From 2019 to 2021, she served as chief of staff and acting deputy assistant secretary for the Employment and Training Administration in the first Trump Administration.
Marek Laco will serve as the agency’s chief of staff. Most recently, Laco led workforce development policy as a staff member for the Committee on Education and the Workforce in the U.S. House of Representatives. He has worked for several members of Congress and spent time at the U.S. Department of Education during the first Trump Administration before serving as deputy chief of staff for Rep. Elise Stefanik.
Occupational Health and Safety Administration
Amanda Wood Laihow will serve as the deputy assistant secretary for the U.S. Occupational Safety and Health Administration. Most recently, she served as a commissioner to the U.S. Occupational Safety and Health Review Commission during the first Trump Administration. Wood Laihow was the director of labor and employment policy for the National Association of Manufacturers and served as deputy general counsel on the U.S. Senate Homeland Security and Governmental Affairs Committee and as an assistant general counsel at the U.S. General Services Administration. Wood Laihow holds a J.D. from the University of Maine School of Law and her B.A. in Political Science from the University of New Hampshire.
Michael Asplen will serve as OSHA’s senior policy advisor. He previously served as chief counsel to Commissioner Laihow at the Occupational Safety and Health Review Commission. Before that, he was a counsel at the Consumer Product Safety Commission, managed Littler Mendelson’s Workplace Policy Institute, and was a policy associate at the National Association of Manufacturers. Asplen earned his B.A. in English as St. Mary’s College of Maryland and his J.D. from the Catholic University of America Columbus School of Law.
Office of Congressional and Intergovernmental Affairs
Joe MacFarlane will serve as senior legislative officer for the department’s Office of Congressional and Intergovernmental Affairs. Most recently, he served as legislative director for Secretary Chavez-DeRemer during her tenure in the U.S. House of Representatives, where he focused on managing the day-to-day legislative operations and team. Before that, he served as legislative assistant for Rep. Rick Crawford focusing on agricultural issues, and as legislative correspondent/staff assistant for the late Rep. Jackie Walorski. A Rochester, New York native, MacFarlane holds bachelor’s degrees in Political Science and International Affairs from the University of Georgia.
Office of Disability Employment Policy
Brian Walsh will serve as a senior policy advisor in the Office of Disability Employment Policy. Before this appointment, he was a labor policy advisor with the Senate Committee on Health, Education, Labor, and Pensions. Walsh served at the White House in the first Trump Administration and the Department of Labor. He holds a B.A. in Political Science from the University of New Orleans and a Master of Public Policy from George Mason University.
Office of Labor-Management Standards
Elisabeth Messenger will serve as director of the department’s Office of Labor-Management Standards. Most recently, she served as executive director of Gevura Fund. She has also held leadership positions at non-profit organizations focused on advancing free market policies and protecting the First Amendment rights of public employees as well as positions with several technology companies. After earning her B.A. in Journalism from the University of South Carolina, her career began in the publicity department of Atlantic Records.
Office of Public Affairs
Courtney Parella will serve as deputy assistant secretary in the department’s Office of Public Affairs. After driving messaging strategy for members of Congress and the Committee on House Administration, she worked on President Trump’s 2020 re-election campaign and at the National Republican Congressional Committee. Most recently, she served as the director of communications for Congressional Leadership Fund and its sister organization, American Action Network.
Aaron Britt will serve as chief of staff in the Office of Public Affairs. He worked on Capitol Hill for four years before his appointment, most recently serving as communications director for former Rep. Lori Chavez-DeRemer and as press secretary for Sen. Chuck Grassley. Britt’s career began in his home state, where he oversaw media relations and strategy at the Republican Party of Iowa during the 2020 election cycle.
Office of the Secretary
Jihun Han will serve as Department of Labor’s chief of staff. He was Secretary Chavez-DeRemer’s chief of staff during her tenure in the U.S. House of Representatives and ran her successful congressional bid in 2022. Han has extensive experience working in local, state, and national politics, including as campaign manager and chief of staff for numerous members and candidates in the Oregon legislature. He also worked in political affairs for the Oregon Association of Realtors and Evergreen Oregon PAC.
Rebecca Wright will serve as the department’s deputy chief of staff. She served as Secretary Chavez-DeRemer’s district director in Oregon and as deputy campaign manager for Christine Drazan’s gubernatorial campaign. She also worked as a senior staffer for the Oregon House Republican Caucus under House Republican Leader Drazan.
Courtney Walter will serve as senior counselor in the Office of the Secretary. She served at the U.S. Department of Labor in the first Trump Administration in various capacities, including as senior counsel in the Office of the Solicitor. Most recently, Walter practiced law in the private sector, focusing on labor and employment matters. She is a graduate of the Pennsylvania State University and Florida International University College of Law.
Colton Duncan will serve as the White House liaison for the U.S. Department of Labor. A political strategist and digital media entrepreneur, he has served as president and CEO of Ninja Digital and as senior advisor to Kari Lake. A native of Lubbock, Texas, Duncan is a proud alumnus of Turning Point USA.
Peyton Smith will serve as director of scheduling in the Office of the Secretary. Most recently, she served as the director of operations to Secretary during her time as representative for Oregon’s 5th District in the U.S. House of Representatives for the 118th Congress. She is a graduate of the University of Georgia and holds a degree in Political Science.
Office of the Solicitor
On Feb. 24, 2025, Jonathan Snare was appointed as deputy solicitor of labor. He is rejoining the department after serving as partner in the Washington, D.C. office of Morgan Lewis & Bockius in the labor/employment practice group from 2009 to 2024. During his tenure at Department of Labor between 2003 and 2009, Snare served in several roles, including acting assistant secretary for OSHA and deputy assistant secretary, as well as deputy solicitor and acting solicitor in 2007. Before joining the department, he was in private law practice in Dallas. A native of Indianapolis, Snare graduated from the University of Virginia and obtained a law degree from Washington & Lee University School of Law.
For Help With Investigations, Policy Updates Or Other Needs
If your organization would like to learn more about the concerns discussed in this update or seeks assistance auditing, updating, administering or defending its human resources, compensation, benefits, corporate ethics and compliance practices, or other work force or performance-related concerns, please contact management attorney and consultant Cynthia Marcotte Stamer.
An attorney Board-Certified in Labor and Employment Law by the Texas Board of Legal Specialization and American College of Employee Benefits Counsel Fellow, Ms. Stamer’s workforce and other management work, public policy leadership and advocacy, coaching, teachings, scholarship and thought leadership on helping organizations and leaders about manage their internal and external workforce, employee benefits and compensation, regulatory compliance and governmental affairs and other legal and operational practices and risk have earned her recognition as a Fellow in the American College of Employee Benefits Counsel, a “Top Woman Lawyer,” “Top Rated Lawyer,” and “LEGAL LEADER™” in Labor and Employment Law and Health Care Law; a “Best Lawyers” in “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” and numerous other honors.
For more than 35 years, Ms. Stamer’s work has advised businesses and business leaders about enhancing the effectiveness and defensibility of their operations using employment and other workforce and services management, employee benefits, compensation, performance management, contracting, Federal Sentencing Guideline and other compliance and risk management, investigations, and other legal and operational tools and solutions. While helping businesses define and manage the conduct and performance of their employees, contractors and vendors, she also assists employers and others with compliance with federal and state equal employment, compensation, health and other employee benefits, workplace safety, leave, employment tax, and other labor and employment, privacy and data security, and other laws: advises and assists management to monitor and reengineer workforce, employee benefits, compensation, safety and other policies and practices in response to regulatory, business, economic, and other developments; advises and defends businesses against labor and employment, employee benefit, wage and hour and other compensation, employment tax, fraud, Federal Sentencing Guideline and other regulatory compliance by the Department of Labor agencies, Department of Justice, Securities and Exchange Commission, Federal Trade Commission, Department of Justice, Office of Federal Contracts and Compliance, and other federal agencies; state Departments of Labor and other federal agencies; state workforce and labor, safety, workers’ compensation and other agencies; and employees, contractors, employee benefit plan participants and vendors, and others.
A former lead consultant to the Government of Bolivia on its social security privatization policy with decades of domestic and international government affairs and public policy experience, Ms. Stamer also has extensive experience providing advice to organizations, Congress and state legislators, federal and state regulators, and others about workforce, education, employee benefits, safety, health, insurance and other public policy concerns.
A prolific author and highly sought out thoughtleader, Ms. Stamer also speaks, coaches management and publishes extensively on these and other related matters.
For additional information about Ms. Stamer and her experience or to access other publications by Ms. Stamer see here or contact Ms. Stamer directly.
Other Helpful Resources & Information
If you found this article of interest, you also may be interested in reviewing other Breaking News, articles and other resources like:
If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. For important information concerning this communication, click here. If you do not wish to receive these updates in the future, unsubscribe by updating your profile here.
The $1.19 million Health Insurance Portability and Accountability Act (“HIPAA”) penalty imposed on a Florida pain clinic this week sends a clear warning to health plans, health care providers, healthcare clearinghouses and their business associates (“Covered Entities”) to take adequate, documented steps to ensure the defensibility of their own safeguards and other compliance with the HIPAA Security Rule including those from their own current and former workers and service providers.
HIPAA Security Rule
The HIPAA Privacy, Security, and Breach Notification Rules require health plans, health car clearinghouses, and most health care providers, and their business associates (“Covered Entities”) to meet requirements to protect the privacy and security of protected health information (“PHI”). The HIPAA Security Rule included in these rules requires Covered Entities to conduct and maintain documented risk assessments to prove their efforts to comply with detailed national administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic PHI (“ePHI”).
Violation of HIPAA can trigger either civil monetary penalties or criminal penalties under HIPAA. As amended by the the HITECH Act, HIPAA provides for the following civil monetary penalties for HIPAA violations:
A minimum of $100 for each violation where the covered entity or business associate did not know and, by exercising reasonable diligence, would not have known that the covered entity or business associate violated such provision, except that the total amount imposed on the covered entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $25,000
A minimum of $1,000 for each violation due to reasonable cause and not to willful neglect, except that the total amount imposed on the covered entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $100,000. Reasonable cause means an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect.
A minimum of $10,000 for each violation due to willful neglect and corrected within 30 days, except that the total amount imposed on the covered entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $250,000.
Aminimum of $50,000 for each violation due to willful neglect and uncorrected within 30 days, except that the total amount imposed on the covered entity or business associate for all violations of an identical requirement or prohibition during a calendar year may not exceed $1,500,000.
As required by law, OCR adjusts the CMP ranges for each penalty tier for inflation3 for violations after November 2, 2015.
Along with these potentially substantial civil penalty exposures, HIPAA’s potential criminal penalties make HIPAA compliance a required element of the Federal Sentencing Guideline Compliance programs Covered Entities and their leaders need to mitigate their exposures to organizational liability under the Guidelines.
Additionally HIPAA breaches also may expose Covered Entities and their leaders to potential liability for breach liability under securities, electronic crimes, and other data breach and security laws; Federal Sentencing Guideline and other liability for misappropriation of funds, health care or other fraud and other crimes enabled by inadequate compliance or response; trigger fiduciary and other duties and liabilities under the Employee Retirement Income Security Act of 1974 (“ERISA”) for those acting as named or functional fiduciaries; I create licensing or ethical sanctions; create shareholder, tort or contractual liabilities; trigger public company disclosure and executive compensation clawback responsibilities; and a host of other legal, operational and business partner and public relations headaches.
New $1.19 Million Settlement
The $1.19 million penalty against Pain Clinic for Gulf Coast Pain Consultants, LLC d/b/a Clearway Pain Solutions Institute (“Gulf Coast Pain Consultants”) announced December 4, 2024 by the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) shows how quickly a Covered Entity found in violation of these rules can rack up substantial civil monetary penalties. Although specifically involving a health care provider, health plans are exposed to the same risks.
The Gulf Coast Pain Management civil monetary penalty arose from OCR’s finding of “systematic” HIPAA Security Rule violations while investigating a breach report that a former contractor for the company impermissibly accessed their electronic record system.
OCR initiated the investigation following the receipt of a breach report filed by Gulf Coast Pain Consultants, which reported that a former contractor impermissibly accessed Gulf Coast’s electronic medical record system to retrieve PHI for use in potential fraudulent Medicare claims.
OCR’s investigation revealed the breach was accomplished by a business consultant independent contractor hired to provide business consulting in 2018, whose contract was terminated prematurely a several months later before the end of the contract term.
After the contract terminated, Gulf Coast did not immediately terminate the former contractor’s system access.
Months later on February 20, 2019, Gulf Coast discovered that on three occasions, between September 7, 2018, and February 3, 2019, the Contractor impermissibly used its access to Gulf Coast’s electronic medical record (“EMR”) system to access the ePHI of approximately 34,310 individuals. On February 21, 2019, Gulf Coast terminated the independent contractor’s access to its systems.
It was later discovered that the Contractor generated medical claims for services that were not actually rendered, resulting in approximately 6,500 false Medicare claims. The Contractor was indicted under 18 U.S.C. §1347 and §1028(a)(1) and was ultimately found not guilty.
On April 5, 2019, Gulf Coast filed a breach report with OCR concerning this incident. The report described that the compromised PHI included names, addresses, phone numbers, email addresses, dates of birth, Social Security numbers, chart numbers, insurance information, and primary care information.
OCR’s investigation determined that the impermissible access occurred on three occasions, affecting approximately 34,310 individuals. The compromised PHI included patient names, addresses, phone numbers, email addresses, dates of birth, Social Security numbers, chart numbers, insurance information, and primary care information.
Based on the investigation, OCR found four violations by Gulf Coast Pain Consultant of the HIPAA Security Rule, including failures to:
Conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to ePHI in its systems;
Implement procedures to regularly review records of activity in information systems;
Implement procedures to terminate former workforce members’ access to ePHI; and
Implement procedures for establishing and modifying workforce members’ access to information systems.
As often happens, the investigation and other processes leading to the settlement were protracted and expensive.
More than four years after the breach and its report, OCR issued a Notice of Proposed Determination in August 2024 seeking to impose a civil money penalty. After Gulf Coast waived its right to a hearing and did not contest OCR’s findings, OCR issued its Notice of Final Determination imposing the $1,190,000 civil money penalty.
Take Aways
Aside from demonstrating the significant penalties that Covered Entities can face for failing to satisfy HIPAA, the settlement also highlights the need for health plans, their fiduciaries, service providers and other HiIPAA_regulated entities to manage data security threats from contractors and other current and former service providers with access to ePHI and other Security Rule compliance.
“Current and former workforce can present threats to health care privacy and security—risking continuity of care and trust in our health care system,” said OCR Director Melanie Fontes Rainer in its announcement of the penalty. “Effective cybersecurity and compliance with the HIPAA Security Rule means being proactive in reviewing who has access to health information and responding quickly to suspected security incidents.”
OCR recommends that Covered Entities take a number of steps to mitigate or prevent cyber threats including
Integrate risk analysis and risk management into business processes.
Implement regular review of information system activity.
Implement procedures for terminating access to ePHI when the employment of, or other arrangement with, a workforce member ends.
Implement procedures for modifying a user’s right of access to a workstation, transaction, program or process, or an alternative equivalent measure.
A multitude of other risk assessment and mitigation actions required in response to existing and emerging threats arising from time to time as identified and evaluated pursuant to the ongoing conduct of documented risk assessments required by the Security Rule.
Because the Employee Benefit Security Administration views ensuring proper data security and HIPAA compliance an ERISA fiduciary responsibility and includes cybersecurity in its ERISA compliance audits, health plan fiduciaries also face breach of fiduciary duty and other exposures under ERISA.
The author of this update, Cynthia Marcotte Stamer has worked extensively with health plans and insurers, their sponsors and fiduciaries on covered entities and business associates on HIPAA and other compliance and risk management. If you have questions or need advice or help evaluating or addressing your HIPAA or other compliance, risk management, or other concerns, contact her.
For More Information
We hope this update is helpful. For more information about the or other health or other employee benefits, human resources, or health care developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452-8297.
Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for her more than 35 years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications including leading edge work on PBM, pharmacy and pharmaceutical and other health care, managed care, insurance, and insured and self-insured contracting, design, administration and regulation..
Author of numerous highly regarded works on PBM and other health plan contracting and design, Immediate Past Chair of the ABA International Section Life Sciences Committee and the Tort Trial and Insurance Practice Section Medicine and Law Committee, past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and past Group Chair and current Welfare Benefit Committee Co-Chair of the ABA RPTE Employee Benefits & Other Compensation Group, Ms. Stamer is most widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on health and other privacy and data security and other health industry legal, public policy and operational concerns.
Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with HIPAA and other legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns.
As a part of this work, she has continuously and extensively worked with domestic and international health plans, their sponsors, fiduciaries, administrators, and insurers; managed care and insurance organizations; third party administrators and other health benefit service providers; hospitals, health care systems and other health care providers, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; EMR, claims, payroll and other technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, self-insured health and other employee benefit plans, their sponsors, fiduciaries, administrators and service providers, insurers and other payers, health industry advocacy and other service providers and groups and other health and managed care industry clients as well as federal and state legislative, regulatory, investigatory and enforcement bodies and agencies.
Author of many highly regarded compliance, training and other resources on HIPAA and other risk management and compliance, Ms. Stamer is widely recognized for her thought leadership on HIPAA and many other health care, health plan and other health industry matters.
In addition, Ms. Stamer serves as a Scribe for the American Bar Association (“ABA”) Joint Committee on Employee Benefits annual agency meetings with OCR and shares her thought leadership as International Section Life Sciences Committee Vice Chair, and a former Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations.
For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.
About Solutions Law Press, Inc.™
Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources.
If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.
NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstance at the particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often rapidly evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. The author and Solutions Law Press, Inc. disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.
Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.
With this week’s Thanksgiving celebrations kicking off the 2024 year-end holiday festivities, wise businesses will proactively act to reduce the risk that their business will start 2025 with a post-holiday workforce liability hangover.
Responsibly managed, company-sponsored and other social celebrations and activities can promote team building, morale, goodwill and other rewards. However, holiday celebrations, staffing disruptions, behaviors and their fallout also can often create attendance, discipline, compliance, safety and other legal and operational responsibilities, risks and costs. Wise business leaders act proactively to mitigate these risks as the nation enters holiday season begins.
Health & Safety
Gatherings, food, game playing, toasting with alcohol, travel and other aspects of company-sponsored and off-duty celebrations can enhance usual or create new accident and illness risks. Holiday socialization, presentism, distractions, staffing disruptions, operational changes and other factors can increase illness and accident risks. Injuries and illnesses suffered on or off the job can create added occupational health and safety and worker’s compensation responsibilities, costs and liabilities, disrupt staffing and productivity, and fuel health care, medical leave, disability, worker’s compensation and other responsibilities and expenses long after the holiday season ends. To help workers enjoy the Holidays safely and avoid these business costs and disruptions, businesses should confirm that their occupational health, safety and injury policies, practices, and staffing fulfill applicable occupational health and safety and workplace accident and injury laws, as well as consider encouraging workers to follow good health and safety practices on and off the job throughout the holiday season.
Employers generally have a duty of care under the Occupational Safety and Health Act (“OSH Act”) and other occupational health and safety laws to provide a safe work environment. The OSH Act requires businesses to recognize and take appropriate steps to keep their workplaces safe. The OSH Act, worker’s compensation, leave and other laws. OSH Act and other workplace safety laws generally require employers to promptly report and investigate workplace accidents and injuries, ensure workers receive timely treatment, and trigger occupational injury and other leave and other duties.
Workplace injuries resulting from unsafe workplace conditions generally trigger expensive penalties and damages, in addition to worker’s compensation or other occupational injury coverage liabilities. The holiday season often exacerbates or adds to the ongoing challenges employers face in maintaining workplace safety and responding to workplace injuries and accidents. Some common sources of additional risks associated with the holiday season include decreased oversight from management holiday absences, heightened worker fatigue and distraction, demand-driven, vacation or illness-related understaffing, expanded use of temporary or contract staffing, and holiday season-associated intoxication. See Holiday Workplace Safety. OSHA offers various recommendations to aid employers in recognizing and managing heightened workplace safety risks during the holiday season. Keeping Workers Safe This Holiday Season. To mitigate their risks from workplace injuries and accidents caused by safety violations and associated violations of investigation, reporting, benefit and other requirements, business leaders should ensure that their organizations identify and manage these additional risks, as well as ensure appropriate staffing and other arrangements are in place to ensure timely response, investigation and reporting of any workplace accidents or injuries during the holiday season.
With outbreaks of the flu, respiratory illnesses and other communicable or infectious diseases that spread from person to person common during the holidays, and holiday gatherings heightening the potential for transmission of the flu or other contagious diseases, businesses also should consider their responsibilities under the OSH Act or other laws to manage contagious disease exposures and spread. For instance, health care and certain other industries may be subject to laws or regulations that impose specific requirements for preventing and responding to contagious diseases, many of which may have been added or changed since the COVID-19 pandemic. Businesses should verify their policies meet or exceed current federal, state, local and contractual requirements as well as are designed to meet their business’ need to manage other contagious disease costs, absences and other disruptions.
Whether or not a business is subject to specific contagious disease management mandates, all businesses generally will benefit from reviewing and communicating their existing contagious disease and related leave and other workforce policies to workers and management to help protect their operations against the costs, operational disruptions and liabilities that often result from contagious disease outbreaks within their workplace. To enhance efforts to deter worker injuries and illnesses, businesses should consider using free resources like the Centers for Disease Control’s Healthy Habits to Prevent Flu and 8 Tips for a Safe and Healthy Holiday Season flyers, workplace posters, payroll stuffers and other communications to remind workers and their families to follow best safety and contagious disease prevention practices during the holidays.
Along with encouraging workers to stay healthy and safe during the Holidays, businesses should also consider providing documented reminders and take other steps to encourage workers to provide timely notice of illnesses and injuries and verify appropriate management coverage and arrangements to ensure that management team absences don’t disrupt the business’ timely delivery of Family and Medical Leave Act, occupational injury and other notifications, coverage for absences, provision of benefits, and other performance of other responsibilities in response to injury and illness reports despite holiday associated absences or hours of operation impacting the employing business or its responsible vendors.
Businesses also should verify their workplace safety, contagious disease and leave policies are designed and administered to prevent and mitigate exposure for unlawful OSH Act and worker’s compensation retaliation, disability discrimination against legally protected employees with chronic or other disabilities under the Americans with Disabilities Act (“ADA”), denial of leave or other violations of the Family and Medical Leave Act leave, notice and other requirements; and ADA and other privacy and confidentiality laws.
Alcohol & Other Conscious Altering Substance Consumption
The increased prevalence of holiday season celebrations and vacations often fuels an increase in consumption of alcohol, marijuana, and other consciousness-altering substances. This consumption can fuel a host of risks and headaches for businesses. Businesses concerned about these risks should act proactively to mitigate these risks.
When addressing business-related alcohol consumption, many businesses will want to consider not only alcohol and other conscious altering consumption at business-related events as well as potential costs that may arise from off-duty excess alcohol consumption. Whether resulting from on or off-duty consumption, excess alcohol, marijuana or other conscious altering consumption, whether on or off duty, can undermine productivity, create attendance and discipline issues, and fuel a host of other risks even when it does not result in a specific accident or injury.
Impaired judgment from alcohol or other intoxication in the workplace or at other events often fuels or contributes to employees or others exhibiting or subjecting employees to inappropriate sexual advances or other discriminatory statements, violent behavior, suicidal behavior or other problematic conduct requiring workplace investigations and discipline.
Most businesses also recognize that accidents caused by alcohol or other intoxication at work or work-related functions create substantial liability exposures for the company under the OSH Act and other occupational safety laws, as well as to workers and any third parties injured by a drunken employee, business associate, client or guest.
Businesses risk “dram shop” or other claims or other liability if employees or guests impaired by alcohol or other substances consumed at company-sponsored or associated events or operating company vehicles or equipment injure others.
Beyond this third-party liability, businesses also may incur significant worker’s compensation, health or disability benefit-related benefit costs if an employee is injured or injures another worker in an alcohol-related accident.
The potential headaches are even greater where the business is a health care, education, automobile sales, trucking and other transportation, or another business subject to or that has voluntarily adopted specific drug and alcohol-free, drug and alcohol testing and other related regulatory or contractual requirements. Businesses subject to these requirements should ensure appropriate arrangements for timely drug and alcohol testing, reporting, and other compliance with these requirements during the holiday season to avoid regulatory or contractual penalties for noncompliance. Companies administering substance abuse testing must comply with applicable mandates while also ensuring that their processes incorporate appropriate protocols to comply with disability discrimination, accommodation and confidentiality requirements of the Americans With Disabilities Act (“ADA”). See, e.g., ADA May Require Employers To Accommodate Employees Testing Positive For Legally Prescribed Medications
Also, because workers engaged in these industries generally risk loss of licensure, certification or other credentials required to perform their jobs for engaging in or failing to report certain alcohol or substance-related offenses or conduct, even off-duty consumption can create staffing headaches for an employer if a worker becomes temporarily or permanently disqualified to work as a result of a substance-related infraction. Consequently, businesses in industries affected by these heightened requirements have a heightened interest in educating and reminding workers to behave legally and responsibly when deciding if and when to consume alcohol or other conscious-altering substances.
Accordingly, virtually all businesses can benefit from encouraging employees to be responsible when consuming alcohol in both business and non-business functions and in planning and hosting holiday functions.
Businesses that serve alcohol at company functions or anticipate that employees will attend other business functions where alcohol will be served need to consider the potential liability risks that may result if the alcohol-impaired judgment of an employee or other guest causes him to injure himself or someone else. A company anticipates an employee or guest might consume alcohol at a company-sponsored or another business event and should adopt and enforce clear policies to prohibit and prevent individuals from over-imbibing and from driving under the influence. Many businesses also find it beneficial to suggest, require or offer at company expense alternate transportation for employees to use when leaving a company or business-related event where the employee consumed alcohol.
Businesses concerned with these liability exposures should take steps to manage the potential risks that commonly arise when employees, clients or other guests consume alcohol at company-sponsored events or while attending other business-associated festivities. To minimize these risks at company-sponsored events, many companies elect not to serve or limit alcohol consumed by workers and served to guests at company sponsored events and other business functions.
To help prevent intoxication from fueling inappropriate behavior at company celebrations where alcohol might be consumed or present, businesses, at a minimum, should remind employees that company policies prohibiting intoxication apply to company-sponsored social and business events. Some practical tips for hosting safe holiday gatherings include:
Management and other leaders should communicate expectations and set a good example.
Reduce opportunities for intoxication by prohibiting or restricting and monitoring the amount of alcohol available and served.
Offer a plentiful supply of a variety of nonalcoholic drinks—water, juices, sparkling sodas. Nonalcoholic drinks provide guests with alternatives to alcohol. They also may help counteract the dehydrating effects of alcohol, slow the rate of alcohol absorption into the body and may reduce the peak alcohol concentration in the blood.
Provide a variety of healthy foods and snacks. Food consumption can slow the absorption of alcohol and reduce the peak level of alcohol in the body by about one-third. Food can also minimize stomach irritation and gastrointestinal distress the following day.
Encourage guests to help keep each other safe by monitoring and assign a team to monitor attendees for potential overconsumption or other signs of intoxication. With appropriate pre-consumption notification to attendees, some businesses even require or encourage attendees consuming alcohol to take a breathalyzer test before departure to minimize the risk that an intoxicated guest will be arrested or involved in an accident after departing the party.
Help your guests get home safely by arranging reliable transportation by using designated drivers and taxis. Anyone getting behind the wheel of a car should not have ingested any alcohol.
Because holiday-associated alcohol consumption and other stresses also tend to fuel increased depression, domestic violence and other stress-associated behaviors, many businesses also find it beneficial to redistribute information about employee assistance programs (EAPs).
Businesses also may want to review the adequacy of existing health, disability, accident and dismemberment, group legal services and other benefit programs, liability insurance coverage and employment policies to protect and promote the company’s risk management and workforce coverage objectives. Businesses can experience unfortunate surprises if they don’t anticipate the implications of these provisions on their employment policies, leave and benefit, safety and other workplace programs and liability insurance and indemnification obligations and costs. Maintaining and reminding workers about policies regarding alcohol consumption or intoxication, accident and traffic offense notifications, privacy waivers, or other policies enhancing accident investigation and response, or other strategic policies can help deter and facilitate investigation and response to on and off-duty accidents or other risk-creating events.
Many employee assistance (“EAP”) health and disability programs incorporate special provisions affecting injuries arising from inappropriate alcohol use as well as offer coverage and benefits to aid employees and family members affected by mental health or substance abuse-related conditions. Changes in regulatory mandates and expanded enforcement of federal group health plan mental health and substance abuse coverage mandates make it important to ensure that employment-based health coverage complies with these requirements. Similarly, many businesses increasingly qualify for preferential rates or discounts on liability policies based upon representations that the business has in effect certain alcohol and drug use or other risk management policies and practices. Reviewing these policies now to become familiar with any of these requirements and conditions can also be invaluable in helping a business respond effectively if an employee or guest is injured in an alcohol-related accident.
Discrimination & Harassment Liability Risks
Businesses should also manage exposures to religious, sex and other discrimination risks linked with the holiday season.
Businesses should critically review their scheduling and other holiday season plans and practices for potential prohibited discrimination or other insensitivity. Businesses should use care to handle carefully requests for religious-based scheduling changes, particularly in light of changes in judicial precedent and regulations in recent years. Leave policies should disclose policies for scheduling and holiday leave clearly and include appropriate, updated policies and procedures for requesting religious accommodation. Companies also should consider seeking advice from legal counsel before denying a faith-based request for a schedule change in light of the latest guidance or recent court decisions precedent.
Business-sponsored or connected holiday or year-end parties, communications, gifts, and other December festivities and observances should be designed to reflect appropriate sensitivity to sexual harassment and religious and other cultural diversity risks. Businesses should exhibit sensitivity and alert their workforce to their expectation that members of their workplace exhibit respect and sensitivity to differences in religious practices and observances among their employees, business associates and friends. Management and other workers should use care to plan social gatherings to be inclusive and to accommodate differences in cultural, religious and other differences. Businesses also should be sensitive to the potential that workers of alternative faiths may feel discriminated against if holiday observances focus unduly on a particular religion to exclude their faith. Businesses also should use care to manage other discrimination exposures in the planning of holiday festivities, gift exchanges, and other activities. Businesses also should be vigilant in watching for signs of inappropriate patterns of discrimination in the selection of employees invited to participate in company-connected social events and off-duty holiday gatherings sponsored by managers and supervisors.
A good starting point is reminding employees, business partners and customers that the company expects employees, business partners and other guests to adhere to company rules against sexual harassment, religious and cultural and other inappropriate discrimination at company-sponsored and other gatherings involving other employees or business associates. Businesses also should remind employees that the company does not expect or require that employees submit to unwelcome sexual, religious, or other inappropriate harassment or discrimination when participating in parties or other social engagements with fellow employees, customers or other business partners and of the procedures to follow to report any concerning events. Even a simple e-mail reminder to employees that the company expects them to be familiar with and comply with these policies and can help promote compliance and provide helpful evidence if an employee or other celebrant steps over the line.
To enhance the effectiveness of these reminders, a business should consider adopting and sharing specific guidance to educate workers about its policies, including examples to illustrate company-sponsored and other off-duty holiday-associated activities of particular concern.
Businesses also should recognize that whether or not company-sponsored, the fraternization inherent in holiday parties and other celebrations where employees celebrate with other employees, clients, suppliers or other business associates can lower inhibitions and obscure the line between appropriate and inappropriate social and business behavior. With or without alcohol, some employees, clients or business associates may misinterpret the festive social atmosphere of holiday celebrations. Some employees, clients or business associates make unwelcome sexual advances, make sexually suggestive or other inappropriate statements, or engage in other actions that expose the business to sexual harassment or other employment discrimination, harassment or retaliation liability. To help deter inappropriate or risky conduct, businesses should consider providing reminders that company prohibitions and rules about sexual harassment, discrimination, fraternization and other inappropriate conduct remain in effect during the holiday season, including when planning or attending holiday celebrations or other events hosted by the business, business partners and clients, and even private management sponsored events and observances.
Gift Giving, Gratuities & Social Entertainment
The exchange of social invitations, gifts and gratuities during the holiday season or at other times throughout the year also can raise various concerns. Businesses should adopt and communicate clear policies and procedures governing both giving and receiving social invitations, gifts, and other benefits. Businesses should review applicable governmental regulations, contractual requirements, and customer and vendor policies for requirements that could impact the offering, receipt, reporting or other handling of gifts, social invitations or other activities. Businesses also should design policies to ensure that they collect and retain sufficient documentation from employees, officers, consultants, customers, and vendors to monitor compliance and other legal and operational risks associated with social entertainment, gifts, and other similar benefits, to report tax deductions and income arising from these activities appropriately, and to meet other compliance obligations. Businesses should review and update current business policies affecting social entertainment, gifting and other similar activities for opportunities to promote compliance and mitigate risks.
As with other holiday observances, all gifts, gratuities and social entertainment must adhere to applicable laws, regulations and company policies regarding bribery, conflict of interest or other inappropriate inducements or rewards. Companies should implement and enforce appropriate policies for the offering and provision of and recordkeeping and reporting of these perks.
Gifts, gratuities and entertainment practices also must not discriminate inappropriately based on sex, religion or other protected status and must reflect appropriate sensitivity to potential religious, sex, race, or other protected status. A business that anticipates workplace or work-connected private festivities might include white elephant or other gift exchanges may wish to specifically include a reminder to exercise care to avoid selecting a gift that may be sexually suggestive, insensitive to religious, cultural or other differences or otherwise offensive.
Businesses also should confirm that all applicable tax implications arising from the giving or receiving of gifts are appropriately characterized, documented and reported in accordance with applicable tax, referral, conflict of interest and other requirements.
In addition to ensuring proper tax documentation and reporting, businesses also need to ensure and retain documentation of the propriety of invitations, gifts and other benefits. Social entertainment and gift-giving activities intended to show appreciation or support marketing efforts can create significant legal or relationship risks if not properly tailored to avoid regulatory or contractual prohibitions or appearances of impropriety. Government contractors, government officials, health care providers, nonprofits, public companies and an amazingly broad range of other entities often must comply with specific statutory, regulatory, contractual or ethical requirements affecting the giving or receiving of invitations, gifts or other preferences. An ill-conceived social invitation, gift, or other benefit that violates these restrictions may expose both givers and recipients to legal prosecution, program disqualification and other serious legal risks.
In addition to these externally imposed legal mandates, many businesses have established their own conflict of interest, social entertainment, gift giving or other policies to minimize the risk that employee loyalty or judgment will be comprised by gifts offered or received from business partners or other outsiders. Employees, officers and contractors of businesses maintaining these policies may face termination or other significant discipline for violating these requirements. Accordingly, businesses offering social invitations, gifts and other benefits to valued vendor or customer relationships risk must be sensitive to these organizationally imposed requirements.
Timekeeping, Performance, Attendance & Time Off
Businesses also commonly face a range of year-end timekeeping, attendance and time off, pay, compensation and productivity concerns. The winter cold and flu season and other post-celebration illnesses, vacations, and winter weather inevitably combine to fuel a rise in absenteeism and competing requests for time off during the holiday season. Improperly designed or out-of-date timekeeping and reporting, leave and attendance, investigations, privacy and other workplace policies can exacerbate management of these challenges and their costs. Further complications can arise when dealing with employees suspected of mischaracterizing the reason for their absence or otherwise gaming the company’s time off policies. Meanwhile, performance and productivity concerns also become more prevalent as workers allow holiday shopping, personal holiday preparations, and other personal distractions to distract their performance.
Managing staffing needs and tracking and administering timekeeping, overtime and other pay, paid and unpaid time off and other attendance, compensation and absence administration while maintaining compliance with legally protected or other legitimate requests for excused time off by employees can present major headaches for businesses and their management. Recent changes in federal, state and local paid and other protected leave mandates add additional traps for the unprepared. Businesses concerned with these challenges ideally will review their policies and practices to ensure their organizations have in place well-designed policies and practices concerning timekeeping, overtime and other pay, attendance and time off, productivity and performance that comply with the Fair Labor Standards Act and other compensation, timekeeping, leave, reporting, investigations, privacy and other federal, state and local laws. Businesses should exercise care when addressing productivity and attendance concerns to investigate and document their investigation before imposing discipline. Businesses also should ensure that their policies are appropriately and even-handedly administered. They also should exercise care to follow company policies, to maintain time records for non-exempt workers, to avoid inappropriately docking exempt worker pay, and to provide all required notifications and other legally mandated rights to employees taking medical, military or other legally protected leaves. In the event it becomes necessary to terminate an employee during December, careful documentation can help the business to defend this decision. The increasing prevalence of worker classification challenges by federal and state agencies and plaintiff’s attorneys also makes it important for businesses to take steps to require and preserve access to documentation be able to demonstrate compliance with these and other applicable legal obligations by staffing and other contract labor suppliers.
Timely Investigation, Notification & Reporting
Businesses faced with allegations of discrimination, sexual harassment or other misconduct or potential business liabilities arising during holiday seasons should also take steps to ensure that appropriate staffing and other arrangements to ensure their organization’s ability to promptly investigate, if necessary, take appropriate corrective action to address complaints or other concerns arising during the holiday season around management or other time off.
Delay in investigation or redress of accidents, discrimination or other concerns can increase the liability exposure of a business presented with a valid complaint and complicate the ability to defend charges that may arise against the business. Additionally, delay also increases the likelihood that a complaining party will seek the assistance of governmental officials, plaintiff’s lawyers or others outside the corporation in the redress of his concern.
If a report of an accident, act of discrimination or sexual harassment or other liability related event arises, businesses should take steps to ensure that management responsible for responding to these and other occurrences are property trained or otherwise supported to carry out these responsibilities in an appropriate, defensible manner as well as to provide timely notification as needed to any government entities, contract partners, insurers, agencies or other parties. Injuries occurring at company related functions often qualify as occupational injuries subject to worker’s compensation and occupational safety laws. Data breaches and various other events may trigger notification or other disclosure obligations to meet statutory, contractual or other requirements. Likewise, automobile, cyber, employment practices and other liability policies often require covered parties to notify the carrier promptly upon receipt of notice of an event or claim that may give rise to coverage, even though the carrier at that time may not be obligated to tender a defense or coverage at that time. Ensuring appropriate, timely response can play a critical role in promoting defensibility, mitigating liability or preserving coverage or indemnification rights.
For Help With Investigations, Policy Updates Or Other Needs
If your organization would like to learn more about the concerns discussed in this update or seeks assistance auditing, updating, administering or defending its human resources, compensation, benefits, corporate ethics and compliance practices, or other performance-related concerns, please contact management attorney and consultant Cynthia Marcotte Stamer.
An attorney Board-Certified in Labor and Employment Law by the Texas Board of Legal Specialization, Ms. Stamer’s work focuses on helping management manage performance, legal compliance and operational risks.
For more than 35 years, Ms. Stamer’s work has advised businesses and business leaders about enhancing the effectiveness and defensibility of their operations using employment and other workforce and services management, employee benefits, compensation, performance management, contracting, Federal Sentencing Guideline and other compliance and risk management, investigations, and other legal and operational tools and solutions. While helping businesses define and manage the conduct and performance of their employees, contractors and vendors, she also assists employers and others with compliance with federal and state equal employment, compensation, health and other employee benefits, workplace safety, leave, and other labor and employment, privacy and data security, and other laws, advises and defends businesses against labor and employment, employee benefit, compensation, fraud and other regulatory compliance and IRS, Department of Labor, Department of Justice, SEC, Federal Trade Commission, HUD, HHS, DOD, Departments of Insurance, Department of Health, Department of Agriculture and other federal and state regulators.
Ms. Stamer also speaks, coaches management and publishes extensively on these and other related matters.
Her work, thought leadership and scholarship on helping organizations manage people, operations and risk have earned her recognition as a Fellow in the American College of Employee Benefit Counsel, a “Top Woman Lawyer,” “Top Rated Lawyer,” and “LEGAL LEADER™” in Labor and Employment Law and Health Care Law; a “Best Lawyers” in “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law.”
For additional information about Ms. Stamer and her experience or to access other publications by Ms. Stamer see hereor contact Ms. Stamer directly.
Other Helpful Resources & Information
If you found this article of interest, you also may be interested in reviewing other Breaking News, articles and other resources like:
If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. For important information concerning this communication, click here. If you do not wish to receive these updates in the future, unsubscribe by updating your profile here.
Public support and appreciation for employer-sponsored healthcare continues to run high, according to the results of a national online survey of 1,000 people with employer-provided coverage conducted by the research firm LSG on AHIPA from July 10-19, 2024. The survey results reflect employer-provided health coverage remains an important tool for employee recruitment and retention and widespread opposition to public policy changes that would replace employer-provided coverage with government-provided benefits or tax employer-provided coverage or benefits.
AHIP commissioned the survey to understand the perceptions, priorities, and expectations of consumers with employer-provided coverage about their current coverage and benefits, employers, and public policy impacting their coverage and compare their attitudes against results of a survey conducted in April 2023. LSG reports the survey has a margin of error of +/- 3% and was balanced to national demographics for gender, age, and region. AHIP announced the results of the survey on November 13, 2024.
According to AHIP, 50% of Americans received their health coverage from employer-provided plans. The survey responses revealed:
A growing majority of consumers (75%,+12% since April 2023) are satisfied with their current employer-provided coverage.
66% (+12%) are satisfied with the current health insurance system overall
Comprehensive coverage, affordability, and choice of providers their plans provide are key factors in creating this satisfaction
71% (+12%) feel the quality of their current health plan is high
74% (+6%) prefer to get their coverage through their employer over a federal or state government program
Costs remain a top consumer concern and a leading source of plan dissatisfaction, 66% (+13%) of respondents reported that what they currently pay for their coverage overall is reasonable and helps to lower their health care costs
While unhappy with coverage costs, 63% of respondents identified the comprehensiveness of coverage as a greater priority than affordability (31%).
Benefits most valued by respondents were emergency care (65%), prescription drugs (63%), and preventive care (57%).
88% of respondents reported their health plan covers preventive
services (88%), provides access to top providers (78%), and gives them financial peace of mind if something bad were to happen (75%).
53% of respondents reported feeling employer-provided coverage is effectively meeting children’s mental health needs and 61% reported believing the need for mental health care for children will increase.
67% of respondents reported considering it important for health insurance plans to cover telehealth services
76% of respondents reported believing it’s important for the federal government to maintain the COVID-19 telehealth flexibilities for patients
The survey also reflects the continued value of employer-provided health coverage in attracting and retaining employees. Sixty-one percent of respondents said health coverage plays an impactful role in employee recruitment and 80% reported health coverage was a reason for staying in their current position. Once informed that the average company pays 70-80% of the cost of coverage, a majority of respondents (71%) reported having a more favorable impression of companies that provide their employees with health insurance benefits.
The satisfaction and support from the study reflect likely opposition by workers to changes proposed by some politicians to change the current tax treatment of employer-provided coverage to tax employee health benefits. The survey found a growing majority oppose taxing employee health benefits (58%, +6%), and an even greater majority would be less likely to vote for a lawmaker who supports taxing them (63%).
Review the complete report of survey results here.
If you have questions about health plan design, administration or defense, contact the author of this update, Cynthia Marcotte Stamer.
More Information
We hope this update is helpful. For more information about the these or other legal, management or regulatory concerns, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.
Management attorney and operations consultant Cynthia Marcotte Stamer uses a client objective oriented approach to help businesses, governments, associations and their leaders manage people, performance, risk, legislative and regulatory affairs, data, and other essential elements of their operations.
Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 35+ years of workforce and other management work, public policy leadership and advocacy, coaching, teachings, scholarship and thought leadership. As a part of this experience, Miss Stamer has experience assisting clients with auditing, compliance, investigation and defense SCA, Davis-Bacon, Fair Labor Standards Act and other pay, benefits, compensation and fringe benefit concerns.
A Fellow in the American College of Employee Benefit Counsel, Vice Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, Ms. Stamer’s work throughout her 35 year career has focused heavily on working with government contractors, health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. As an ongoing component of this work, she regularly advises, represents and defends businesses on Guideline Program and other compliance, risk management and other internal and external controls in a wide range of areas and has published and spoken extensively on these concerns.
Ms. Stamer also is widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on workforce, compensation, and other operations, risk management, compliance and regulatory and public affairs concerns.
For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.
About Solutions Law Press, Inc.™
Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here.
IMPORTANT NOTICE ABOUT THIS COMMUNICATION
If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.
NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving, and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access of this publication.
Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.
Employers, health plan sponsors and fiduciaries, health care providers and individuals concerned about prescription drug prices and access should carefully follow the rapidly accelerating battle between the Federal Trade Commission (“FTC”) and pharmacy benefit managers (“PBMs”), which threatens to reshape how pharmaceutical products are priced and sold to health plans and consumers.
At the center of the complex pharmaceutical distribution chain that delivers prescription medicines from manufacturers to patients, PBMs generally are vertically integrated organizations that simultaneously serve and regulate health plans and pharmacists and play other roles in the drug supply chain.
This vertical integration allows these six PBMs to wield enormous power and influence over health plans’ and patients’ access to drugs and the prices they pay, as well as pharmacies’ access to prescription drugs and the price and other terms under which pharmacies qualify for health plan coverage or payment for these medications.
PBMs also exert substantial influence over independent pharmacies by imposing contractual terms imposed by PBMs as a condition of accessing medications, covering the pharmacies under health plans contracted with the PBMs, or both.
Mergers and consolidations within the PBM, pharmacy and health benefit industries that brought ownership of the largest PBMs under common ownership with large insurers and retail pharmacies they purport to both manage and work has increased the already significant power of PBMs to use their integration to control these and other aspects of prescription drug availability, access, distribution, and pricing/ Consequently, the sixth largest PMBs -Caremark Rx, LLC; Express Scripts, Inc.; OptumRx, Inc.; Humana Pharmacy Solutions, Inc.; Prime Therapeutics LLC; and MedImpact Healthcare Systems, Inc. – now collectively negotiate and enforce access, coverage, pricing and other key terms and conditions governing the availability, access to, and cost of prescription drugs for hundreds of millions of Americans.
With the consolidation of ownership of large PBMs, payers and pharmacies further tightening these PBMs’ control over prescription drug distribution, pricing, and coverage and prescription drug costs continuing to rise, PBMs and their practices increasingly face scrutiny, challenges and calls for reform by employers and other plan sponsors, health care providers, independent pharmacies, the FTC and other regulators, Congress, state legislatures and regulators, consumers, and others. See Report on Pharmacy Benefit Managers: The Powerful Middlemen Inflating Drug Costs and Squeezing Main Street Pharmacies.
FTC July 2024 Interim Report On 6th Largest PBMS
In response to these and other growing concerns about consolidation, lack of transparency and other potential abuses about the PBM industry and prescription drug costs, the FTC began investigating the PBM industry in 2022. In July 2024, the FTC released its Report on Pharmacy Benefit Managers: The Powerful Middlemen Inflating Drug Costs and Squeezing Main Street Pharmacies (the “FTC Report”) that reports the FTC’s interim findings from its ongoing study of the six largest PBMs – Caremark Rx, LLC; Express Scripts, Inc.; OptumRx, Inc.; Humana Pharmacy Solutions, Inc.; Prime Therapeutics LLC; and MedImpact Healthcare Systems, Inc. use their vertical integration and concentration to inflate drug costs, squeeze Main Street pharmacies and engage in other practices harmful to patients and independent pharmacies.
The FTC Report shares interim findings based on the FTC staff’s review of more than 1,200 public comments to identify predominant areas of concern, initial submissions of internal documents and data from PBM respondents and their affiliates, interviews of various industry experts and participants and review of other public data and information. The FTC Report also discloses that certain PBMS have yet to produce the data and documents required in response to FTC orders issued more than two years ago. While stating its study continues and promising that the FTC will continue efforts to force the PBMs to produce the evidence demanded in the orders, the FTC Report also promises to share regular updates about its progress and findings.
While the investigation continues, the FTC Report shares the FTC’s interim findings that:
The market for pharmacy benefit management services has become highly concentrated, and the largest PBMs are now also vertically integrated with the nation’s largest health insurers and specialty and retail pharmacies;
As a result of this high degree of consolidation and vertical integration, the leading PBMs can now exercise significant power over Americans’ access to drugs and the prices they pay;
Vertically integrated PBMs may have the ability and incentive to prefer their own affiliated businesses, which in turn can disadvantage unaffiliated pharmacies and increase prescription drug costs;
Evidence suggests that increased concentration may give the leading PBMs the leverage to enter into complex and opaque contractual relationships that may disadvantage smaller, unaffiliated pharmacies and the patients they serve;
PBMs and brand drug manufacturers sometimes negotiate prescription drug rebates that are expressly conditioned on limiting access to potentially lower cost generic alternatives in exchange for higher rebates from the manufactures in a manner that may cut off patient access to lower-cost medicines and warrant further scrutiny by the Commission, policymakers, and industry stakeholders.
The FTC Report also shares the FTC’s concern that the six largest PBMs improperly use their integration and market control over 95 percent of all prescriptions filled in the United States:
To profit at the expense of patients and independent pharmacists;
To hike the cost of and overcharge for drugs
To squeeze independent pharmacies that many Americans—especially those in rural communities—depend on for essential care;
To wield enormous power over patients’ ability to access and afford their prescription drugs, allowing PBMs to significantly influence what drugs are available and at what price; and
To impose unfair, arbitrary, and harmful contractual terms that can impact independent pharmacies’ ability to stay in business and serve their communities.
The FTC Report concludes that PBMs’ have an “outsized influence” that comes not only from the expansion of their traditional, middlemen administrative services in processing patients’ pharmacy prescription claims but also from decades of consolidation and vertical integration across the healthcare delivery system where “the largest PBMs have come under common ownership with the largest, most dominant health insurers … [that] operate some of the largest retail, mail order, and specialty pharmacies in the country, which compete with local independent pharmacies. Given these relationships, PBMs and their affiliated entities may have the incentive and ability to engage in steering a growing share of prescription revenues to their own pharmacies through specialty drug classification, self-preferential pricing, and pharmacy contracting procedures to target and control the business operations of pharmacies. While the FTC Report principally focuses on the impact of these changing market dynamics on the operation and vitality of the nation’s pharmacies, the FTC Report also states that initial evidence about PBM and brand pharmaceutical rebating practices “urgently warrant further scrutiny and potential regulation.”
The FTC Report concludes that these interim findings underscore the importance and urgency of scrutinizing the role and influence of PBMs in the nation’s healthcare system, particularly as federal and state governments are the largest purchasers of healthcare.
Express Scripts Sues FTC Demanding Retraction Of FTC Report
Not surprisingly, the PBMs subject to the FTC Report generally have protested the reported findings. On September 17, 2024, CIGNA-owned Express Scripts sued the FTC, demanding the FTC retraction of the FTC Report. In the Express Scripts, Inc. v. FTC complaint, Express Scripts characterizes the FTC Report as “unfair, biased, erroneous, and defamatory.” In the Complaint, Express Scripts alleges:
“According to the Commission’s press release announcing the Report, the Report stems from special orders issued under Section 6(b) of the FTC Act to six PBMs, including Express Scripts, demanding data and information about the PBM industry. But the Report is not an analysis of the data and information produced by the PBMs. Instead, it is seventy-four pages of unsupported innuendo leveled against Express Scripts and other PBMs under a false and defamatory headline and accompanied by a false and defamatory press release. The Commission disregarded the millions of documents and terabytes of data produced and relied instead on unverified comments from the very companies that PBMs negotiate against in order to help lower drug costs. Not surprisingly, those entities are incentivized to point the finger at PBMs for allegedly driving drug costs up, when it is PBMs who are, in fact, bringing drug costs down.”
Charging that the FTC Report “followed prejudice and politics, not evidence or sound economics, and wrongly concluded that PBMs inflate drug costs and harm independent pharmacies” and harmed Express Scripts’ business and reputation by the FTC’s “unlawful, unconstitutional, and arbitrary and capricious conduct and defamatory statements,” the Complaint alleges that the FTC Report “gets nearly everything wrong” as a result of FTC Chair Khan’s and the FTC’s bias against PBMs and failure to consider the evidence before them. For example, the Complaint asserts:
“It falsely accuses Express Scripts and other PBMs of “controlling” access to drugs and drug pricing when it is manufacturers who set drug prices and plan sponsors who decide which drugs to cover for their members.
It attacks Express Scripts for disadvantaging independent pharmacies when the evidence produced shows that on average independent pharmacies not affiliated with PBMs receive higher reimbursements than unaffiliated chain pharmacies, independent pharmacies are profitable, and the number of prescriptions filled at independent pharmacies is increasing.
It falsely claims that Express Scripts is “profiting by inflating drug costs,” including by taking rebates from drug manufacturers in return for putting high cost drugs on formularies when, in truth, the bulk of rebates and fees received by PBMs get passed through to plan sponsors and lower the net cost of drugs to plan sponsors and members. Moreover, Express Scripts prefers drugs with the lowest net cost to its plan sponsors on its largest standard formularies.
It makes the broad-brush claim that the PBMs failed to comply with the Commission’s 2022 6(b) orders, which demanded extensive data and information for production—without identifying who the supposed offenders are—even while Express Scripts had long ago complied with the Commission’s requests, which
the Commission knew and verbally acknowledged before and after issuing its Report. It falsely states that PBMs, including Express Scripts, “profit at the expense of patients by inflating drug costs” when the evidence shows that PBMs compete for the business of plan sponsors by offering lower costs for covered drugs than their competitors. PBMs have low and declining operating margins and any PBM that sought to inflate the cost of covered drugs would quickly lose its clients.
Due to these alleged false conclusions, the Complaint charges that the FTC Report violates federal and state law several times over, including in at least the following ways:
By exhibiting bias against PBMs and prejudgment of the facts, the Report violates Express Scripts’ right to due process under the Fifth Amendment to the U.S. Constitution.
It contains (i) assertions that will predictably be and have been interpreted as conclusions adverse to all PBMs and (ii) false statements unsupported by the record that demonstrate the Commission’s failure to consider the available contrary evidence and render its decision arbitrary and capricious.
It is not in the public interest and therefore exceeds the Commission’s statutory authority under Section 6(f) of the FTC Act.
It is unlawful because Commissioners exercise executive authority while enjoying statutory removal protections in violation of Article II of the U.S. Constitution.
And the Commission’s claim both in the Report and the accompanying press release that PBMs, including Express Scripts, are “inflating drug costs” and “profit by inflating drug costs at the expense of patients,” is false and defamatory.
Claiming that Express Scripts has suffered and continues to financial, business and reputational harm by the FTC Report’s allegedly false statements about its business practices and the insinuation that Express Scripts’ successful efforts to fight for lower prices for plan including being sued in multiple lawsuits invoking the FTC Report as evidentiary support for plaintiffs’ claims and faces multiple demands for information from state regulators and federal legislative committees. Contending these harms “have only just begun and will only be compounded over time,” Express Scripts asks the District Court:
To vacate and require the FTC to set aside the FTC Report;
Make the FTC correct the false statements it has made about PBMs; and
Require the recusal of FTC Chair Khan from further FTC proceedings regarding Express Scripts in light of her evident bias against PBMs, including Express Scripts.
Regardless of how the Express Scripts lawsuit plays out, employers and other health plan sponsors, fiduciaries, third party administrators, insurers, pharmacies, health care providers and individual Americans can expect to see continued challenges and attempts to reform PBMs to address perceived abuses. The direction and specifics of those challenges and changes remain unclear. Since political pressure is likely to significantly influence the ultimate outcome of any reforms, concerned individuals and organizations should carefully monitor and provide input.
Meanwhile, employer and other health plan sponsors and fiduciaries should also anticipate that the FTC Report and similar Congressional and other studies and investigations may increasingly fuel and provide evidence to support participants’ and beneficiaries’ questions and challenges to PBM features and practices within their health plans.
More Information
We hope this update is helpful. For more information about the or other health or other employee benefits, human resources, or health care developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.
Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for her more than 35 years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications including leading edge work on PBM, pharmacy and pharmaceutical and other health care, managed care, insurance, and insured and self-insured contracting, design, administration and regulation.
Author of numerous highly regarded works on PBM and other health plan contracting and design, Immediate Past Chair of the ABA International Section Life Sciences Committee and the Tort Trial and Insurance Practice Section Medicine and Law Committee, past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and past Group Chair and current Welfare Benefit Committee Co-Chair of the ABA RPTE Employee Benefits & Other Compensation Group, Ms. Stamer is most widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on health and other privacy and data security and other health industry legal, public policy and operational concerns.
Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services, data and technology and many other other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. As a part of this work, she has continuously and extensively worked with domestic and international health plans, their sponsors, fiduciaries, administrators, and insurers; managed care and insurance organizations; third party administrators and other health benefit service providers; hospitals, health care systems and other health care providers, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; EMR, claims, payroll and other technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, self-insured health and other employee benefit plans, their sponsors, fiduciaries, administrators and service providers, insurers and other payers, health industry advocacy and other service providers and groups and other health and managed care industry clients as well as federal and state legislative, regulatory, investigatory and enforcement bodies and agencies.
She also has extensive experience helping health care systems and organizations, group and individual health care providers, health plans and insurers, health IT, life sciences and other health industry clients prevent, investigate, manage and resolve sexual assault, abuse, harassment and other organizational, provider and employee misconduct and other performance and behavior; manage Section 1557, Civil Rights Act and other discrimination and accommodation, and other regulatory, contractual and other compliance; vendors and suppliers; contracting and other terms of participation, medical billing, reimbursement, claims administration and coordination, Medicare, Medicaid, CHIP, Medicare/Medicaid Advantage, ERISA and other payers and other provider-payer relations, contracting, compliance and enforcement; Form 990 and other nonprofit and tax-exemption; fundraising, investors, joint venture, and other business partners; quality and other performance measurement, management, discipline and reporting; physician and other workforce recruiting, performance management, peer review and other investigations and discipline, wage and hour, payroll, gain-sharing and other pay-for performance and other compensation, training, outsourcing and other human resources and workforce matters; board, medical staff and other governance; strategic planning, process and quality improvement; meaningful use, EMR, HIPAA and other technology, data security and breach and other health IT and data; STARK, ant kickback, insurance, and other fraud prevention, investigation, defense and enforcement; audits, investigations, and enforcement actions; trade secrets and other intellectual property; crisis preparedness and response; internal, government and third-party licensure, credentialing, accreditation, HCQIA and other peer review and quality reporting, audits, investigations, enforcement and defense; patient relations and care; internal controls and regulatory compliance; payer-provider, provider-provider, vendor, patient, governmental and community relations; facilities, practice, products and other sales, mergers, acquisitions and other business and commercial transactions; government procurement and contracting; grants; tax-exemption and not-for-profit; privacy and data security; training; risk and change management; regulatory affairs and public policy; process, product and service improvement, development and innovation, and other legal and operational compliance and risk management, government and regulatory affairs and operations concerns. to establish, administer and defend workforce and staffing, quality, and other compliance, risk management and operational practices, policies and actions; comply with requirements; investigate and respond to Board of Medicine, Health, Nursing, Pharmacy, Chiropractic, and other licensing agencies, Department of Aging & Disability, FDA, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; JCHO and other accreditation and quality organizations; private litigation and other federal and state health care industry actions: regulatory and public policy advocacy; training and discipline; enforcement; and other strategic and operational concerns.
Author of publications on “Transparent PBM Contracting,” “ACOs, Direct Contracting: Legal & Practical Challenges For Employers, Providers & TPAs,” “The Medicare Advantage Contracting Manual,” “Third Party Administrator (TPA) Contracting Principles and Strategies and a multitude of other highly regarded publications and presentations, Stamer is widely recognized for her thought leadership on PBM and other managed care and health plan contracting and design, and a multitude of other health care, health plan and other health industry matters. In addition, Ms. Stamer contributes her time and leadership to numerous policy, professional, civil and other organizations including service as the, the American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting and a former Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.
About Solutions Law Press, Inc.™
Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here such as:
If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.
NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstance at the particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often rapidly evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. The author and Solutions Law Press, Inc. disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.
Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.
The $2.7 million settlement government contractor Insight Global LLC, (“Insight”) is paying to settle a Justice Department (“DOJ”) False Claims Act civil suit for lax cybersecurity shows government contractors now must add possible False Claims Act prosecution to the already substantial and ever-widening potential consequences all organizations and leaders when their organizations experience a cyber incident.
Supplementing the strength and reach of existing cybersecurity laws by using the False Claims Act, federal securities, employee benefit fiduciary responsibility. and other laws as tools to pressure organizations and their leaders to strengthen their cybersecurity compliance and defenses is a key component of the National Cybersecurity Strategy the Administration announced in March, 2023 to battling the ongoing pandemic of cyber incidents. As National Cybersecurity Strategy states, “Continued disruptions of critical infrastructure and thefts of personal data make clear that market forces alone have not been enough to drive broad adoption of best practices in cybersecurity and resilience. … We must hold the stewards of our data accountable for the protection of personal data; drive the development of more secure connected devices; and reshape laws that govern liability for data losses and harm caused by cybersecurity errors, software vulnerabilities, and other risks created by software and digital technologies.
The National Cyber Security Strategy goes on to warn, “We will use Federal purchasing power and grant-making to incentivize security.”
With holding businesses and their leaders accountable a key component of the Federal government’s National Cybersecurity Strategy, government contractors specifically and all businesses and their leaders generally should heed the use of the DOJ’s use of the False Claims Act as another tool in its expanding arsenal for holding businesses experiencing cyber breaches accountable as proof of their own growing imperative to manage their own cyber security and liability in response to exploding strains of cyber threats and liabilities.
Government Contractor False Claims Act Cyber Risk
DOJ’s adoption of the False Claims Act as a tool for imposing liability against government contractors experiencing a cyber breach is part of a broader effort to persuade organizations and their leaders to tighten their cyber security defenses and responses by ratcheting up the liability and other consequences organizations and their leaders face when their organizations experience a cyber incident. The False Claims Act imposes treble damages and penalties on those who knowingly and falsely claim money from the United States or knowingly fail to pay money owed to the United States.
A Civil Cyber-Fraud Initiative announced by DOJ on October 6, 2021 adds potential False Claims Act civil lawsuits by DOJ or private whistleblowers to the already significant and expanding consequences government contractors and grant holders can face for failing to fulfill requirements to properly secure protected health information or other sensitive data as required in their government contracts.
According to DOJ’s May 1, 2024 announcement, Insight will pay $2.7 million to resolve DOJ False Claims Act charges for failing to have adequate cybersecurity measures to protect health information obtained during COVID-19 contact tracing under the new of the Settlement shows DOJ is following through on its promise.
$2.7 Million Insight FCA Cyber Settlement
The $2.7 million Settlement settles a whistleblower lawsuit, United States ex rel. Seilkop v. Insight Global LLC, No. 1:21-cv-1335 (M.D. Pa.). Filed under the whistleblower provisions of the False Claims Act that permit private parties to sue on behalf of the government when they believe that defendants submitted false claims for government funds and to receive a share of any recovery, DOJ intervened in the suit. Whistleblower, Terralyn Williams Seilkop, a former Insight Global staff member who worked on the contact tracing at issue, will receive a $499,500 share of the $2.7 million settlement amount.
The lawsuit alleged the Pennsylvania Department of Health hired Insight to provide staffing for COVID-19 contact tracing and paid Insight using federal funds from the U.S. Centers for Disease Control and Prevention. Although keeping personal health information of contact tracing subjects confidential and secure was part on its contractual duties, Insight failed to secure the protected health information. Instead, DOJ claimed, for example, Insight transmitted certain personal health information and/or personally identifiable information of contact tracing subjects in the body of unencrypted emails, stored and transmitted the information using Google files not password protected, making them potentially accessible to the public via internet links and allowed staff to use shared passwords to access that information.
DOJ additionally alleged that from November 2020 through January 2021, Insight managers received complaints from Insight staff that protected health information was unsecure and potentially accessible to the public, but failed to start remediating the issue until April 2021 after deficiencies came to light.
When Insight eventually began remediating these cybersecurity breaches and deficiencies in 2021, the announcement states Insight cooperated with the DOJ investigation of the cause and scope of the incident. It also took steps to remedy cybersecurity deficiencies by strengthening internal controls and procedures, adding more data-security resources and issuing a public notice regarding the scope of the potential exposure and offering free credit monitoring and identity protection services to those affected. FOJ also reports Insight also cooperated with the United States’ investigation.
DOJ’s Insight settlement announcement warns other government contractors of DOJ’s “continuing commitment to ensure that government contractors fulfill their cybersecurity obligations.” Its announcement quotes Principal Deputy Assistant Attorney General Brian M. Boynton, head of the Justice Department’s Civil Division as stating, “The Justice Department will hold accountable those contractors who knowingly fail to satisfy cybersecurity requirements.”
Meanwhile, Special Agent in Charge Maureen R. Dixon of the Department of Health and Human Services Office of Inspector General (HHS-OIG) is quoted as stating “Contractors for the government who do not follow procedures to safeguard individuals’ personal health information will be held accountable.”
Cyber Risk Implications For Government Contractor & Other Organizations
Potential False Claims Act liability under the DOJ False Claims Act Civil Cyber-Fraud Initiative add additional liability risks for government contractors to already substantial and growing federal and state regulatory, contractual, and civil and criminal liabilities and other consequences that cyber breaches and other cybersecurity weaknesses create for business and other organizations, their health plans and their leaders. Examples of these other exposures that lax privacy, data security, data breach and other cybersecurity practice may create include:
Business operating losses from resulting operational disruptions and damages to customer, business partner, shareholder and public trust;
Federal Sentencing Guidelines organizational criminal liability arising from violations of electronic crime and other federal criminal data privacy and security laws;
Federal Trade Commission Act and state unfair business practices liability for deceiving customers about privacy practices;
Security and Exchange Commission (“SEC”) criminal and civil actions and shareholder lawsuits under the Security and Exchange Act;
Health Insurance Portability & Accountability Act civil monetary penalty and criminal exposures for health plans, health care providers, health care clearinghouses and their business associates;
Employee Benefit Security Act fiduciary liability for health fiduciaries;
Liability for violation of Fair and Accurate Transaction Act, Internal Revenue Code, or other federal privacy or confidentiality laws;
damages and other penalties and judgments arising under state identity theft, data security, privacy and other state statutory, contractual and tort laws; and
More.
These and other constantly emerging exposures show the imperative for government contractors and all other organizations and their leaders to ensure their organizations take adequate, well-documented efforts to protect their systems and data and fulfill all otherwise applicable cybersecurity rules.
With new cyber attacks and strains of cyber liability, emerging constantly, organizations, and their leaders increasingly must change the way they think about and address their own cyber security and other technology, budgets and management. The escalation of cyber incidents and risks necessitates that organizations and their leaders to treat cybersecurity as critical components of their operational and business plans and priorities.
Amid the pandemic of constantly evolving cyber threats, even the most diligent efforts to secure systems and data cannot guarantee the prevention of a breach or other cyber incident. Given this challenge, organizations and their leaders must focus both on taking meaningful steps to adequately secure their systems and data against a cyber breach or incident as well as position their organizations and leaders to defend their actions and mitigate exposures through appropriate strategic planning, documented oversight and risk assessment, monitoring and response of threats and safeguards; preparation and timely response to cyber events using attorney-client privilege and other evidentiary tools to promote the defensibility of pre-breach, breach investigation and post-breach investigation and decision-making.
As the availability of funding can radically impact the effectiveness of these and other risk mitigation efforts when a cyber incident occurs, these preparations also should incorporate insurance and other arrangements to provide for breach investigation funding and response.
If you need have questions or need assistance with this or other cybersecurity, health, benefit, payroll, investment or other data, systems or other privacy or security related risk management, compliance, enforcement or management concerns, to inquire about arranging for compliance audit or training, or need legal representation on other matters, contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.
About the Author
Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 35 plus years of cybersecurity, workforce, technology and other compliance, risk management and mitigation, incident and other investigations,regulatory and government affairs, and other strategic, operational, regulatory and legal and consulting management work for government contractors and other public and private businesses; managed care and other health and life science, insurance, technology, and other performance and data dependent organizations,
A Fellow in the American College of Employee Benefit Counsel, Co-Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee and Vice-Chair Elect of its International Employment Law Committee, Chair-Elect of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading-edge work, scholarship and thought leadership with healthcare and life sciences, employment and employee benefits, managed care and insurance, data and technology and other related industries and organizations. Known for her skill combined use of her extensive legal and operational knowledge to help these and other clients develop, operationalize and defend employment, employee benefits, compensation and other staffing and workforce; data, systems and other technology; heath benefit and other healthcare and life science, managed care and insurance; employee benefits, safety, contracting, quality assurance, compliance and risk management, and other legal, public policy and operational actions and practices. She speaks and publishes extensively on these and other related compliance issues.
Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, life sciences, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. Author of a multitude of highly regarded publications on HIPAA and other medical record and data privacy and scribe for the ABA JCEB Annual Meeting with the HHS Office of Civil Rights, her experience includes extensive involvement throughout her career in advising health care and life sciences and other clients about preventing, investigating and defending EEOC, DOJ, OFCCP and other Civil Rights Act, Section 1557 and other HHS, HUD, banking, and other federal and state discrimination investigations, audits, lawsuits and other enforcement actions as well as advocacy before Congress and regulators regarding federal and state equal opportunity, equity and other laws.
For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.
About Solutions Laws Press, Inc.™
Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here.
IMPORTANT NOTICE
If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.
NOTICE: These statements and materials are for general informational and educational purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstances at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules make it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access to this publication.
Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.
What Health Plans, Their Fiduciaries, Vendors & Sponsors Should Be Doing Now
Health plans, their fiduciaries, health plan sponsors and insurers, and their administrative and other service providers should move quickly to understand and act to mitigate the exposures likely to arise under the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules, the claims, notice and fiduciary responsibilities under the Employee Retirement Income Security Act of 1974 (ERISA), state contract, prompt pay and other duties to health care providers or other responsibilities in response to disruptions created by the Blackcat1234 ransomware attack (CH/UHG Attack) experienced by UnitedHealthcare Group (UHG) subsidiary Change Healthcare.
Change Healthcare Ransomware Attack
On February 21, 2024, a ransomware attack executed by the Blackcat1234 ransomware group took control of and shut down the payment, revenue cycle management and related tools and systems of UHG Subsidiary Change Healthcare. Well-known for stealing sensitive data and demanding ransom for not publishing it, and other public and private cybersecurity monitoring and tracking organizations have warned heath care and other system operators to guard against Blackcat1234 and related ransomware attack risks since at least 2022. See, e.g., #StopRansomware: ALPHV Blackcat | CISA.
The Change Health shutdown resulting from the Blackcat1234 ransomware attack has created widespread disruptions to key care authorization, billing and other pharmacy, provider and other plan and provider transactions within health care and health benefit systems nationwide due to the widespread use of the Change Health tools.
Due to the widespread use of the Change Healthcare tools and systems as a financial clearinghouse for connecting pharmacy benefit managers, health care providers, and other key plays and health plans throughout the health care and health benefits industry, the attack has and continues to disrupt key billing, care-authorization, payment and other transactions between health plans, health care payers and pharmacies, physicians and other health care providers and health care payers and their partners across the health care industry.
As UHG has worked to recover from the Change Health attack, the resulting shutdown and disruption to electronic payment and medical claims systems incorporating the compromised Change Healthcare tools create various legal and operational headaches for many health plans and other health care payers by preventing or obstructing the submission and processing of health care claims and other transactions between health care providers and health plans. While UHG works to remediate and restore the operability and security of the Choice Health tools and systems, health plans, and insurers, their fiduciaries, plan sponsors, and fiduciaries should take timely and prudent steps in response to the breach and resulting disruptions to mitigate the exposure of their health plans, and themselves under HIPAA and ERISA.
While most health care providers and health plans expect Change Health and other UHG entities to face potential data breach and breach notification responsibilities and liabilities under HIPAA and other federal and state data privacy and cybersecurity laws, many health plan fiduciaries, sponsors, insurers, and administrative or other service providers have given limited consideration to how the February 21, 2024, cyber event impacted their HIPAA responsibilities and exposures. Guidance published by the U.S. Department of Health and Human Services Office for Civil Rights (OCR) on March 13, 2023, alerts health plans and health insurers, their fiduciaries and plan sponsors, health care providers, health care clearinghouses, and their business associates (covered entities) against overlooking their own potential HIPAA responsibilities arising from the February 21 Choice Health attack or other similar events.
HIPAA requires covered entities and their business associates to protect the privacy and security of protected health information, to have and enforce HIPAA-compliant business associate agreements, to conduct timely documented risk assessments in response to known or foreseeable security threats, and to provide notice of a breach to OCR, affected individuals and for breaches affecting more than 500 individuals.
Under the HIPAA Security Rule, covered entities must conduct documented risk assessments to evaluate and monitor their electronic personal health information (EPHI) and associated systems for potential breaches and other threats that expose EPHA to unauthorized use, access, disclosure, destruction or other compromise.
To fulfill this requirement, the Security Rule requires covered entities and business associates to conduct documented risk assessments impacting their EPHI and to update these risk assessments in response to internal or external events impacting the adequacy of their risk assessments or security safeguards.
While the responsibility of covered entities and business associates to protect EPHI against unauthorized use, access and disclosure from cybercriminals and others receives the most attention, the Security Rule also includes often less discussed responsibility to protect EPHI and related operating systems against destruction or other disruptions from a wide range of threats including ransomware attacks.
OCR guidance makes clear that OCR views safeguarding EPHI against ransomware and other cybersecurity threats as encompassed in this duty. As part of these efforts, OCR and other cybersecurity agencies have recommended among other things that covered entities and business associates:
Routinely take inventory of assets and data to identify authorized and unauthorized devices and software;
Prioritize remediation of known exploited vulnerabilities’
Enable and enforce multifactor authentication with strong passwords;
Close unused ports and remove applications not deemed necessary for day-to-day operations.
Furthermore, when a breach of results in an unauthorized use, access, disclosure or destruction of EPHI, the HIPAA Breach Notification Rule requires covered entities and their business associates to provide timely notification of the breach to subjects of the breached EPHI and OCR, and if the breach affects more than 500 subjects, to the media. Concurrently, the HIPAA Security Rule requires health plans and other covered entities to evaluate through documented risk assessments and take appropriate timely action to update their EPHI security as necessary to respond to breaches, potential breaches and other evolving threats to their EPHI and related systems.
On March 13, 2024, the Office of Civil Rights (OCR) released a “Dear Colleague letter” that warns the February 21, 2024 CH/UHG data breach is likely to trigger HIPAA obligations and investigations for Choice Health and UHG as well as other HIPAA-covered health plans, heath care providers, heath care clearinghouses and business associates. While stating the investigation currently focuses on Change Healthcare and UHC, for instance, the Dear Colleague Letter warns that OCR anticipates that its response to the February 21, 2024 CH/UHG Attack eventually also will include “secondary” investigations of other health plans, health care providers, health care clearinghouses and business associates “tied to or impacted by this attack.”
In light of these anticipated secondary investigations, OCR’s Dear Colleague letter warns health plans, health care providers, health care clearinghouses, business associates to ensure they timely and properly handle their own potential HIPAA responsibilities arising from the CH/UHG Attack. The Dear Colleague letter expressly alerts health plans, health care providers and other covered entities and business associates “that have partnered with Change Healthcare and UHG” in anticipation of OCR’s expected secondary investigations to ensure that their own ability to demonstrate their organization meet all required HIPAA responsibilities including that:
All required “business associate agreements are in place;
All required breach notifications are provided to HHS, affected persons and in the event of a large breach affecting more than 500 individuals, to the media; and
All security and other HIPAA responsibilities are met.
The Dear Colleague Letter also directed covered entities and their business associates to the following previously released OCR resources for assistance in understanding their responsibilities for guarding EPHI against ransomware and other cybersecurity threats:
The OCR HIPAA Security Rule Guidance Material webpage;
OCR Video on How the HIPAA Security Rule Protects Against Cyberattacks;
OCR Webinar on HIPAA Security Rule Risk Analysis Requirement;
HHS Security Risk Assessment Tool;
Factsheet: Ransomware and HIPAA; and
Healthcare and Public Health (HPH) Cybersecurity Performance Goals.
Standing alone, the Dear Colleague Letter makes clear that all covered entities partnered with or impacted by disruptions from the CH/UHG attack need to take documented steps to reevaluate and tighten the adequacy of their existing security safeguards as well as their processes for monitoring and responding to evolving ransomware and other cybersecurity threats in anticipation of becoming the target of potential “secondary” OCR investigations arising from the CH/UHG Attack.
While the Dear Colleague Letter specifically references covered entities and business associates “partnered” with Choice Health, OCR’s previously issued guidance warning all covered entities and their business associates to safeguard their EPHI against ransomware and other cybersecurity threats, strongly suggest that all covered entities and business associates should consider the advisability of reevaluating the adequacy of their own EPHI safeguards in light of the heightened ransomware and other cyber threat illustrated by the CH/UHG Attack. Consequently, all covered entities and business associates partnered with or impacted by the CH/UHG Attack or its resulting distributions specifically, as well as covered entities and business associates generally should work with experienced legal counsel to conduct documented risk assessments of their systems, exposures, responsibilities and risks taking into account these developments as soon as possible in anticipation of complaint or audit driven investigations arising from the Choice Health and other malware events and threats.
ERISA-Covered Health Plan Data Security & Breach Related Fiduciary Duties
In addition to any applicable HIPAA responsibilities, fiduciaries and sponsors of employer or union sponsored health plans subject to the Employee Retirement Income Security Act (ERISA) also should consider whether the CH/UHG Attack or the heightened ransomware and other cyber security threats any additional actions are prudently necessary to protect the health plan data, assets or operations.
ERISA generally requires individuals or entities named as fiduciaries or otherwise possessing functional discretionary authority or responsibility or authority over a plan or its assets (fiduciaries) to act prudently to protect and administer the plan and its assets. Department of Labor Employee Benefit Security Administration (EBSA) guidance published in April, 2021 first officially confirmed its interpretation of ERISA’s duty of prudence as including a duty to utilize prudent cybersecurity safeguards. Since EBSA published this cybersecurity guidance EBSA also has also added cybersecurity inquiries to its plan fiduciary audits. As a result, in addition to complying with HIPAA, ERISA-covered health plan fiduciaries and sponsors also should be prepared to demonstrate plan fiduciaries acted prudently to comply with HIPAA as well as the following actions to safeguard health and other employee benefit plan data and systems against cybersecurity threats:
Tips for Hiring a Service Provider: Helps plan sponsors and fiduciaries prudently select a service provider with strong cybersecurity practices and monitor their activities, as ERISA requires.
Online Security Tips: Offers plan participants and beneficiaries who check their retirement accounts online basic rules to reduce the risk of fraud and loss.
In light of this OCR and EBSA guidance, health plan sponsors, fiduciaries and vendors and other HIPAA covered entities and business associates are urged to take documented steps to audit and strengthen as needed their safeguards against hacking and other cybersecurity threats including:
In the case of any health plan or health plan vendor, taking well documented steps to assess and tighten as necessary their health plan systems and data security to meet or exceed the recommendation outlined in the EBSA cybersecurity guidance or otherwise necessary to prudently guard their plans and plan data and systems against cybersecurity threats.
Reviewing and monitoring on a documented, ongoing basis the adequacy and susceptibilities of existing practices, policies, safeguards of their own organizations, as well as their business associates and their vendors within the scope of attorney-client privilege taking into consideration data available from OCR, data regarding known or potential susceptibilities within their own operations as well as in the media, and other developments to determine if additional steps are necessary or advisable.
Updating policies, privacy and other notices, practices, procedures, training and other practices as needed to promote compliance and defensibility.
Renegotiating and enhancing service provider agreements to detail the specific compliance, audit, oversight and reporting rights, workforce and vendor credentialing and access control, indemnification, insurance, cooperation and other rights and responsibilities of all entities and individuals that use, access or disclose, or provide systems, software or other services or tools that could impact on security; to clarify the respective rights, procedures and responsibilities of each party in regards to compliance audits, investigation, breach reporting, and mitigation; and other relevant matters.
Verifying and tightening technological and other tracking, documentation and safeguards and controls to the use, access and disclosure of protected health information and systems.
Conducting well-documented training as necessary to ensure that members of the workforce of each covered entity and business associate understand and are prepared to comply with the expanded requirements of HIPAA, understand their responsibilities and appropriate procedures for reporting and investigating potential breaches or other compliance concerns, and understand as well as are prepared to follow appropriate procedures for reporting and responding to suspected violations or other indicia of potential security concerns.
Tracking and reviewing on a systemized, well-documented basis actual and near miss security threats to evaluate, document decision-making and make timely adjustments to policies, practices, training, safeguards and other compliance components as necessary to identify and resolve risks.
Establishing and providing well-documented monitoring of compliance that includes board level oversight and reporting at least quarterly and sooner in response to potential threat indicators.
Establishing and providing well-documented timely investigation and redress of reported violations or other compliance concerns.
Establishing contingency plans for responding in the event of a breach.
Establishing a well-documented process for monitoring and updating policies, practices and other efforts in response to changes in risks, practices and requirements.
Preparing and maintaining a well-documented record of compliance, risk, investigation and other security activities.
Pursuing other appropriate strategies to enhance the covered entity’s ability to demonstrate its compliance commitment both on paper and in operation.
Because susceptibilities in systems, software and other vendors of business associates, covered entities and their business associates should use care to assess and manage business associate and other vendor associated risks and compliance as well as tighten business associate and other service agreements to promote the improved cooperation, coordination, management and oversight required to comply with the new breach notification and other HIPAA requirements by specifically mapping out these details.
Furthermore, while the preemption provisions of ERISA generally insulate health plans and their sponsors from responsibility or liability for complying with state insurance, data security, breach notification or other state law cybersecurity and cyber breach and breach notification laws and rules, health insurers and other health plan service providers generally remain subject to these state law requirements. Consequently, health insurers, administrative service providers and other health plan vendors also should act promptly to evaluate and ensure their fulfillment of all applicable cybersecurity and data breach mandates under relevant state law.
Leaders of covered entities or their business associates also are cautioned that while HIPAA itself does not generally create any private right of action for victims of breach under HIPAA, breaches may create substantial liability for their organizations or increasingly, organizational leaders under state data privacy and breach, negligence or other statutory or common laws. In addition, physicians and other licensed parties may face professional discipline or other professional liability for breaches violating statutory or ethical standards. Meanwhile, the Securities and Exchange Commission has indicated that it plans to pursue enforcement against leaders of public health care or other companies that fail to use appropriate care to ensure their organizations comply with privacy and data security obligations and the Employee Benefit Security Administration recently has issued guidance recognizing prudent data security practices as part of the fiduciary obligations of health plans and their fiduciaries.
Finally, health plans and other covered entities are reminded that appropriate strategic planning and use of attorney-client privilege and other evidentiary tools can critically impact the defensibility of pre-breach, breach investigation and post-breach investigation and decision-making. Because HIPAA, EBSA and other rules typically require prompt investigation and response to known or suspected hacking or other cybersecurity threats, health plans and other covered entities or business associates should seek the assistance of experienced legal counsel to advise and assist in these activities to understand the potential availability and proper use of these and other evidentiary rules as part of the compliance planning process as well as to prepare for appropriate use in the event of a known or suspected incident to avoid unintentional compromise of these protections.
ERISA & Other Risks From Untimely Timely Acceptance & Processing of Health Plan Eligibility & Benefit Provisions
Since Change Health shut down its tools and systems CH/UHG Attack has created and continues to cause nationwide disruptions in the ability of pharmacy, physician and other health care providers to submit, and health plans and insurers to receive and process a wide range of health care billing, claims and other transactions because of the widespread integration and use of Choice Health tools in systems health care providers and payers use for the submission, receipt, and processing of health care provider eligibility, billing and other health benefits.
Along with the liabilities and headaches that the ransomware attack and resulting disruptions create for Choice Healthcare and UHG, delays and other disruptions in the handling of health benefit eligibility, claims processing, notifications and payment by health plans and their administrative services providers arising from can create a host of additional liability headaches health plans, health insurers, their fiduciaries and administrative services providers in addition to those arising directly from the HIPAA and other cybersecurity breach itself.
For ERISA-covered health plans, ERISA generally holds health plans and their fiduciaries accountable for the prudent, timely administration of health plan eligibility, claims and other administrative functions in accordance with the terms of the plan and within the applicable time frames and other requirements of ERISA’s reasonable claims procedure and adverse benefit determination rules. Health plans and their ERISA plan administrators generally must receive and process claims transactions required by the adverse claim determination regulations and provide participants or beneficiaries with detailed written notifications for any claims not processed and paid within the relevant 72-hour, 15-day or 30-day time period specified by the adverse claim determination rules. Noncompliance with these requirements both undermines the defensibility of the health plan’s denial of coverage and subjects the plan administrator to liability for EBSA penalties and/or discretionary awards of penalties plus attorneys’ fees and other costs of enforcement to plan participants or beneficiaries for failures to deliver timely notification of the denial. To the extent that EBSA or a court determines that the failure to timely and appropriately process and pay benefits resulted from a lack of prudence or other breach of ERISA fiduciary duties, fiduciaries are at risk for incurring personal liability for actual damages to the plan or its participants plus attorneys’ fees and other costs of enforcement; EBSA penalties for engaging in a breach of fiduciary duty under ERISA section 502(l); or both.
Beyond these ERISA-related risks, delays in processing and payment of health care provider claims also create potential additional liability for health insurers, health plans and their administrators to the extent the disruptions prevent the timely payment and processing of health benefit claims in violation of health care provider rights under managed care or other provider contracts, prompt pay and surprise billing or other provider legal rights. Unlike member claims assigned to providers, ERISA generally does not preempt these nonderivative provider rights and claims or the additional state law damages, penalties or other remedies arising under state law against health insurers, health plans and plan administrators found to violate these rules. Consequently, delays in payments to providers also could substantially increase the costs and liabilities that health insurers, health plans, their fiduciaries, administrators, and employers and other sponsors obligated under the plan terms or vendor contracts to pay these costs.
In light of these and other potential risks, health insurers and health plans, their employer, union and other sponsors, fiduciaries, administrative services providers and other vendors should act quickly to investigate and ensure proper management of the fallout from the CH/UHG Attack and the heightened ransomware and other cybersecurity threats it represents.
Along with working with qualified legal counsel to address the potential HIPAA, ERISA and other responsibilities the health plan or insurer, its fiduciaries, service providers and sponsor bear from the CH/UHG Attack and other cyber risks, most parties also will want to evaluate obligations to notify cybersecurity and other liability insurers, seek indemnification from Choice Healthcare, UHG or other potentially culpable parties and evaluate other sensitive data and strategies for mitigation of their health plan and their own resulting liabilities, costs and other consequences.
If you need have questions or need assistance with this or other cybersecurity, health, benefit, payroll, investment or other data, systems or other privacy or security related risk management, compliance, enforcement or management concerns, to inquire about arranging for compliance audit or training, or need legal representation on other matters, contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.
About the Author
Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 35 plus years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.
A Fellow in the American College of Employee Benefit Counsel, Co-Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee and Vice-Chair Elect of its International Employment Law Committee, Chair-Elect of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading-edge work, scholarship and thought leadership on heath benefit and other healthcare and life science, managed care and insurance and other workforce and staffing, employee benefits, safety, contracting, quality assurance, compliance and risk management, and other legal, public policy and operational concerns in the healthcare and life sciences, employee benefits, managed care and insurance, technology and other related industries. She speaks and publishes extensively on these and other related compliance issues.
Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, life sciences, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. Author of a multitude of highly regarded publications on HIPAA and other medical record and data privacy and scribe for the ABA JCEB Annual Meeting with the HHS Office of Civil Rights, her experience includes extensive involvement throughout her career in advising health care and life sciences and other clients about preventing, investigating and defending EEOC, DOJ, OFCCP and other Civil Rights Act, Section 1557 and other HHS, HUD, banking, and other federal and state discrimination investigations, audits, lawsuits and other enforcement actions as well as advocacy before Congress and regulators regarding federal and state equal opportunity, equity and other laws.
For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.
About Solutions Laws Press, Inc.™
Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here, such as:
If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.
NOTICE: These statements and materials are for general informational and educational purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstances at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules make it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access to this publication.
Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.
Health plans, health care providers and health care clearinghouses (“Covered Entities”) treat the Department of Health and Human Service Office of Civil Right (“OCR”) announcement of its 46th enforcement action under the Health Insurance Portability & Accountability Act (“HIPAA”) Right of Access Rule as a warning to confirm their own organization’s timely delivery of records and other compliance with the Rule. Coupled with OCR’s Right of Access Rule settlement agreement with United Health Insurance Group last August, the latest settlement agreement sends a strong message to health plans and other Covered Entities about the risks of failing to deliver protected health information as required by the Right of Access Rule.
HIPAA Right of Access Rule
The HIPAA Right of Access Rule guarantees individuals the right to access a broad array of health information about themselves maintained by or for health plans and other Covered Entities. Under the Right of Access Rule, Covered Entities generally must provide individuals or their personal representatives copies or other acceptable access to the individual’s protected health information in a Covered Entity’s “designated record set” for a reasonable cost as soon as possible and within 30 days of receiving a request for a reasonable cost. However, the Right of Access Rule does not grant any right for an individual to access protected health information that is not part of a designated record set because the information is not used to make decisions about individuals.
The request for protected health information triggering the duty for a Covered Entity to provide access to the protected health information may come from the individual who is the subject of the protected health information or from the “personal representative” of that individual. When considering a request for protected health information from an individual other than the subject of the protected health information, health plans and other Covered Entities also must use care to verify that the requesting party, in fact, qualifies as the individual’s “personal representative” as defined for purposes of HIPAA.
Once a health plan or other Covered Entity receives a request protected health information from the individual or his personal representative, the Right of Access Rule requires the Covered Entity to provide access to all requested protected health information within any “designated record set” within 30 days unless the requested information falls within one of two exceptions to the Rule.
For this purpose, a “designated record set” generally is defined at 45 CFR 164.501 as any item, collection, or grouping of information that includes protected health information that is maintained, collected, used, or disseminated by or for a Covered Entity that comprises the:
Medical records and billing records about individuals maintained by or for a covered health care provider;
Enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
Other records that are used, in whole or in part, by or for the covered entity to make decisions about individuals. This last category includes records that are used to make decisions about any individuals, whether or not the records have been used to make a decision about the particular individual requesting access.
However, the Right of Access Rule only requires the delivery of protected health information that is part of a designated record set. It does not require health plans or other Covered Entities to provide protected health information that the Covered Entity does not use to make decisions about the individual, since this information is not considered part of a designated record set. Examples of such records of protected health information might include protected health information in certain quality assessment or improvement records, patient safety activity records, or business planning, development, and management records the Covered Entity uses for business decisions more generally rather than to make decisions about the subject individual. Before refusing to provide information not part of a designated record set, however, the health plan or other Covered Entity does not also use or possess that information for making decisions about the subject individual or that disclosure is not otherwise required under another law. For example, even if the Right of Access Rule does not require disclosure of protected health information because it is not considered part of a designated record set, a health plan still be required to disclose the record if required by the adverse benefit determination rules of the Patient Protection and Affordable Care Act (“ACA”), claims and appeals rules of the Employee Retirement Income Security Act or other applicable law, regulation or another law.
Even where the information falls within the definition of a designated record set, however, HIPAA expressly excludes two categories of information from the Right of Access right:
Psychotherapy notes, which are the personal notes of a mental health care provider documenting or analyzing the contents of a counseling session maintained separately from the rest of the patient’s medical record as described in 45 CFR 164.524(a)(1)(i) and 164.501.
Information complied in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding described under 45 CFR 164.524(a)(1)(ii).
However, it is critical that Covered Entities not overestimate the reach of either of these two exceptions. The exception only applies to the narrow range of records meeting the requirements of the exception. The underlying protected health information from the individual’s medical or payment records or other records used to generate the above types of excluded records or information remains part of the designated record set and is subject to access by the individual under the Right of Access Rule. Providers and other Covered Entities should use care to comply with the Right of Access Rule without providing more information than allowed as HIPAA liability can arise from failing to timely deliver access to all protected health information required by the Right of Access Rule or from sharing protected health information with an individual who is not either the individual or personal representative when the disclosure otherwise is not allowed by HIPAA To help negotiate these requirements, Covered Entities should become familiar with and process all requests for protected health information following the latest Right of Access Rule guidance. When in doubt, Covered Entities should seek the advice of experienced legal counsel within the scope of attorney-client privilege about proper fulfillment of their obligations under the Right of Access Rule in coordination with any other applicable responsibilities the Covered Entities has to provide access, disclose, or prevent disclosure of the requested information under otherwise applicable federal or states laws and regulations, ethical or other professional standards, contractual or other medical, insurance, financial, employee benefit or other rules relating to the requested records.
Optum Settlement 46th Right Of Access Enforcement Settlement
The Optum settlement resulted from OCR’s investigation of six complaints in the Fall of 2021 that Optum violated the Right of Access Rule by failing to provide timely access to medical records when requested by an adult patient or by the parents of minor patients.
In February 2022, OCR initiated investigations of these Right of Access complaints. The investigation revealed that patients received their requested records between 84 and 231 days after submitting their respective requests. Since the Right of Access Rule requires that Covered Entities deliver the records no later than 30 days from receiving the individual’s requests, those timeframes fell well outside of the deadline for delivery required by the HIPAA Right of Access Rule. Accordingly, OCR concluded that Optum’s failure to provide timely access to the requested medical records was a potential violation of HIPAA.
Under the Resolution Agreement reached with Optum, Optum agreed to pay $160,000 to OCR as well as implement a corrective action plan that requires workforce training, reporting records requests to OCR, and reviewing and revising as necessary its right of access policies and procedures to provide timely responses to requests. Under the plan, OCR will monitor Optum Medical Care for one year.
Right Of Access Remains OCR Investigation & Enforcement Priority
While health care providers are the most common target of OCR’s Right Of Access complaints and enforcement, OCR’s August, 2023 Right of Access settlement against United Health Insurance Group (“UHIG”) confirms health plans also are targets. That settlement arose from OCR’s investigation of a March 2021 complaint alleging that UHIC did not respond to an individual’s request for a copy of their medical record. The investigation showed the individual first requested a copy of their records on January 7, 2021, but did not receive the records until July 2021, after OCR initiated its investigation. Movrover, the March, 2021 complaint was the third complaint OCR received from the complainant against UHIC alleging failures to respond to his right of access. These findings led OCR to conclude UHIC’s failure to provide timely access to the requested medical records was a potential violation of the HIPAA right of access provision. In OCR’s announcement of UHIG’s agreement to pay $80,000 to resolve these potential charges, OCR Director, Melanie Fontes Rainer warned, “Health insurers are not exempt from the right of access and must ensure that they are taking steps to train their workforce to ensure that they are doing all they can to help members’ access to health information.” See, UnitedHealthcare Pays $80,000 Settlement to HHS to Resolve HIPAA Matter over Patient Medical Records Request.
Manage Right of Access Rule Exposure
Despite OCR’s warnings about the responsibility to comply with the Right of Access Rule, many health plans and other Covered Entities continue to violate the Rule. OCR has and continues to receive thousands of Right of Access Rule complaints each year. In response to these persistent compliance issues, OCR continues to make enforcement of the Right of Access Rule a key enforcement priority through its Right Of Access Initiative.
In light of OCR’s commitment to continue to investigate and enforce compliance with the Right of Access Rule, health care providers and other Covered Entities and their business associates are urged to review their existing practices for receiving and processing patient record requests to confirm their own organizations’ compliance with the Right of Access Rule and other applicable federal and state statutory regulatory and contractual requirements. To reduce risks of violations, all health care providers and other Covered Entities should seek assistance from experienced legal counsel within the scope of attorney-client privilege to audit their past and current Right of Access Rule compliance for any necessary or advisable steps to prevent future violations and mitigate potential liabilities arising from potential past or future violations of the Right of Access Rule. Aside from confirming documented timely responses to past requests for protected health information, among other things, most Covered Entities will want to consider:
Verifying that their current policies, privacy practices notices, training and other materials are updated to comply with all applicable policies and properly identify and provide current contact information for the Privacy Officer or other party responsible for receiving and responding to protected health information requests;
Appropriate procedures are in place to ensure that the Covered Entity can produce required documentation showing the individuals are appropriately notified of the Right of Access and other HIPAA rules, and that the Covered Entity captures the necessary documentation to show its receipt of all requests, and timely investigation and response to such requests;
Appropriate and documented processes for collecting, investigating, or resolving any potential concerns, complaints, or other issues, their evaluation, and resolution;
Appropriate workforce, business associates, and other policies, training, oversight, and enforcement to require and enforce compliance with applicable laws and policies; and
Appropriate processes, procedures, and training to ensure that staff fully understands and complies with both the specific processes and procedures of the Covered Entity for complying with the Right of Access Rule, as well as related procedures necessary to manage risks and responsibilities arising under verification of identity, personal representative, disclosure, recordkeeping or other HIPAA’ rules; medical, insurance, financial, or other data or privacy; licensure and market conduct; civil rights and nondiscrimination; fiduciary; licensure; marketing or other rules.
Aside from the direct exposures for these and other HIPAA violations arising under HIPAA, health plans, their fiduciaries, insurers, plan sponsors and administrators should keep in mind that the Employee Benefit Security Administration views potential data breaches and other HIPAA violations as a potential source of fiduciary liability under the Employee Retirement Income Security Act.
While involving outside consultants or other service providers generally is valuable if not required to conduct some of these tasks, Covered Entities are encouraged to use experienced outside legal counsel to help plan, conduct, evaluate and decide, and implement responses to findings from these compliance and risk management activities both to benefit from legal counsel’s substantive legal expertise and experience and to take advantage of the opportunity to conduct sensitive discussions within the protection of attorney-client privilege or other evidentiary rules. Experienced outside legal counsel can guide Covered Entities about the best way to work with consulting and other vendors to maximize these benefits. Where legal advice is provided to health plan fiduciaries, health plans, their fiduciaries, insurers, sponsors, and service providers also should keep in mind that advice and work product performed on behalf of a health plan or plan fiduciary may not enjoy the same protection against discovery under attorney-client privilege and work product rules.
For More Information
We hope this update is helpful. For more information about these or other health or other legal, management, or public policy developments, please get in touch with the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.
If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.
About the Author
Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 35 plus years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.
A Fellow in the American College of Employee Benefit Counsel, Co-Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee and Vice-Chair Elect of its International Employment Law Committee, Chair-Elect of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading-edge work, scholarship and thought leadership on heath benefit and other healthcare and life science, managed care and insurance and other workforce and staffing, employee benefits, safety, contracting, quality assurance, compliance and risk management, and other legal, public policy and operational concerns in the healthcare and life sciences, employee benefits, managed care and insurance, technology and other related industries. She speaks and publishes extensively on these and other related compliance issues.
Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, life sciences, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. Author of a multitude of highly regarded publications on HIPAA and other medical record and data privacy and scribe for the ABA JCEB Annual Meeting with the HHS Office of Civil Rights, her experience includes extensive involvement throughout her career in advising health care and life sciences and other clients about preventing, investigating and defending EEOC, DOJ, OFCCP and other Civil Rights Act, Section 1557 and other HHS, HUD, banking, and other federal and state discrimination investigations, audits, lawsuits and other enforcement actions as well as advocacy before Congress and regulators regarding federal and state equal opportunity, equity and other laws.
For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.
About Solutions Law Press, Inc.™
Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here, such as:
If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.
NOTICE: These statements and materials are for general informational and educational purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstances at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules make it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access to this publication.
Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.
$115 is the fee that health plans participating in the Independent Dispute Resolution (“IDR”) process required by the No Surprises Act (the “NSA”) to resolve disputes with health care providers, facilities, and providers of air ambulance services (“providers”) over the amount the health plan will pay the provider for out-of-network health care or items for because the health plan and provider cannot reach agreement about the appropriate amount outside the IDR process will be required to pay disputes initiated on or after February 21, 2023 under a new final rule scheduled for publication by the of Health and Human Services (“HHS”), Labor (“DOL”) and Treasury (“Treasury”) (collectively the “Departments”) on December 21, 2023.
The Departments establishment of the IDR fee for post-February 20, 2025 disputes and their previous December 15, 2023 announcement of the full reopening of the IDR portal for all dispute categories are part of the Departments’ ongoing response to the August 3, 2023 Federal District court ruling in Texas Medical Association, et al. v. U.S. Department of Health & Human Services, et al., No. 6:23-cv-00059-JDK (TMA IV), which vacated portions of the previous guidance that the Departments previously adopted to establish the IDR process and the administrative fee amount for the Federal IDR process for disputes initiated during the calendar year beginning January 1, 2023.
Post February 22, 2024 IDR Fees
On December 18, 2023, the Departments released an advance copy of the final rule (the “Rule”) setting the fees the NSA requires both the health plan or issuer and a health care provider, facility, or air ambulance services provider (the “parties”) when the parties must use the NSA Federal Independent Dispute Resolution (IDR) process to set the amount a health plan must pay the provider for out-of-network medical care or items because the plan and provider cannot agree on an appropriate payment amount for disputes initiated on or after the date the Rule is published in the Federal Register. Since the Rule is scheduled for publication in the Federal Register on December 21, 2023, the new fee will apply to disputes initiated after February 20, 2023.
In response to the TMA IV ruling, the Rule amends existing regulations to provide that the Departments going forward will determine the administrative fee charged by the Departments to participate in the Federal IDR process, and the ranges for certified IDR entity fees for single and batched determinations, through annual notice and comment rulemaking, rather than in guidance published annually. The preamble to the final rule also sets forth the methodology used to calculate the administrative fee and the considerations used to develop the certified IDR entity fee ranges.
Following this new process, the Rule also finalizes an administrative fee amount of $115 per party and finalizes a certified IDR entity fee range of $200-$840 for single determinations and $268-$1,173 for batched determinations for disputes initiated on or after February 21, 2023.
Interested parties can review the Rule here and the Departments Fact Sheet on the Rule here.
IDR Portal Reopened December 15, 2023
The Rule establishing the IDR fee for disputes initiated after February 20, 2024 follows the Departments’ December 15, 2023 announcement of their reopening of the IDR portal for processing all health benefit disputes covered by the NSA between providers and payers.
As part of its provisions to protect patients from “surprise bills” or out-of-network services covered by the NSA, the NSA establishes rules and procedures for providers and payers to determine the appropriate out-of-network payment rate for out-of-network services received by patients enrolled in covered payer programs. Where payers and providers cannot agree about the appropriate payment rate using other NSA procedures, the IDR portal is the online system established under the NSA for disputing payers and health care providers arrange for a certified IDR entity to resolve disagreements about the appropriate out-of-network payment rate for items and services subject to the surprise billing protections in the NSA through a process in which the certified IDR entity reviews offers made by each disputing party along with supporting information about the dispute. Once established under the NSA, payers are required to pay providers the appropriate payment rate for the covered out-of-network services provided to the member patient and the provider is prohibited from balance billing charges in excess of the appropriate payment rate for those services. The Departments previously suspended the operation of the IDR portal earlier this year after a federal court ruled that rules adopted by the Departments implementing the NSA violated the NSA.
In connection with the reopening of the IDR Portal, the Departments also announced the following extensions of the applicable IDR deadlines for the initiation of new batched disputes and new single disputes involving air ambulance services, resubmission of disputes determined by certified IDR entities to be improperly batched, and selection or reselection of a certified IDR entity.
Parties for whom the IDR initiation deadline under applicable regulations fell on any date between August 3, 2023 and December 15, 2023 will have until the 20th business day after the Federal IDR portal reopens, which is January 16, 2024, to initiate a new batched dispute or a new single dispute involving air ambulance services. Parties for whom the IDR initiation deadline falls between December 16, 2023 and January 15, 2024 will also have until January 16, 2024 to initiate a batched or air ambulance dispute. Parties whose initiation deadline falls on January 16, 2024 or after will have the usual 4 business days after the end of the Open Negotiation Period, or if the dispute is subject to the 90-calendar-day suspension period following a payment determination, the usual 30 business day period, to initiate a batched or air ambulance dispute in the Federal IDR portal.
For batched disputes and single disputes involving air ambulance services initiated under extensions of deadlines after the Federal IDR portal reopens, the deadline for the parties to jointly select a certified IDR entity will be 10 business days after initiation.
For disputing parties that were engaged in certified IDR entity selection for batched disputes when the Federal IDR portal temporarily closed, the deadline for parties to jointly select a certified IDR entity will be 10 business days after the Federal IDR portal reopens, which is December 29, 2023.
An initiating party that has received a notification from a certified IDR entity that a dispute initiated before August 3, 2023 was improperly batched will have one opportunity to resubmit the improperly batched items and services for reconsideration within 10 business days of being notified by the certified IDR entity, provided that the initiating party’s 4-business-day period to resubmit the batched dispute expired between August 3 and August 9, 2023.
The deadline to submit fees and offers will remain 10 business days after certified IDR entity selection.
Disputing parties with batched disputes that were impacted by the temporary suspension of use of the notice of offer form will be granted an additional 10 business days to submit offers, as communicated to impacted disputing parties by email from the Federal IDR Inbox.
The deadline extensions announced December 15, 2023 supplement extensions the Departments previously announced in November, 2023. On November 22, 2023, the Departments used their statutory authority (Internal Revenue Code Section 9816(c)(9), ERISA Section 716(c)(9), and PHS Act Section 2799A-1(c)(9)) to grant extensions in the following circumstances:
Disputing parties may request additional time, beyond the current business day deadline, to respond to the certified IDR entity’s requests for additional information. The Departments instructed certified IDR entities to grant such requests through January 16, 2024.
Certified IDR entities may provide parties, upon request, an additional 10 business days after the original offer deadline to submit an offer. Certified IDR entities may provide parties this additional time, as needed, through January 16, 2024.
On November 29, 2023, the Departments also announced another extension of the timeline for disputing parties to select a certified IDR entity. Under this extension, disputing parties will have 10 business days to select a certified IDR entity for all disputes through January 16, 2024. This extension will be provided automatically and does not require a request by disputing parties.
The Departments already announced the November 22, 2023 and November 29, 2023 extensions until January 16, 2023 for new single and bundled disputes and these extensions will persist for all disputes until January 16, 2023.
In connection with their full reopening of the IDR portal, the Departments renewed prior reminders to parties accessing or using the IDR portal to clear their computer’s cache or open the Federal IDR initiation web forms in a private or incognito window to see all the new features at least once a week to ensure access to the most up-to-date version of the initiation form as the Departments continue to implement Federal IDR web forms to accommodate guidance-related and system enhancements. Users failing to follow this recommendation risk additional follow-up with certified IDR entities or system errors.
We hope this update is helpful. For more information about these or other health or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.
If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.
About the Author
Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 35 plus years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.
A Fellow in the American College of Employee Benefit Counsel, Co-Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee and Vice-Chair Elect of its International Employment Law Committee, Chair-Elect of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading-edge work, scholarship and thought leadership on heath benefit and other healthcare and life science, managed care and insurance and other workforce and staffing, employee benefits, safety, contracting, quality assurance, compliance and risk management, and other legal, public policy and operational concerns in the healthcare and life sciences, employee benefits, managed care and insurance, technology and other related industries. She speaks and publishes extensively on these and other related compliance issues.
Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, life sciences, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. Scribe for the ABA JCEB Annual Meeting with the HHS Office of Civil Rights, her experience includes extensive involvement throughout her career in advising health care and life sciences and other clients about preventing, investigating and defending EEOC, DOJ, OFCCP and other Civil Rights Act, Section 1557 and other HHS, HUD, banking, and other federal and state discrimination investigations, audits, lawsuits and other enforcement actions as well as advocacy before Congress and regulators regarding federal and state equal opportunity, equity and other laws.
For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.
About Solutions Law Press, Inc.™
Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here such as:
If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.
NOTICE: These statements and materials are for general informational and educational purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstances at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules make it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access to this publication.
Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.
The No Surprises Act (“NSA”) Federal Independent Dispute Resolution (“IDR”) portal now is reopened for processing all health benefit disputes covered by the NSA between health care providers, facilities, and providers of air ambulance services (“providers”), and group health plans, health insurance issuers, and Federal Employee Health Benefits Program carriers (“payers”) (collectively, “disputing parties”). The December 15, 2023 announcement of the reopening of the IDR portal by the Departments of Health & Human Resources, Labor and Treasury (“Departments”) for all types of NSA-covered claims allows dispute resolution processes central to the administration of the NSA’s protections for health plan members against “surprise” balance bills for covered out-of-network services from health care providers including air ambulance.
As part of its provisions to protect patients from “surprise bills” or out-of-network services covered bu the NSA, the NSA establishes rules and procedures for providers and payers to determine the appropriate out-of-network payment rate for out-of-network services received by patients enrolled in covered payer programs. Where payers and providers cannot agree about the appropriate payment rate using other NSA procedures, the IDR portal is the online system established under the NSA for disputing payers and health care providers arrange for a certified IDR entity to resolve disagreements about the appropriate out-of-network payment rate for items and services subject to the surprise billing protections in the NSA through a process in which the certified IDR entity reviews offers made by each disputing party along with supporting information about the dispute. Once established under the NSA, payers are required to pay providers the appropriate payment rate for the covered out-of-network services provided to the member patient and the provider is prohibited from balance billing charges in excess of the appropriate payment rate for those services. The Departments previously suspended the operation of the IDR portal earlier this year after a federal court ruled that rules adopted by the Departments implementing the NSA violated the NSA.
In connection with the reopening of the IDR Portal, the Departments also announced the following extensions of the applicable IDR deadlines for the initiation of new batched disputes and new single disputes involving air ambulance services, resubmission of disputes determined by certified IDR entities to be improperly batched, and selection or reselection of a certified IDR entity.
Parties for whom the IDR initiation deadline under applicable regulations fell on any date between August 3, 2023 and December 15, 2023 will have until the 20th business day after the Federal IDR portal reopens, which is January 16, 2024, to initiate a new batched dispute or a new single dispute involving air ambulance services. Parties for whom the IDR initiation deadline falls between December 16, 2023 and January 15, 2024 will also have until January 16, 2024 to initiate a batched or air ambulance dispute. Parties whose initiation deadline falls on January 16, 2024 or after will have the usual 4 business days after the end of the Open Negotiation Period, or if the dispute is subject to the 90-calendar-day suspension period following a payment determination, the usual 30 business day period, to initiate a batched or air ambulance dispute in the Federal IDR portal.
For batched disputes and single disputes involving air ambulance services initiated under extensions of deadlines after the Federal IDR portal reopens, the deadline for the parties to jointly select a certified IDR entity will be 10 business days after initiation.
For disputing parties that were engaged in certified IDR entity selection for batched disputes when the Federal IDR portal temporarily closed, the deadline for parties to jointly select a certified IDR entity will be 10 business days after the Federal IDR portal reopens, which is December 29, 2023.
An initiating party that has received a notification from a certified IDR entity that a dispute initiated before August 3, 2023 was improperly batched will have one opportunity to resubmit the improperly batched items and services for reconsideration within 10 business days of being notified by the certified IDR entity, provided that the initiating party’s 4-business-day period to resubmit the batched dispute expired between August 3 and August 9, 2023.
The deadline to submit fees and offers will remain 10 business days after certified IDR entity selection.
Disputing parties with batched disputes that were impacted by the temporary suspension of use of the notice of offer form will be granted an additional 10 business days to submit offers, as communicated to impacted disputing parties by email from the Federal IDR Inbox.
The deadline extensions announced December 15, 2023 supplement extensions the Departments previously announced in November, 2023. On November 22, 2023, the Departments used their statutory authority (Internal Revenue Code Section 9816(c)(9), ERISA Section 716(c)(9), and PHS Act Section 2799A-1(c)(9)) to grant extensions in the following circumstances:
Disputing parties may request additional time, beyond the current business day deadline, to respond to the certified IDR entity’s requests for additional information. The Departments instructed certified IDR entities to grant such requests through January 16, 2024.
Certified IDR entities may provide parties, upon request, an additional 10 business days after the original offer deadline to submit an offer. Certified IDR entities may provide parties this additional time, as needed, through January 16, 2024.
On November 29, 2023, the Departments also announced another extension of the timeline for disputing parties to select a certified IDR entity. Under this extension, disputing parties will have 10 business days to select a certified IDR entity for all disputes through January 16, 2024. This extension will be provided automatically and does not require a request by disputing parties.
The Departments already announced the November 22, 2023 and November 29, 2023 extensions until January 16, 2023 for new single and bundled disputes and these extensions will persist for all disputes until January 16, 2023.
In connection with their full reopening of the IDR portal, the Departments renewed prior reminders to parties accessing or using the IDR portal to clear their computer’s cache or open the Federal IDR initiation web forms in a private or incognito window to see all the new features at least once a week to ensure access to the most up-to-date version of the initiation form as the Departments continue to implement Federal IDR web forms to accommodate guidance-related and system enhancements. Users failing to follow this recommendation risk additional follow-up with certified IDR entities or system errors.
We hope this update is helpful. For more information about these or other health or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.
If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.
About the Author
Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 35 plus years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.
A Fellow in the American College of Employee Benefit Counsel, Co-Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee and Vice-Chair Elect of its International Employment Law Committee, Chair-Elect of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading-edge work, scholarship and thought leadership on healthcare and life science, managed care and insurance and other workforce and staffing, employee benefits, safety, contracting, quality assurance, compliance and risk management, and other legal, public policy and operational concerns in the healthcare and life sciences, employee benefits, managed care and insurance, technology and other related industries. She speaks and publishes extensively on these and other related compliance issues.
Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, life sciences, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. Scribe for the ABA JCEB Annual Meeting with the HHS Office of Civil Rights, her experience includes extensive involvement throughout her career in advising health care and life sciences and other clients about preventing, investigating and defending EEOC, DOJ, OFCCP and other Civil Rights Act, Section 1557 and other HHS, HUD, banking, and other federal and state discrimination investigations, audits, lawsuits and other enforcement actions as well as advocacy before Congress and regulators regarding federal and state equal opportunity, equity and other laws.
For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.
About Solutions Law Press, Inc.™
Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here such as:
If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.
NOTICE: These statements and materials are for general informational and educational purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstances at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules make it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access to this publication.
Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.
A newly-announced settlement agreement and corrective action plan (the “Settlement”) between a prominent New York academic medical center and the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (“OCR”) arising from disclosures and access allowed a reporter covering the COVID-19 pandemic warns health care providers, health plans, healthcare clearinghouses (“covered entities”), their business associates and workforce members (collectively, “HIPAA entities”) to prevent their organizations and workforce members not to share protected health information (“PHI”) or allow reporters or other media to access patients or PHI without first obtaining the legally required patient authorizations as well as evaluate their own organization’s potential exposure to OCR enforcement from known or suspected unauthorized disclosures of PHI by their own organizations or workforce during the COVID-19 pandemic or other events over the past two years.
While the Settlement involved a health care providers, health plans and other HIPAA entities also are subject to the same HIPAA requirements to prevent unauthorized photography, videos, or other sharing or disclosure of participant or other PHI to media in interviews or other media interactions or by workforce members, business associates or other third parties. Furthermore, since the Employee Benefit Security Administration now views HIPAA compliance and other prudent steps to protect PHI and other sensitive health information as part of fiduciaries and plan administrator’s ERISA compliance obligations, the management of these and other HIPAA obligations also is critical to ERISA compliance. Accordingly, health plans and their fiduciaries, administrators, and sponsors should confirm their continued compliance in light of the insights provided by the Settlement and related OCR guidance.
HIPAA-Compliant Authorization Required Before Media Access To Patients Or Patient Information
The HIPAA Privacy Rule prohibits SJMC and other HIPAA entities from disclosing any patient’s PHI unless::
The individual who is the subject of the information (or the individual’s personal representative) authorizes the disclosure in writing in the form required by the Privacy Rule; or
The Privacy Rule otherwise expressly permits or requires the disclosure.
OCR guidance makes clear that these prohibitions continue to apply when health care providers or other HIPAA entities are dealing with have print, television, or other media reporters.
SJMC Settlement
The Settlement between OCR and St. Joseph’s Medical Center (“SJMC”) resolves potential OCR charges that SJMC violated the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule by allowing an Associated Press (“AP”) reporter to access, photograph, and review clinical information of three COVID-19 patients without appropriate HIPAA authorization. Although the dated documents governing the Settlement reflect the parties reached the Settlement Agreement in August, OCR only made the Settlement public on November 20, 2023.
The OCR investigation that prompted the settlement began shortly an AP article about SJMC’s response to the COVID-19 public health emergency containing photographs and information about three COVID-19 patients came to OCR’s attention. The nationally distributed article included pictures of the three patients as well as details about the patients’ COVID-19 diagnoses, current medical statuses and medical prognoses, vital signs, treatment plans, and other PHI.
OCR determined from the investigation that SJMC allowed the AP reporter to observe and access clinical information of three patients receiving treatment for COVID on April 20, 2020 without first obtaining the necessary patient authorization required by HIPAA and that the disclosures were not otherwise allowed by any other exception to the Privacy Rule.
To avoid potentially much larger civil monetary penalties authorized by HIPAA, SHMC entered into the Settlement under which it agreed to pay $80,000 to OCR and agreed to develop written policies and procedures and train its workforce to comply with the HIPAA Privacy Rule. Under the Settlement, OCR also will monitor SHMC’s HIPAA compliance for two years.
Prior OCR Enforcement & Guidance Warned HIPAA Entities About Media Disclosures
OCR guidance and enforcement actions alerted SJMC and other HIPAA entities of their HIPAA responsibility not to disclose or allow access by the media or other third parties long before SJMC allowed the media access and disclosures that resulted in the new Settlement.
2013 Shasta Regional Medical Center Enforcement
Shasta Regional Medical Center (“SRMC”) holds the distinction of being the first covered entity punished for wrongfully disclosing PHI to the media. Under a resolution agreement OCR announced on June 14, 2013, OCR required SRMC to pay OCR $275,000 and implement a series of corrective actions for using and disclosing to the media PHI of a patient while trying to perform public relations damage control against accusations reported in the media that SRMC had engaged in fraud or other misconduct when dealing with the patient. That SRMC resolution Agreement followed an OCR investigating a January 4, 2012 Los Angeles Times article report that two SRMC senior leaders had met with media to discuss medical services provided to a patient. OCR’s investigation indicated that SRMC failed to safeguard the patient’s PHI from impermissible disclosure by intentionally disclosing PHI to multiple media outlets on at least three separate occasions, without a valid written authorization. OCR’s review also revealed senior management at SRMC impermissibly shared details about the patient’s medical condition, diagnosis and treatment in an email to the entire workforce. Further, SRMC failed to sanction its workforce members for impermissibly disclosing the patient’s records pursuant to its internal sanctions policy.
2016 NY-Presby Resolution Agreement & OCR Media Guidance
OCR’s next warnings to covered entities about their HIPAA responsibilities when dealing with the media came in 2016, when OCR concurrently announced a $2.2 million settlement with New York-Presbyterian Hospital and published its 2016 Frequently Asked Question (“Media FAQ”) addressing the obligation to comply with HI)PAA when dealing with the media.
According to the NY-Presby Resolution Agreement, OCR’s investigation revealed that NY-Presbyterian “blatantly” violated HIPAA when it allowed ABC film crews and staff virtually unfettered access to its health care facility. OCR says the access NY-Presbyterian allowed ABC effectively created an environment where patients PHI could not be protected from impermissible disclosure to the ABC film crew and staff filming the episode. While the Resolution Agreement reflects allowing the filming and other access to ABC without prior HIPAA-compliant authorization from patients in the facility itself violated HIPAA, OCR also particularly found “egregious” the facility allowing ABC film crews and staff to film a dying patient and another patient in significant distress without first obtaining a HIPAA-compliant authorization from each of those patients and even more so that NY-Presbyterian failed stop the filming even after a medical professional urged the crew to stop.
Based on its investigation, OCR charged NY-Presbyterian with violating 45 C.F.R. §§ 164.502(a) and 164.530(c) by:
Impermissibly disclosing the PHI of two identified patients to the film crew and other staff of “NY Med;”
Failing appropriately and reasonably to safeguard its patients’ PHI from disclosure during the filming of “NY Med” on its premises; and
Failing to implement policies, procedures, and practices to protect the privacy of the filming of the television show.
OCR collected $2.2 million from New York-Presbyterian Hospital as the required settlement payment under that resolution agreement.
2016 Media FAQ Guidance
Coincident with its announcement of the NYPH Settlement, OCR published the 2016 Media FAQ addressing HIPAA entities’ responsibilities when dealing with the media that outlined its interpretation of HIPAA as requiring HIPAA entities to protect patients and their PHI against unauthorized filming, photography, observation, and other access by news or other media or even other staff, patients or visitors.
Among other things, the Media FAQ states that HIPAA prohibits health care providers and other HIPAA entities from inviting or allowing media personnel into treatment or other areas where patients or patient PHI will be accessible in written, electronic, oral, or other visual or audio form, or otherwise making PHI accessible to the media without prior written authorization from each patient or other subject of the PHI who is or will be in the area or whose PHI otherwise will be accessible to the media except in a very limited set of circumstances set forth in the Media FAQ.
The Media FAQ also states, “It is not sufficient for a health care provider to request or require media personnel to mask the identities of patients (using techniques such as blurring, pixelation, or voice alteration software) for whom authorization was not obtained, because the HIPAA Privacy Rule does not allow media access to the patient’s PHI, absent an authorization, in the first place.
In addition, the Media FAQ states that a health care provider also must ensure that reasonable safeguards are in place to protect against impermissible disclosures or to limit incidental disclosures of other PHI that may be in the area but for which authorization has not been obtained.
Concerning the limited circumstances when a health care provider or other HIPAA entity or business associate may disclose to the media or allow unconsented filming, photographing or use of PHI to the media or other film crews, the Media FAQ also clarifies that the HIPAA Privacy Rule does not require health care providers to prevent members of the media from entering areas of their facilities that are otherwise generally accessible to the public like public waiting areas or areas where the public enters or exits the facility.
In addition, the Media FAQ states a health care provider or other HIPAA entity may:
Disclose limited PHI about the incapacitated patient to the media in accordance with the requirements of 45 C.F.R. 164.510(b)(1)(ii) when, in the hospital’s professional judgment, doing so is in the patient’s best interest; or
Disclose a patient’s location in the facility and condition in general terms that do not communicate specific medical information about the individual to any person, including the media, without obtaining a HIPAA authorization where the individual has not objected to his information being included in the facility directory, and the media representative or other person asks for the individual by name as specified in 45 C.F.R. 164.510(a).
The Media FAQ also discusses circumstances where a healthcare provider or other HIPAA entity may use the services of a contract film crew to produce training videos or public relations materials on the provider’s behalf if the provider ensures that the film crew acting as a business associate enters into a HIPAA compliant business associate agreement with the HIPAA entity which among other things ensures that the film crew will safeguard the PHI it obtains, only use or disclose the PHI for the purposes provided in the agreement, and return or destroy any PHI after the work for the health care provider has been completed as required by 45 C.F.R. 164.504(e)(2). The Media FAQ also states that as a business associate, the film crew must comply with the HIPAA Security Rule and a number of provisions in the Privacy Rule, including the Rule’s restrictions on the use and disclosure of PHI. In addition, the Media FAQ reminds HIPAA entities and business associates of the need to obtain prior authorizations from patients whose PHI is included in any materials before any of those materials are posted online, printed in brochures for the public, or otherwise publicly disseminated.
Finally, the Media FAQ states HIPAA entities can continue to inform the media of their treatment services and programs so that the media can better inform the public, provided that, in doing so, the covered entity does not share PHI with the media.
Memorial Herrman Health System Resolution Agreement
OCR’s next media coverage-related enforcement action involved the largest not-for-profit health system in Southeast Texas, Memorial Hermann Health System (MHHS). The 2017 MHHS Resolution Agreement and Corrective Action Plan resulted from HHHS issuing a press release with the name and other PHI about a patient arrested and charged with fraudulently obtaining health care by presenting an allegedly fraudulent identification card to MHHS office staff without first obtaining authorization from the patient. MHHS paid OCR a $2.4 million resolution payment as well as agreed to implement a detailed corrective action plan. See $2.4M HIPAA Settlement Warns Providers About Media Disclosures Of PHI.
Three Resolution Agreements Following Disclosures ForBoston Trauma Reality Series
OCR followed up the next year with a concurrent announcement of resolution agreements against three unrelated hospitals for allowing ABC film crews to film in patient treatment and other areas for the ABC medical documentary “Save My Life: Boston Trauma” series. Under three separate settlement agreements, OCR collected a total of $999,000 from Boston Medical Center, Brigham and Women’s Hospital, and Massachusetts General Hospital for putting publicity before patient privacy by allowing ABC News documentary film crews to film patients and access other patient information for a news documentary without obtaining prior patient authorization under three separate settlement agreements with the hospitals.
The circumstances that resulted in the three resolution agreements announced on September 20, 2018 were strikingly similar to those underlying the NY-Presby Resolution Agreement. Notably, the investigations that resulted in the three settlement agreements all arose out of each of the respective hospital’s permitting an ABC documentary film crew filming a medical documentary to access patient areas of their hospitals.
OCR’s investigation of MGH arose in response to an announcement about the impending filming on its website while OCR’s investigations of BMC and BWH started in response to a January 12, 2015 Boston Globe article that reported the Hospitals each separately had allowed ABC film crews filming a documentary to access PHI and film patients without obtaining patient authorization. See Boston Medical Center Resolution Agreement (BMC Settlement Agreement); Brigham and Women’s Hospital Resolution Agreement (BWH Settlement Agreement); and Massachusetts General Hospital Resolution Agreement (MGH Resolution Agreement)
The MGH Resolution Agreement reflects that OCR’s investigations began with an investigation of MGH on December 17, 2014 based on a news story posted to MGH’s website on October 3, 2014, indicating that ABC News would be filming a medical documentary program at MGH. The MGH Resolution Reports that the investigation revealed that before allowing the filming between October 2014 to January 2015, MGH reviewed and assessed patient privacy issues related to the filming and implemented various protections regarding patient privacy, including providing the ABC film crew with the same HIPAA privacy training received by MGH’s workforce.
Information contained in the respective settlement agreements reflect that OCR’s investigations of BMC and BWH began about a month later on January 25 and 26, 2015 respectively in response to the Boston Globe article. The BWH Settlement Agreement states that the BWH investigation revealed that like MGH, BWH reviewed and assessed patient privacy issues related to the filming and implemented various protections regarding patient privacy, including providing the ABC film crew with the same HIPAA privacy training received by BWH’s workforce before allowing the filming by the ABC film crew that occurred between October 2014 to January 2015. The BMC Settlement Agreement does not state that OCR found BMC engaged in similar deliberations or undertook the same or other efforts to safeguard patients and their PHI.
The BMC Settlement Agreement reports that the OCR concluded based on the BMC investigation showed that BMC impermissibly disclosed PHI of patients to ABC employees during the production and filming of a television program at BMC in violation of HIPAA. Meanwhile, while acknowledging the privacy deliberations and efforts undertaken at MGH and BWH, OCR also concluded that each of those organizations also violated HIPAA because in allowing the film crew access and to film patients and patient areas:
The timing at which they obtained patient authorizations showed MGH and BWH impermissibly disclosed the PHI of patients to ABC employees during the production and filming of a television program at BWH; and
Despite the various patient privacy protections in place, MGH and BWH failed to safeguard its patients’ PHI appropriately and reasonably from disclosure during a filming project conducted by ABC on its premises in 2014 and January 2015.
To resolve potential HIPAA violations, BMC has paid OCR $100,000, BWH has paid OCR $384,000, and MGH has paid OCR $515,000. In addition, each Hospital agreed to provide workforce training as part of a corrective action plan that will include OCR’s guidance on disclosures to film and media in the 2016 Media FAQ.
Allergy Associates of Hartford, P.C.Resolution Agreement
Large institutional health care organizations are not the only HIPAA entities subjected to OCR investigation or enforcement for inappropriate sharing of PHI with the media. In its November 2018
On November 26, 2018, OCR announced that Allergy Associates, the three doctor health care practice Allergy Associates of Hartford, P.C. would pay OCR $125,000 and take corrective action under a Resolution Agreement and Corrective Action Plan resolving charges stemming from comments a physician made to a reporter on a patient dispute with the practice in 2015 violated HIPAA.
According to OCR, the disclosure of patient information that prompted OCR’s HIPAA charges resulted from a physician associated with the practice commenting to a local television station reporter for a story about a disabled patient’s complaint to the station that Allergy Associates turned her away from a scheduled appointment because of her use of a service animal. After the patient contacted the television statement to complain about being turned away by the practice when accompanied by her service animal, the station contacted the doctor for comment about the dispute between the Allergy Associates’ doctor and the patient. Although OCR reports its investigation revealed that Allergy Associates’ Privacy Officer instructed the doctor to either not respond to the media or respond with “no comment,” the doctor nevertheless accepted the television station reporter’s invitation to comment and discussed the dispute with the reporter.
OCR learned of the physician’s unauthorized comments to the reporter when it received a copy of an October 6, 2015, HHS civil rights complaint filed on behalf of the patient with the Department of Justice, Connecticut, U.S. Attorney’s Office (DOJ) by the Connecticut Office of Protection and Advocacy for Persons with Disabilities (OPA). In response to this complaint, OCR initiated a joint investigation with DOJ into the civil rights allegations against Allergy Associates. The complaint also alleged that Allergy Associates impermissibly disclosed the patient’s PHI in violation of HIPAA.
OCR found the physician’s discussion of the patient’s complaint without first obtaining a HIPAA-complaint authorization from the patient both violated HIPAA and demonstrated a reckless disregard for the patient’s HIPAA privacy rights. Additionally, Resolution Agreement also states that OCR’s investigation revealed that Allergy Associates did not take any disciplinary or other corrective action against the doctor after learning of his impermissible disclosure to the media.
To resolve the HIPAA charges, Allergy Associates agrees in the Resolution Agreement and Corrective Action Plan to pay $125,000 as well as to undertake a corrective action plan that includes two years of monitoring their compliance with the HIPAA Rules.
OCR COVID-19 HIPAA Guidance & Warnings About Media-Related HIPAA Responsibilities
With the COVID-19 pandemic fueling a torrent of media inquiries and coverage of patient, workforce and other aspects of the pandemic, OCR reminded health care providers and other HIPAA entities of HIPAA’s requirement of prior authorization before sharing PHI or allowing media to access patients or areas where media could observe patients or their PHI throughout the COVID-19 pandemic.
In its May 5, 2020 Guidance on Covered Health Care Providers and Restrictions on Media Access to Protected Health Information about Individuals in Their Facilities (“5/5 Guidance”), OCR warned covered health care providers and other HIPAA entities that the Privacy Rule prohibits HIPAA entities from giving media or film crews access to PHI including access to facilities where patients’ PHI could be accessible without the patients’ prior authorization and cautioned testing facilities and other health care providers to prevent unauthorized use, access or disclosure of test results and other PHI except as specifically allowed in the applicable HIPAA Law. In this respect, the 5/5 Guidance quoted then OCR Director Roger Severino, as unequivocally stating “Hospitals and health care providers must get authorization from patients before giving the media access to their medical information; obscuring faces after the fact just doesn’t cut it.”
Consistent with this warning, the 5/5 Guidance described reasonable guidelines and safeguards that HIPAA entities should use to protect the privacy of patients whenever the media is granted access to facilities. Additionally, the 5/5 Guidance specifically warned HIPAA entities among other things that:
HIPAA does not permit covered health care providers to give the media, including film crews, access to any areas of their facilities where patients’ PHI will be accessible in any form (e.g., written, electronic, oral, or other visual or audio form), without first obtaining a written HIPAA authorization from each patient whose PHI would be accessible to the media;
Covered health care providers may not require a patient to sign a HIPAA authorization as a condition of receiving treatment; and
Masking or obscuring patients’ faces or identifying information before broadcasting a recording of a patient does not sufficiently deidentify patient information to allow unauthorized disclosure. A valid HIPAA authorization is still required before giving the media such access.
Despite these warnings, throughout the COVID-19 health care emergency videos and other media reports often incorporated videos or other images of patients and other descriptions or details about patients containing PHI reporters or media outlets obtained from accessing facilities, interviewing workforce members, or shared with the media or others allowed to access patients or facilities, often without a HIPAA-compliant patient authorization and often by workforce members without authorization or otherwise in violation of their employing HIPAA entity’s policies. See e.g. Ezekiel Elliott COVID-Test Disclosure Highlights Health Care Provider & Plan HIPAA & Other Privacy Risks From Medical Testing & Other Medical Information;, Health care workers express overwhelming fatigue as COVID-19 cases surge across the country; Pandemic takes its toll on health care workers; ABC News Special Coverage: Coronavirus Pandemic. Since the widespread media coverage makes clear SJMC was not the only health care provider or other HIPAA entity where the entity or members of its workforce allowed media access to facilities, shared or allowed the media or other third-parties to take patient photos, videos, or shared or allowed media access to other PHI, additional OCR enforcement actions or settlements arising from COVID-19 related media disclosures against other HIPAA-entities are likely.
To mitigate their own organizational exposure to potential HIPAA and other privacy-related exposures from known or as-of-yet unidentified past or future media-related HIPAA violations, all HIPAA entities should consult qualified legal counsel for advice and assistance within the scope of attorney-client privilege on investigating their organizations potential risks from any past media disclosures and opportunities for mitigating any known or uncovered HIPAA exposures by acting proactively as well as for guidance on best practices to prevent or mitigate liability from future dealings with the media.
To promote their compliance and the defensibility of their practices and efforts when compliance issues arise, HIPAA entities need conduct a well-documented assessment of their current and past compliance, policies, practices and workforce training on allowing media or others to enter, film, photograph or record within their facilities or otherwise disclosing or allowing media access to their facilities as well as their policies about when parties not involved in care of a particular patient can film, photograph, or otherwise record, observe or access areas where patients or patient PHI is or might be present without prior written consent of the patient.
Going forward, all HIPAA entities should ensure their policies clearly prohibit their entities, their business associates and their workforce from allowing film or media to film, photograph or even access areas where patients or their PHI are accessible or otherwise disclosing PHI to members of the media without first obtaining a HIPAA-compliant authorization from each patient whose presence or PHI could be observed, recorded or otherwise accessed. Adopting the policy alone is insufficient, however, HIPAA entities also need to implement and enforce appropriate procedures and training to promote compliance with those policies and processes to monitor and respond to any violations of HIPAA’s requirements.
When considering the adequacy of their current policies, practices and training concerning filming, photography and other access and disclosure to patients, patient treatment areas and other PHI, HIPAA entities should keep in mind that the obligation to prevent unauthorized filming, photography or any other PHI access or disclosure PHI extends to “any third party not involved in patient care,” not merely those to media or film crews. Consequently, HIPAA entities should address potential risks from filming, photographs or other access and disclosure to patients, patient treatment or recordkeeping areas, or PHI by all parties within or with access to their facilities or records including but not limited to staff, business associates, contractors, other patients as well as media or other visitors.
Recognizing that the NY-Presbyterian corrective action plan included a requirement that NY-Presbyterian require “all photography, video recording and audio recording conducted on NY-Presbyterian premises” be reviewed, preapproved and actively monitored for compliance with the Privacy Rule and NY-Presbyterian’s policies, HIPAA entities also should take steps to monitor and properly restrict and protect any filming, photography or other observations, records or other PHI by individuals within their workforce, as well as to regulate the access and activities of unrelated third parties. In this respect, HIPAA entities are cautioned about the need to prohibit and enforce suitable prohibitions against members of their workforce and others using their own personal devices or other equipment to film, photograph, and copy or disseminate photographs, film, recordings or other records or data that qualifies as or contains PHI without authorization in accordance with established protocols.
HIPAA entities also should take steps to ensure their policies and training make clear that these prohibitions apply whether or not the workforce member believes that identity of the patient or patient information is concealed or otherwise not discoverable.
Moreover, even with respect to photographs, films or other recordings or records legitimately created for treatment, payment or operations purposes, HIPAA entities generally need to take steps to restrict use, access and disclosure of the photographs or other recordings to individuals legitimately involved in patient treatment, operations, payment or other activities allowed by the Privacy Rule and to safeguard those materials against use, access or disclosure to others within or outside their workforce except as allowed by HIPAA and other applicable law. .
Since HIPAA entities also are likely to be subject to other statutory, ethical, contractual or other privacy or confidentiality requirements beyond those imposed by the Privacy Rule, most HIPAA entities also will want to consider and take steps to identify and address these other potential legal or ethical responsibilities such as medical confidentiality duties applicable to physicians and other health care providers under medical ethics, professional licensure or other similar rules, contractual responsibilities, as well as common law privacy or other related exposures when conducting this review. Additionally, most HIPAA entities also will want to take into account and manage their potential exposure to privacy, theft of likeness or other intellectual property, or other statutory or common law tort or contractual claims that might attached to the unauthorized filming, photographing, or surveillance of individuals under federal or state common or statutory laws.
Since this analysis and review in most cases will result in the uncovering or discussion of potentially legally or politically sensitive information, HIPAA entities should consider consulting with or engaging experienced legal counsel for assistance in structuring and executing these activities to maximize their ability to claim attorney-client privilege or other evidentiary protections against discovery or disclosure of certain aspects of these activities.
Finally, HIPAA entities should keep in mind that HIPAA compliance and risk management is an ongoing process requiring constant awareness and diligence. Consequently, HIPAA entities should both monitor OCR and other regulatory and enforcement developments as well as exercise ongoing vigilance to monitor and maintain compliance within their organizations.
For More Information
We hope this update is helpful. For more information about these or other health or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.
If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.
About the Author
Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 35 plus years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.
A Fellow in the American College of Employee Benefit Counsel, Co-Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee and VIce-Chair Elect of its International Employment Law Committee, Chair-Elect of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading-edge work, scholarship and thought leadership on healthcare and life science, managed care and insurance and other workforce and staffing, employee benefits, safety, contracting, quality assurance, compliance and risk management, and other legal, public policy and operational concerns in the healthcare and life sciences, employee benefits, managed care and insurance, technology and other related industries. She speaks and publishes extensively on these and other related compliance issues.
Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, life sciences, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. Scribe for the ABA JCEB Annual Meeting with the HHS Office of Civil Rights, her experience includes extensive involvement throughout her career in advising health care and life sciences and other clients about preventing, investigating and defending EEOC, DOJ, OFCCP and other Civil Rights Act, Section 1557 and other HHS, HUD, banking, and other federal and state discrimination investigations, audits, lawsuits and other enforcement actions as well as advocacy before Congress and regulators regarding federal and state equal opportunity, equity and other laws.
For more information about Ms. Stamer or her labor and employment, employee benefit, health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.
About Solutions Law Press, Inc.™
Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here such as:
If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.
Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.
Group health plans and insurers must ensure their programs don’t violate the Mental Health Parity and Addiction Equity Act (“MHPAEA”) by improperly limiting or excluding coverage for the treatment of autism or mental therapy developmental disorders.
MHPAEA requires group health plans and health insurance issuers that offer mental health benefits to ensure that mental health benefit financial requirements and nonquantitative treatment limitations are generally no more restrictive than those applied to medical/surgical benefits. The Department of Labor Employee Benefit Security Administration (“EBSA”) has identified MHPAEA autism and other mental health and substance abuse coverage enforcement as a key priority in its current fiscal year enforcement plan. Violation of its prohibitions is costly. Aside from any costs of providing wrongfully denied coverage and defense costs for resulting investigations and enforcement, violations generally also trigger that the employer is accountable for self-identifying, reporting and paying excise tax penalties imposed for MHPAEA violations under Internal Revenue Code Section 6039D to avoid even more penalties unless an exception applies.
Although many diagnosticians and courts consider autism a neurological rather than psychological disorder, EBSA often interprets and enforces MHPAEA as applicable to Applied Behavior (ABA) therapy and other treatment for autism, For instance, an EBSA Benefits Advisor stepped in to assist a Seattle family encountering difficulty communicating with their health plan regarding claims for their child the plan reprocessed the claims, resulting in an additional $20,000 of coverage. Another parent contacted an EBSA Benefits Advisor in the Dallas Regional Office for assistance with claims that had not been paid. After the Advisor contacted the plan to resolve the issue, this family received approximately $24,000 they were owed.
EBSA also has taken more formal enforcement actions in other instances. For example, EBSA’s Los Angeles Regional Office recently investigated a large service provider that excluded coverage for ABA therapy in hundreds of self-insured plans. The EBSA investigation resulted in 3 plans removing their exclusion for ABA therapy and offering coverage for that benefit moving forward, affecting more than 18,000 participants and their beneficiaries.
Meanwhile, an investigation by EBSA’s Chicago and Dallas Regional Offices into an ABA therapy exclusion resulted in a large claims administrator adding ABA therapy as a default coverage option for all of its self-insured plans. This correction resulted in the elimination of the exclusion of ABA therapy for autism for nearly one million participants.
To protect access to autism benefits, EBSA also works closely with other federal agencies, such as the U.S. Department of Health and Human Services. For example, EBSA assisted HHS’ Centers for Medicare and Medicaid Services in investigating an improper appeals process following the denial of coverage for autism treatment by a plan for a large school district. In the end, the plan reimbursed a total of $2,464 in unpaid claims to the participant.
The actions relating to ABM therapy and other autism-related treatment are part of a broader, high-priority EBSA and Department of Health and Human Services MHPAEA compliance and enforcement initiative which prioritizes enforcement of compliance by health plans and health insurers with MHPAEA’s mandates that health plans and insurance policies of covered health plans and insurers comply with its requirement of parity in the coverage provided for mental health and substance abuse care as compared to other care. To fulfill these requirements, health plans and insurers covered by MHPAEA must be prepared to produce documentation of their audit and analysis to demonstrate that any quantitative or qualitative requirements applicable to mental health or substance abuse coverage in form or operation are not greater than those applied to other comparable benefits. Meeting this burden generally requires significant documented analysis regarding the plan design and administration taking into complicated HPAEA regulations. Additionally, health plans and insurers also should ensure that their administrative practices and notifications comply with additional MHPAEA requirements applicable to claim determinations involving adverse benefit determinations for mental health or substance abuse treatment, as well as otherwise applicable Patient Protection and Affordable Care Act (“ACA”), Employee Retirement Income Security Act (“ERISA”) and for insured plans or policies, state insurance rules.
In the face of these and other enforcement actions, group health plans, their sponsors, their insurers, fiduciaries, administrators and employer and other MHPAEA-covered health benefit program sponsors, fiduciaries and administrators are urged to seek review and advice from legal counsel experienced with MHPAEA and other rules impacting autism diagnosis and treatment coverage about the adequacy and defensibility of their health program as it relates to coverage for autism and other developmental disabilities.
Additionally, employers also are reminded that autism and other developmental and neurological disorders also generally qualify as disabilities qualify for protection against discrimination and require accommodation under the Americans With Disabilities Act (“ADA”).
Along with the EBSA enforcement, private participants and beneficiaries of private employer-sponsored health plans also can bring lawsuits to recover benefits and other relief for violations of MHPAEA. Along with the actual damages, attorneys’ fees and other costs of enforcement, a successful MHPAEA enforcement also typically will reveal the sponsoring employer or union’s failure to make the required self-disclosure and excise tax payments mandated for violations under Internal Revenue Code Section 6039D, triggering added penalties beyond the initial penalties triggered by the uncorrected violation. Furthermore, delayed discovery of these violations also makes correction particularly costly for self-insured plans and their sponsors as deadlines for submitting expenses to qualify for stop loss reimbursement often will have passed by the time the liability comes to light. Accordingly, employer and other health plan sponsors, their fiduciaries and adminstrators generally will want to audit and monitor their health plan’s compliance with the MHPAEA throught the calendar year and as plan year or stop loss filing deadlines approach to mitigate these exposures.
More Information
We hope this update is helpful. For more information about these or other health or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.
Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.
About the Author
Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 35+ years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications. As a significant part of her work, Ms. Stamer has worked extensively domestically and internationally with business, government and community leaders to prepare for and deal with pandemic and other health and safety, financial, workforce and other organizational crisis, change and workforce, employee benefit, health care and other operations planning, preparedness and response for more than 30 years. As a part of this work, she regularly advises businesses and government leaders on an on-demand and ongoing basis about the preparation of workforce, health care and other business and government policies and practices to deal with management in a wide range of contexts ranging from day-to-day operations, through times of change and in response to operational, health care, natural disaster, economic and other crisis and change.
Author of a multitude of other highly regarded publications and presentations on MHPAEA and other health and other benefits, workforce, compliance, workers’ compensation and occupational disease, business disaster and distress and many other topics, Ms. Stamer has worked with health plans, employers, insurers, government leaders and others on these and other health care, health and other benefits, workforce and performance and other operational and tactical concerns throughout her adult life.
A former lead advisor to the Government of Bolivia on its pension privatization project, Ms. Stamer also has worked domestically and internationally as an advisor to business, community and government leaders on health, severance, disability, pension and other workforce, health care and other reform, as well as regularly advises and defends organizations about the design, administration and defense of their organization’s workforce, employee benefit and compensation, safety, discipline and other management practices and actions.
Board Certified in Labor and Employment Law By the Texas Board of Legal Specialization, Scribe for the ABA JCEB Annual Agency Meeting with OCR, Chair-Elect of the ABA TIPS Medicine and Law Committee, Chair of the ABA International Section Life Sciences Committee, and Past Group Chair and current Welfare Plan Committee Chair of the ABA RPTE Employee Benefits & Other Compensation Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.
About Solutions Law Press, Inc.™
Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here such as:
If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.
January 30 Deadline To Comment On HHS’ Proposed Changes To Substance Use Confidentiality Rules
Employers, their health plans and issuers, substance abuse, mental health and other healthcare providers, health care professional associations, consumer advocates, community organizations, state and local government entities, patients and caregivers and others concerned with mental health and substance abuse treatment and management should review and comment by January 30, 2023 on proposed changes to rules on unauthorized disclosures the Confidentiality of Substance Use Disorder (SUD) Patient Records under 42 CFR part 2 (“Part 2”) proposed by the U.S. Health and Human Services Department Office for Civil Rights (OCR) and the Substance Abuse and Mental Health Services Administration (SAMHSA) in a Notice of Proposed Rulemaking (NPRM) made public November 28, 2022 here and scheduled for publication in the December 2, 2022 Federal Register. In addition to obvious implications for health care providers and health plans, the proposed changes are likely to impact both the confidentiality requirements for employer-sponsored and other health benefit programs, as well as the ability and responsibilities of businesses seeking to access or use information about prior substance use and abuse in their workplaces or for other legitimate purposes.
Proposed Changes To Substance Abuse Confidentiality Rules
On November 28, 2022, OCR and SAMHSA issued the NPRM to revise the Confidentiality of Substance Use Disorder Patient Records regulations at 42 CFR part 2 (“Part 2”), which seek to address concerns that concerns about discrimination or prosecution might deter people from entering treatment for SUD by protecting “records of the identity, diagnosis, prognosis, or treatment of any patient which are maintained in connection with the performance of any program or activity relating to substance abuse education prevention, training, treatment, rehabilitation, or research, which is conducted, regulated, or directly or indirectly assisted by any department or agency of the United States.”(“SUD Records”).
Currently, the Part 2 protections of patient privacy and records concerning treatment related to substance use challenges from unauthorized disclosures differ from the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Breach Notification, and Enforcement Rules (“HIPAA”) rules. These distinctions reportedly create barriers to information sharing by patients and among health care providers and create dual obligations and compliance challenges for regulated entities. To address this concern, Congress mandated in Section 3221 of the Coronavirus Aid, Relief, and Economic Security Act (CARES Act) that HHS to bring Part 2 into greater alignment with certain aspects of the HIPAA Privacy rule.
Amid these challenges, the NPRM proposes to implement this CARES Act mandate through the following changes to Part 2 that HHS says will help safeguard the health and outcomes of individuals with SUD while creating greater flexibility for information sharing envisioned by Congress in its passage of Section 3221 of the CARES Act:
Permit Part 2 programs to use and disclose Part 2 records based on a single prior consent signed by the patient for all future uses and disclosures for treatment, payment, and health care operations;
Permit the redisclosure of Part 2 records as permitted by the HIPAA Privacy Rule by recipients that are Part 2 programs, HIPAA covered entities, and business associates, with certain exceptions;
Expand prohibitions on the use and disclosure of Part 2 records in civil, criminal, administrative, or legislative proceedings conducted by a federal, state, or local authority against a patient, absent a court order or the consent of the patient;
Create two patient rights under Part 2 that align with individual rights under the HIPAA Privacy Rule:
Right to an accounting of disclosures; and
Right to request restrictions on disclosures for treatment, payment, and health care operations;
Require disclosures to the Secretary for enforcement;
Apply HIPAA and HITECH Act civil and criminal penalties to Part 2 violations;
Require Part 2 programs to establish a process to receive complaints of Part 2 violations;
Prohibit Part 2 programs from taking adverse action against patients who file complaints;
Prohibit Part 2 programs from requiring patients to waive the right to file a complaint as a condition of providing treatment, enrollment, payment, or eligibility for services;
Apply the standards in the HITECH Act and the HIPAA Breach Notification Rule to breaches of Part 2 records by Part 2 programs;
Modify the Part 2 confidentiality notice requirements (“Patient Notice”) to align with the HIPAA Notice of Privacy Practices;
Modify the HIPAA Notice of Privacy Practices requirements for covered entities who receive or maintain Part 2 records to include a provision limiting redisclosure of Part 2 records for legal proceedings according to the Part 2 standards; and
Permit investigative agencies to apply for a court order to use or disclose Part 2 records after they unknowingly receive Part 2 records while investigating or prosecuting a Part 2 program, when certain preconditions are met.
While the Department is undertaking this rulemaking, the current Part 2 regulations remain in effect. However, once the comment period ends, the Biden Administration-led HHS is expected to finalize the proposed changes quickly. Consequently, in addition to sharing any concerns or other input about the proposed changes during the comment period, health care providers, health plans, health care clearinghouses, employers, community agencies, state and local governments, patients and other caregivers and other concerned parties also should begin planning and preparing to respond to the anticipated changes in the requirements.
Implications For Businesses & Their Health Plans
Businesses should carefully assess the potential implications of the proposed changes on their worker and vendor credentialing and workplace safety practices as well as their health and other benefit programs. Assuming the changes are adopted in their current form, businesses sponsoring health benefit programs generally, and health care organizations and providers specifically should prepare to modify their HIPAA required notices of privacy practices and associated practices to comply with the proposed updates.
Businesses required to comply with Department of Transportation Drug Free Workplace or other alcohol and substance abuse requirements also should consider the potential implications of the proposed changes on their ability to secure relevant substance abuse treatment and related history. In assessing these implications, businesses also should be cognizant of a new proactivity on behalf of certain uses of drugs by workers in the workplace under the Americans With Disabilities Act (“ADA”). For instance, the EEOC recently has sued Eagle Marine Services Electrical & Refrigeration, LLC for allegedly violating the ADA by refusing to hire or accommodate a worker because he used medication prescribed by his doctor to treat attention deficit hyperactivity disorder (“ADHD”) without making any individual assessment of the worker’s medication use or whether it would affect his ability to safely perform the marine electrician position, and instead relied on general stereotypes about disability and medication use to justify its decision not to hire him. Businesses seeking to investigate or deny employment opportunities to workers based on the worker’s past or current medication use will want to use care to ensure that their practices are tailored to defend against similar challenges.
Health plan sponsors and insurers also should assure their mental health and substance abuse treatment coverage documents and practices are defensible under the latest mental health and substance abuse parity mandates of the Mental Health Parity and Addiction Equity Act (MHPAEA) and coverage requirements of the Patient Protection and Affordable Care Act (“ACA”). Along with a host of statutory changes since the original parity mandates took effect, implementing regulations and guidance about non-qualitative limitations and exclusions and heightened agency enforcement are ramping up enforcement and liability risks. In addition to exposing the health plan administrators and other fiduciaries to potential claims denial or fiduciary responsibility claims brought by participants or beneficiaries, the Department of Labor or both, administrative penalties by the EBSA, or both, the MHPAEA mental health and substance abuse parity rules are among 40 federal mandates that when violated can trigger the automatic $100 per violation per day employer excise tax penalty under Internal Revenue Code Section 6039D. As a consequence, violations of the MHPAEA are particularly risky and potentially expensive for private employers, their health plans and the plan administrators and fiduciaries that administer it.
For Help With Comments, Investigations Or Other Needs
If your organization would like to learn more about the concerns discussed in this update or seeks assistance auditing, updating, administering or defending its human resources, compensation, benefits, corporate ethics and compliance practices, or other performance related concerns, please contact management attorney and consultant Cynthia Marcotte Stamer.
An attorney Board Certified in Labor & Employment Law by Texas Board of Legal Specialization, Ms. Stamer is recognized for work helping organizations management people, operations and risk as a Fellow in the American College of Employee Benefit Counsel, a “Top Woman Lawyer,” “Top Rated Lawyer,” and “LEGAL LEADER™” in Labor and Employment Law and Health Care Law; a “Best Lawyers” in “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law.”
For 35 years, Ms. Stamer’s work has focused on advising and assisting businesses and business leaders with these and other employment and other staffing, employee benefit, compensation, risk, performance and compliance management and other operational solutions and concerns. Her experience includes helping management both manage performance and manage legal risk and compliance. While helping businesses define and manage the conduct and performance of their employees, contractors and vendors, she also assists employers and others about compliance with federal and state equal employment opportunity, compensation, health and other employee benefit, workplace safety, leave, and other labor and employment laws, advises and defends businesses against labor and employment, employee benefit, compensation, fraud and other regulatory compliance and other related audits, investigations and litigation, charges, audits, claims and investigations by the IRS, Department of Labor, Department of Justice, SEC, Federal Trade Commission, HUD, HHS, DOD, Departments of Insurance, and other federal and state regulators. Ms. Stamer also speaks, coaches management and publishes extensively on these and other related matters. For additional information about Ms. Stamer and her experience or to access other publications by Ms. Stamer see hereor contact Ms. Stamer directly.
Other Helpful Resources & Information
If you found this article of interest, you also may be interested in reviewing other Breaking News, articles and other resources available including:
If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. For important information concerning this communication click here. If you do not wish to receive these updates in the future, unsubscribe by updating your profile here.
Employer and other group health plan sponsors, fiduciaries, administrators and insurers should prepare their plans and their administrators to respond appropriately to today’s (3/29/2022) U.S. Food and Drug Administration (“FDA”)’s authorization of a second booster dose of either the Pfizer-BioNTech or the Moderna COVID-19 vaccines for certain populations will affect health plan COVID-19 coverage, workplace vaccination mandates or both.
FDA Emergency Use Approval of Second COVID-19 Booster
On March 29, 2022, the FDA amended its e emergency use authorization (“EAU”) for COVID-19 vaccination to add authorization for second COVID-19 booster shots under the following circumstances:
A second booster dose of the Pfizer-BioNTech COVID-19 Vaccine or Moderna COVID-19 Vaccine may be administered to individuals 50 years of age and older at least 4 months after receipt of a first booster dose of any authorized or approved COVID-19 vaccine.
A second booster dose of the Pfizer-BioNTech COVID-19 Vaccine may be administered to individuals 12 years of age and older with certain kinds of immunocompromise at least 4 months after receipt of a first booster dose of any authorized or approved COVID-19 vaccine. These are people who have undergone solid organ transplantation, or who are living with conditions that are considered to have an equivalent level of immunocompromise.
A second booster dose of the Moderna COVID-19 Vaccine may be administered at least 4 months after the first booster dose of any authorized or approved COVID-19 vaccine to individuals 18 years of age and older with the same certain kinds of immunocompromise.
Second Booster Authorization Health Plan Implications
Group health plans, their sponsors, fiduciaries, administrators and insurers need to evaluate their existing group health plan language to determine if and when their group health plan will cover second COVID-19 booster doses.
While Federal law currently mandates that all group health plans and group and individual health insurance covered by the Patient Protection & Affordable Care Act (“ACA”) cover FDA-approved initial vaccination and first booster vaccinations administered in accordance with recommendations of the Advisory Committee on Immunization Practices (“ACIP”), the ACIP as of now has not amended its COVID-19 vaccination recommendations to include the FDA second boosters approved by the FDA.
Health plans’ current obligation to cover without cost sharing initial COVID-19 vaccinations and first boosters in accordance with FDA authorizations to covered individuals arises under Section 3203 of the Coronavirus Aid, Relief, and Economic Security Act (the “CARES Act”). Since January 5, 2021, Section 3203 of the CARES Act has mandated that all group health plans and health insurance issuers subject to the Patient Protection and Affordable Care Act (“ACA”) cover without cost sharing any COVID-19 vaccine with an FDA approved EUA Biologics License Application (“BLA”) consistent with the recommendations of the ACIP. While the CARES Act mandates coverage for ACIP-recommended COVID-19 vaccinations, including vaccines and boosters securing FDA approval subsequent to the effective date of the mandate. As enacted, the CARES Act mandate grows to include COVID-19 vaccinations and booster shots securing FDA approval subsequent to its enactment when recommended by the ACIP. Since the CARES Act only mandates coverage of ACIP recommended vaccines and as of March 29, 2022, the second booster is nt ACIP recommended, the Cares Act does not appear to mandate group health plans and health plan insurers cover the second booster shot approved by the FDA as of March 29, 2022. If in the future the ACIP recommends the booster, coverage by ACA covered group health plans and individual and group health insurance would become mandatory.
As of March 29, 2022, coverage of the second COVID-19 booster with or without cost-sharing also does not appear to be required to comply with the preventive care mandates of §2713 of the Public Health Service Act [PHSA]) enacted as part of the ACA.
The ACA preventive care and other mandates generally apply to individual health insurance coverage, fully insured small- and large-group coverage, and self-insured group plans that are not grandfathered or otherwise exempt.
Where applicable, Section 2713’s preventive care mandate generally requires ACA covered plans to cover without cost sharing specified preventive health services recommended with an A or B rating by the United States Preventive Services Task Force (USPSTF) and any immunization with a recommendation by ACIP adopted by the Centers for Disease Control and Prevention (CDC), for routine use for a given individual. As of now neither agency has adopted a recommendation of the second COVID-19 vaccine booster. Since Section 2713 specifies that its coverage mandates cannot trigger an obligation for covered group health plans to cover a new or revised recommendation any sooner than one year after a new or revised recommendation ispublished, any future adoption by the USPSTF, but not the ACIP, of a recommendation of the second booster shot will not trigger a federal coverage mandate. the ACA preventive care mandate. In contrast, ACA covered health plans would become immediately obligated to cover the second COVID booster if and when the ACIP in the future adds it to its recommendations, as the CARES Act mandate effectively renders moot the one year waiting period applicable for the ACA mandate.
As ACA group health plans and health insurance will become immediately required by the CARES Act to cover the second booster if and when the ACIP amends its COVID recommendations to recommend the second booster, group health plans, their sponsors, fiduciaries, administrators and insurers should monitor the ACIP recommendations for possible changes.
Along with this diligent oversight, most plan sponsors, fiduciaries and administrators should review their existing health plan language to determine if their existing plan language provides the currently mandated coverage as well as if the current language expressly provides or is sufficiently ambiguous to open the door for construction of the plan as authorizing coverage beyond existing applicable mandates. The COVID-19 related operational disruptions and exigencies present when the existing COVID-19 coverage mandates took effect creates a substantial likelihood that many plans contain less than optimal language regarding the COVID-19 vaccine and other mandates. Employer and other health plan sponsors, insurers, fiduciaries and administrators should assess whether tightening up their health plan language for the vaccination and other mandates is advisable to minimize compliance exposure risks, plan administration errors or unnecessary overpayments. Regardless of whether any change in plan language is necessary or advisable, group health plan fiduciaries, sponsors, administrators and insurers should prepare plan administration team members to respond to likely questions from plan members about COVID-19 vaccine and other COVID-related coverage. Health plan and human resources staff should be trained both to provide the appropriate substantive responses and to follow appropriate processes and procedures to contain the spread of fiduciary liability and to minimize the retaliation and other risks.
More Information
We hope this update is helpful. For more information about these or other health or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.
A Fellow in the American College of Employee Benefits Counsel repeatedly recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” by LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law and among the “Best Lawyers In Dallas” in “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of health industry and other workforce, employee benefits, health care and insurance legal representation, public policy leadership and advocacy, coaching, scholarship and training.
Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, Vice Chair of the ABA International Section Life Sciences Committee, current Chair-Elect of the ABA Tort & Insurance Section (TIPS) Medicine and Law Committee, former Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and the ABA RPTE Employee Benefits & Other Compensation Group, Ms. Stamer’s has worked extensively health and other employee benefit plan, managed care and other health and wellness, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, workforce and vendor performance management, regulatory and public policy and other legal and operational concerns. As a part of this work, she has continuously and extensively worked with domestic and international health plans, their sponsors, fiduciaries, administrators, and insurers; managed care and insurance organizations; hospitals, health care systems, clinics, skilled nursing, long term care, rehabilitation and other health care providers and facilities; medical staff, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; EHR, claims, payroll and other technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, self-insured health and other employee benefit plans, their sponsors, fiduciaries, administrators and service providers, insurers and other payers, health industry advocacy and other service providers and groups and other health and managed care industry clients as well as federal and state legislative, regulatory, investigatory and enforcement bodies and agencies.
This involvement encompasses helping health care systems and organizations, group and individual health care providers, health plans and insurers, health IT, life sciences and other health industry clients prevent, investigate, manage and resolve sexual assault, abuse, harassment and other organizational, provider and employee misconduct and other performance and behavior; manage Section 1557, Civil Rights Act and other discrimination and accommodation, and other regulatory, contractual and other compliance; vendors and suppliers; contracting and other terms of participation, medical billing, reimbursement, claims administration and coordination, Medicare, Medicaid, CHIP, Medicare/Medicaid Advantage, ERISA and other payers and other provider-payer relations, contracting, compliance and enforcement; Form 990 and other nonprofit and tax-exemption; fundraising, investors, joint venture, and other business partners; quality and other performance measurement, management, discipline and reporting; physician and other workforce recruiting, performance management, peer review and other investigations and discipline, wage and hour, payroll, gain-sharing and other pay-for performance and other compensation, training, outsourcing and other human resources and workforce matters; board, medical staff and other governance; strategic planning, process and quality improvement; meaningful use, EHR, HIPAA and other technology, data security and breach and other health IT and data; STARK, ant kickback, insurance, and other fraud prevention, investigation, defense and enforcement; audits, investigations, and enforcement actions; trade secrets and other intellectual property; crisis preparedness and response; internal, government and third-party licensure, credentialing, accreditation, HCQIA and other peer review and quality reporting, audits, investigations, enforcement and defense; patient relations and care; internal controls and regulatory compliance; payer-provider, provider-provider, vendor, patient, governmental and community relations; facilities, practice, products and other sales, mergers, acquisitions and other business and commercial transactions; government procurement and contracting; grants; tax-exemption and not-for-profit; privacy and data security; training; risk and change management; regulatory affairs and public policy; process, product and service improvement, development and innovation, and other legal and operational compliance and risk management, government and regulatory affairs and operations concerns. to establish, administer and defend workforce and staffing, quality, and other compliance, risk management and operational practices, policies and actions; comply with requirements; investigate and respond to Board of Medicine, Health, Nursing, Pharmacy, Chiropractic, and other licensing agencies, Department of Aging & Disability, FDA, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; JCHO and other accreditation and quality organizations; private litigation and other federal and state health care industry actions: regulatory and public policy advocacy; training and discipline; enforcement; and other strategic and operational concerns.
Ms. Stamer also shares her leadership through her extensive involvement in many professional, community and civic organizations including several current leadership roles in various ABA Committees, as a former Joint Committee on Employee Benefits Council Representative, former Society for Human Resources Management Region IV Board Chair and National Consultant’s Board Member; former Editorial Advisory Board Member and author for HR.com, Insurance ThoughtLeaders, BNA CD-Rolm, and Employee Benefits News; former Alliance for Healthcare Excellence Board President, Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, former Board Member and Compliance Chair of the National Kidney Foundation of North Texas. Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. These include hundreds of highly regarded articles and workshops on health and other benefits, workforce, health care and insurance concerns.
For more information about these requirements, Ms. Stamer or her experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.
About Solutions Law Press, Inc.™
Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here.
IMPORTANT NOTICE ABOUT THIS COMMUNICATION
If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.
NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access of this publication. Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.
The U.S. Department of Justice along with the Minnesota and New York Attorneys General (collectively “Justice Department”) have filed a civil antitrust lawsuit to stop UnitedHealth Group Incorporated (“United”) from acquiring Change Healthcare Inc. (“Change”) on February 24, 2022 in an announced $13 billion transaction that the Justice Department claims will harm self-insured employer health plan innovation and competition in the commercial health insurance market. The suit is the latest in a series of Justice Department suits that seek to prevent continued consolidation of the health industry giants following decades of industry consolidation.
United, headquartered in Minnetonka, Minnesota, is an integrated health care enterprise that includes, among other subsidiaries, UnitedHealthcare, the largest health insurer in the United States; Optum Health, a large network of health care providers located throughout the country; OptumRx, a large pharmacy benefit manager; and OptumInsight, a health care technology business. United’s revenues were $288 billion in 2021.
Change Healthcare Inc. headquartered in Nashville, Tennessee, is a leading independent health care technology company providing health care analytics, software, services and data to health care providers, health insurers and other software and services firms in the health care industry. Today, Change markets itself as a partner to a wide variety of other health care ecosystem organizations including United’s major health insurance competitors as providing vital software and services need for innovation and problem solving. These services include electronic data interchange (EDI) clearinghouse services, which transmit claims and payment information between insurers and providers, and first-pass claims editing solutions, which review claims under the health insurer’s policies and relevant treatment protocols. Change’s revenues were $3.4 billion in 2021.
In the civil antitrust complaint filed in the U.S. District Court for the District of Columbia on February 24, 2022, the Justice Department charges United’s acquisition of this neutral player would allow United to tilt the playing field in its favor, harming current competition and allowing United to control and distort the course of innovation in this industry for the foreseeable future.
Among other things, the Justice Department alleges allowing United to eliminate a significant independent and innovative competitor firm by acquiring Change will undermine competition in the commercial health insurance market, stifle innovation in the employer health insurance markets and suppress competition in the market for a vital technology used by health insurers to process health insurance claims and reduce health care costs by giving United control of a critical data highway through which about half of all Americans’ health insurance claims pass each year.
As alleged in the complaint, the proposed transaction would give United, a massive company that owns the largest health insurer in the United States, access to a vast amount of its rival health insurers’ competitively sensitive information. Post-acquisition, United would be able to use its rivals’ information to gain an unfair advantage and harm competition in health insurance markets. The Justice Department also claims the proposed transaction would eliminate United’s only major rival for first-pass claims editing technology — a critical product used to efficiently process health insurance claims and save health insurers billions of dollars each year — and give United a monopoly share in the market.
A Justice Department press release about the lawsuit quotes Principal Deputy Assistant Attorney General Doha Mekki of the Justice Department’s Antitrust Division as saying, “Unless the deal is blocked, United stands to see and potentially use its health insurance rivals’ competitively sensitive information for its own business purposes and control these competitors’ access to innovations in vital health care technology. The department’s lawsuit makes clear that we will not hesitate to challenge transactions that harm competition by placing so much control of data and innovation in the hands of a single firm.”
The suit is the latest in a series of civil antitrust lawsuits challenging proposed mergers or acquisitions of between health insurance industry giants as anticompetitive in recent years. Stay tuned for more details.
More Information
We hope this update is helpful. For more information about these or other health or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.
Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications. As a significant part of her work, Ms. Stamer has worked extensively on pandemic, business and other crisis planning, preparedness and response for more than 30 years.
Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, Vice Chair of the ABA International Section Life Sciences Committee, past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and the ABA RPTE Employee Benefits & Other Compensation Group, Ms. Stamer is most widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on health and other privacy and data security and other health industry legal, public policy and operational concerns. Ms. Stamer’s work throughout her 30 plus year career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. As a part of this work, she has continuously and extensively worked with domestic and international health plans, their sponsors, fiduciaries, administrators, and insurers; managed care and insurance organizations; hospitals, health care systems, clinics, skilled nursing, long term care, rehabilitation and other health care providers and facilities; medical staff, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; EHR, claims, payroll and other technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, self-insured health and other employee benefit plans, their sponsors, fiduciaries, administrators and service providers, insurers and other payers, health industry advocacy and other service providers and groups and other health and managed care industry clients as well as federal and state legislative, regulatory, investigatory and enforcement bodies and agencies.
This involvement encompasses helping health care systems and organizations, group and individual health care providers, health plans and insurers, health IT, life sciences and other health industry clients prevent, investigate, manage and resolve sexual assault, abuse, harassment and other organizational, provider and employee misconduct and other performance and behavior; manage Section 1557, Civil Rights Act and other discrimination and accommodation, and other regulatory, contractual and other compliance; vendors and suppliers; contracting and other terms of participation, medical billing, reimbursement, claims administration and coordination, Medicare, Medicaid, CHIP, Medicare/Medicaid Advantage, ERISA and other payers and other provider-payer relations, contracting, compliance and enforcement; Form 990 and other nonprofit and tax-exemption; fundraising, investors, joint venture, and other business partners; quality and other performance measurement, management, discipline and reporting; physician and other workforce recruiting, performance management, peer review and other investigations and discipline, wage and hour, payroll, gain-sharing and other pay-for performance and other compensation, training, outsourcing and other human resources and workforce matters; board, medical staff and other governance; strategic planning, process and quality improvement; meaningful use, EHR, HIPAA and other technology, data security and breach and other health IT and data; STARK, ant kickback, insurance, and other fraud prevention, investigation, defense and enforcement; audits, investigations, and enforcement actions; trade secrets and other intellectual property; crisis preparedness and response; internal, government and third-party licensure, credentialing, accreditation, HCQIA and other peer review and quality reporting, audits, investigations, enforcement and defense; patient relations and care; internal controls and regulatory compliance; payer-provider, provider-provider, vendor, patient, governmental and community relations; facilities, practice, products and other sales, mergers, acquisitions and other business and commercial transactions; government procurement and contracting; grants; tax-exemption and not-for-profit; privacy and data security; training; risk and change management; regulatory affairs and public policy; process, product and service improvement, development and innovation, and other legal and operational compliance and risk management, government and regulatory affairs and operations concerns. to establish, administer and defend workforce and staffing, quality, and other compliance, risk management and operational practices, policies and actions; comply with requirements; investigate and respond to Board of Medicine, Health, Nursing, Pharmacy, Chiropractic, and other licensing agencies, Department of Aging & Disability, FDA, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; JCHO and other accreditation and quality organizations; private litigation and other federal and state health care industry actions: regulatory and public policy advocacy; training and discipline; enforcement; and other strategic and operational concerns.
The American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting and a former Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. These include hundreds of highly regarded articles and workshops on health and other benefits, workforce, health care and insurance concerns.
For more information about these requirements, Ms. Stamer or her experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.
About Solutions Law Press, Inc.™
Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here.
IMPORTANT NOTICE ABOUT THIS COMMUNICATION
If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.
NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access of this publication. Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.
The Centers for Disease Control (CDC) One-Stop Shop provides quick access to communication resources. Topic-specific toolkits make it easy to access, leverage, and share CDC resources. These new toolkits contain videos, social media posts, PSAs, print resources, checklists, FAQs, and web resources for the following populations
We hope this update is helpful. For more information about this or other labor and employment developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.
Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.
About the Author
Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Law and Labor and Employment Law and Health Care; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.
Ms. Stamer’s work throughout her 30 plus year career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services, construction, manufacturing, staffing and workforce and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. As a part of this work, she has continuously and extensively worked with domestic and international employer and other management, employee benefit and other clients to assess, manage and defend joint employer and other worker classifications and practices under the FLSA and other federal and state laws including both advising and and assisting employers to minimize joint employer and other FLSA liability and defending a multitude of employers against joint employer and other FLSA and other worker classification liability. She also has been heavily involved in advocating for the Trump Administration’s restoration of more historical principles for determining and enforcing joint employer liability over the past several years.
Author of hundreds of highly regarded books, articles and other publications, Ms. Stamer also is widely recognized for her scholarship, coaching, legislative and regulatory advocacy, leadership and mentorship on wage and hour, worker classification and a diverse range of other labor and employment, employee benefits, health and safety, education, performance management, privacy and data security, leadership and governance, and other management concerns within the American Bar Association (ABA), the International Information Security Association, the Southwest Benefits Association, and a variety of other international, national and local professional, business and civic organizations including highly regarded works on worker reclassification and joint employment liability under the FLSA and other laws published by the Bureau of National Affairs and others. Examples of these involvements include her service as the ABA Intellectual Property Law Section Law Practice Management Committee; the ABA International Section Life Sciences and Health Committee Vice Chair-Policy; a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting and a former JCEB Council Representative and Marketing Chair; Past Chair of the ABA RPTE Employee Benefits and Other Compensation Group and Vice Chair of its Law Practice Management Committee; Past Chair of the ABA Managed Care & Insurance Interest Group; former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Southwest Benefits Association Board member; past Texas Association of Business State Board Member, BACPAC Committee Meeting, Regional and Dallas Chapter Chair; past Dallas Bar Association Employee Benefits Committee Executive Committee; former SHRM Region IV Chair and National Consultants Forum Board Member; for WEB Network of Benefit Professionals National Board Member and Dallas Chapter Chair; former Dallas World Affairs Council Board Member; founding Board Member, past President and Patient Empowerment and Health Care Heroes founder for the Alliance for Health Care Excellence; former Gulf States TEGE Council Exempt Organizations Coordinator and Board member; past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and involvement in a broad range of other professional and civic organizations. For more information about Ms. Stamer or her health industry and other experience and involvements, see http://www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.
About Solutions Law Press, Inc.™
Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here.
If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.
NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc. disclaim, and have no responsibility to provide any update or otherwise notify anyone any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.
Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.
The just announced March 31, 2019 update of the the Annual Vietnam Era Veterans’ Readjustment Assistance Act (VEVRAA) hiring benchmark for federal government contractors and subcontractors changes to 5.9% provides an important reminder to U.S. employers to review and tighten the compliance of their recruiting, hiring, employment, compensation and benefits, and other policies and practices to withstand growing scrutiny and enforcement risks under federal laws.
Government contractors, subcontractors and other U.S businesses should reconfirm their compliance with the new benchmark and other VEVRAA requirements for dealing with veterans in light of the Trump Administration’s continuing emphasis on enforcing it and other federal laws protecting active duty military and veteran servicemen and women. As part of these enforcement efforts the Office of Federal Contract Compliance Programs (“OFCCP”) has announced it plans to incorporate VEVRAA Focused Reviews into the Corporate Scheduling Announcement List next fiscal year.
The Department of Labor announced the new 5.9% 2019 benchmark today (March 27, 2019). At the same time, it also updated national and state information in the VEVRAA Benchmark Database for federal contractors and subcontractors who calculate an individualized hiring benchmark using the five-factor method.
VEVRRA & USERRA Protections For Active Duty Military & Veterans
Affirmative action hiring by government contractors and subcontractors is one of the VEVRRA requirements for government contractors and subcontractors to provide assistance to and protect returning veterans from employment discrimination.
One of two key federal laws specifically prohibiting discrimination against returning veterans, VEVRRA applies only to government contractors and subcontractors. The other law, the Uniformed Services Employment and Reemployment Rights Act (USERRA), applies to virtually all U.S. employers.
Among other things, VEVRAA and its implementing regulations impose affirmative action requirements that require federal contractors and subcontractors to monitor and improve efforts to recruit and hire “protected veterans.” Protected veterans generally include veterans who are:
Disabled veterans: Those who are “entitled to compensation…under laws administered by the Secretary of Veterans Affairs” or “those who were released from active duty because of a service-connected disability;
Recently separated veterans;
Active duty wartime or campaign veterans;
Campaign badge veterans; and
Armed Forces service medal veterans.
Among other things, VEVRAA and its implementing Final Regulations generally require government contractors and subcontractors:
To set a hiring benchmark by either: (1) adopting a benchmark based on the national percentage of veterans currently in the workforce (5.9% effective March 31, 2019); or (2) creating an individualized benchmark based on their own interpretation of the best available data nationally and within their state/region.
Invite voluntary self-identification of applicants and employees as protected veterans. Pre-offer invitation to self-identify will involve asking whether the applicant believes that s/he is a protected veteran under VEVRAA without asking about the particular category of protection. Post-offer self-identification will request information regarding the specific category of protected veteran status. For Sample self-identification forms for both pre- and post-offer forms, see Appendix B Part 60-300 of the Final Regulation.
Comply with OFCCP reviews including providing on-site and off-site access to documents needed for compliance and focused reviews.
Track and report the effectiveness of veteran recruiting and hiring efforts by collecting specified data, which also must be retained for three years.
Provide access to job listings that identify the employer as a federal contractor in a format that can be used by veterans’ Employment Service Delivery Systems (ESDS).
Use mandated language in federal contracts (including subcontracts) to communicate the contractor’s obligations to employ and advance protected veterans.
While VEVRRA only applies to government contractors and subcontractors, USERRA generally applies to all employers.
USERRA generally provides that an individual who leaves a job to serve in the uniformed services is generally entitled to continue medical coverage for up to 26 months while absent for a qualifying military leave, reemployment by the previous employer upon timely return from military leave and, upon reemployment, to restoration of service, promotion, benefits and other rights of employment.
As part of these reemployment rights, qualifying service members timely returning from military leave are entitled to receive credit for benefits, including employee pension plan benefits, that would have accrued but for the employee’s absence due to the military service. USERRA’s pension-related provisions generally require that pension plans treat a service member who is called to active duty as if the service member had no break in service for purpose of the administration of pension benefits when the service member timely returns to employment at the end of a military leave. In addition to these pension rights, USERRA also requires employers honor other rights to employment, promotion and other benefits and rights of employment.
Beyond these VEVRRA and USERRA employment rights, service members taking or returning from active duty often enjoy various other employment and other protections under various other federal and state laws, many of which have been expanded in recent years.
As many veterans suffer return with physical, cognitive or emotional injuries and conditions, veteran applicants and employees may qualify for the disability discrimination, accommodation, privacy and other protections of the Americans with Disabilities Act (ADA) and, in the case of government contractors and subcontractors, the Section 503 of the Rehabilitation Act.
Under requirements of the Soldiers’ and Sailors’ Civil Relief Act (SSCRA), creditors including a pension plan, employer loan program or credit union generally are required to drop interest charges down to 6 percent on debt owed by those called to active duty for the period of such military service. Further, under the Employee Retirement Income Security Act (ERISA), the loan will not fail to be a qualified loan under ERISA solely because the interest rate is capped by SSCRA. These and other provisions of federal law often require pension and profit-sharing plans that allow plan loans to change loan terms and tailor other special treatment of participants who are on military leave.
In addition to the specific protection given to a service member, employers also need to be ready to honor certain family leave protections afforded to qualifying family members or caregivers of service members added to the Family & Medical Leave Act (FMLA) in recent years. As amended to include these military leave related protections, the FMLA may require certain employees who are the spouse, son, daughter, or parent of a military member to take to 12 weeks of FMLA leave during any 12-month period to address the most common issues that arise when a military member is deployed to a foreign country, such as attending military sponsored functions, making appropriate financial and legal arrangements, and arranging for alternative childcare. This provision applies to the families of members of both the active duty and reserve components of the Armed Forces. Meanwhile, the “Military Caregiver Leave” provisions added to the FMLA may entitle certain employees who are the spouse, son, daughter, parent or next of kin of a covered service member to up to 26 weeks of FMLA leave during a single 12-month period to care for the service member who is undergoing medical treatment, recuperation, or therapy, is otherwise in outpatient status, or is otherwise on the temporary disability retired list, for a serious injury or illness incurred or aggravated in the line of duty on active duty. These provisions apply to the families of members of both the active duty and reserve components of the Armed Forces. The expansion of these requirements, updating of regulation, and rising enforcement by private plaintiffs and the government make it advisable that businesses take all necessary steps to ensure their employment practices, employee benefit plans, fringe benefit programs and other practices are updated and administered to comply with the current requirements of VEVRRA, USERAA, SSCRA, the FMLA and other applicable federal and state laws.
Special care also generally is needed when designing and administering employment based health benefit programs to avoid violating federal eligibility rules prohibiting discrimination against service members, to properly offer continuation coverage and reinstatement during and following periods of service by employees and family members, and to avoid improper denial of coverage or coordination of benefit rules with military and veteran health benefits.
Given the potential liabilities that can result from noncompliance with these and other federal employment rules and requirements protecting active military and veteran service men and women, U.S. employer generally should reconfirm and carefully monitor and document their compliance with these laws to minimize their liability exposure. Where employers use subcontractors or otherwise outsource work, these businesses also should consider require their subcontractors and other service providers to contract to comply with these requirements, to supply data and other documentation that the employer might need to complete reports or otherwise defend its compliance, to cooperate in audits and other investigations, and to participate and cooperate with employer initiated compliance audits as well as government audits and investigations.
Need more information about veterans’ employment or other Human Resources, employee benefits, compensation or other performance and compliance management, check out the extensive training and other resources available on the author’s website or contact the author, Cynthia Marcotte Stamer.
Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of management focused employment, employee benefit and insurance, workforce and other management work, public policy leadership and advocacy, coaching, teachings, and publications.
Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer has advised, trained, coached and defended businesses, employee benefit plans and others, published, and problem solved on opportunities and challenges relating to employment, benefits consumer, health care, disability and other rights and needs of active duty and veteran service people and their families.
Ms. Stamer’s clients include employers and other workforce management organizations; employer, union, association, government and other insured and self-insured health and other employee benefit plan sponsors, benefit plans, fiduciaries, administrators, and other plan vendors; domestic and international public and private health care, education and other community service and care organizations; managed care organizations; insurers, third-party administrative services organizations and other payer organizations; and other private and government organizations and their management leaders.
Throughout her 30 plus year career, Ms. Stamer has continuously worked with these and other management clients to design, implement, document, administer and defend hiring, performance management, compensation, promotion, demotion, discipline, reduction in force and other workforce, employee benefit, insurance and risk management, health and safety, and other programs, products and solutions, and practices; establish and administer compliance and risk management policies; comply with requirements, investigate and respond to government, accreditation and quality organizations, regulatory and contractual audits, private litigation and other federal and state reviews, investigations and enforcement actions; evaluate and influence legislative and regulatory reforms and other regulatory and public policy advocacy; prepare and present training and discipline; handle workforce and related change management associated with mergers, acquisitions, reductions in force, re-engineering, and other change management; and a host of other workforce related concerns. Ms. Stamer’s experience in these matters includes supporting these organizations and their leaders on both a real-time, “on demand” basis with crisis preparedness, intervention and response as well as consulting and representing clients on ongoing compliance and risk management; plan and program design; vendor and employee credentialing, selection, contracting, performance management and other dealings; strategic planning; policy, program, product and services development and innovation; mergers, acquisitions, bankruptcy and other crisis and change management; management, and other opportunities and challenges arising in the course of workforce and other operations management to improve performance while managing workforce, compensation and benefits and other legal and operational liability and performance.
Past Chair of the ABA Managed Care & Insurance Interest Group and, a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, heavily involved in health benefit, health care, health, financial and other information technology, data and related process and systems development, policy and operations throughout her career, and scribe of the ABA JCEB annual Office of Civil Rights agency meeting, Ms. Stamer also is widely recognized for her extensive work and leadership on leading edge health care and benefit policy and operational issues. She regularly helps employer and other health benefit plan sponsors and vendors, health industry, insurers, health IT, life sciences and other health and insurance industry clients design, document and enforce plans, practices, policies, systems and solutions; manage regulatory, contractual and other legal and operational compliance; vendors and suppliers; deal with Medicare, Medicaid, CHIP, Medicare/Medicaid Advantage, ERISA, state insurance law and other private payer rules and requirements; contracting; licensing; terms of participation; medical billing, reimbursement, claims administration and coordination, and other provider-payer relations; reporting and disclosure, government investigations and enforcement, privacy and data security; and other compliance and enforcement; Form 990 and other nonprofit and tax-exemption; fundraising, investors, joint venture, and other business partners; quality and other performance measurement, management, discipline and reporting; physician and other workforce recruiting, performance management, peer review and other investigations and discipline, wage and hour, payroll, gain-sharing and other pay-for performance and other compensation, training, outsourcing and other human resources and workforce matters; board, medical staff and other governance; strategic planning, process and quality improvement; HIPAA health care, financial, tax, HR and technology, privacy, data security and breach; health care, insurance, and other fraud prevention, investigation, defense and enforcement; audits, investigations, and enforcement actions; trade secrets and other intellectual property; crisis preparedness and response; internal, government and third-party licensure, credentialing, accreditation, HCQIA, HEDIS and other peer review and quality reporting, audits, investigations, enforcement and defense; patient relations and care; internal controls and regulatory compliance; payer-provider, provider-provider, vendor, patient, governmental and community relations; facilities, practice, products and other sales, mergers, acquisitions and other business and commercial transactions; government procurement and contracting; grants; tax-exemption and not-for-profit; 1557 and other Civil Rights; privacy and data security; training; risk and change management; regulatory affairs and public policy; process, product and service improvement, development and innovation, and other legal and operational compliance and risk management, government and regulatory affairs and operations concerns.
A former lead consultant to the Government of Bolivia on its Pension Privatization Project with extensive domestic and international public policy concerns in pensions, healthcare, workforce, immigration, tax, education and other areas, Ms. Stamer has been extensively involved in U.S. federal, state and local health care and other legislative and regulatory reform impacting these concerns throughout her career. Her public policy and regulatory affairs experience encompasses advising and representing domestic and multinational private sector health, insurance, employee benefit, employer, staffing and other outsourced service providers, and other clients in dealings with Congress, state legislatures, and federal, state and local regulators and government entities, as well as providing advice and input to U.S. and foreign government leaders on these and other policy concerns.
Author of leading works on a multitude of labor and employment, compensation and benefits, internal controls and compliance, and risk management matters and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her thought leadership, experience and advocacy on these and other related concerns by her service in the leadership of the Solutions Law Press, Inc. Coalition for Responsible Health Policy, its PROJECT COPE: Coalition on Patient Empowerment, and a broad range of other professional and civic organizations including North Texas Healthcare Compliance Association, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children (now Warren Center For Children); current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, past Representative and chair of various committees of ABA Joint Committee on Employee Benefits; an ABA Health Law Coordinating Council representative, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, a former member of the Board of Directors of the Southwest Benefits Association and others.
For more information about Ms. Stamer or her services, experience and involvements, see here or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.
About Solutions Law Press, Inc.™
Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources here such as the following:
If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here. We also invite you to join the discussion of these and other human resources, health and other employee benefit and patient empowerment concerns by participating and contributing to the discussions in our Health Plan Compliance Group or COPE: Coalition On Patient Empowerment Groupon LinkedIn or Project COPE: Coalition on Patient Empowerment Facebook Page.
NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The presenter and the program sponsor disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.
Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.
Employers, health plans and others concerned about managing the high medical, disability and other costs of Type 2 Diabetes should use today’s annual Diabetes Awareness Day observances and resources to beef up their efforts and tools.
With 1 in 3 adult Americans at risk for Type 2 diabetes, the Centers for Disease Control (“CDC”) and other public and private organizations partnering in The National Diabetes Prevention Program are urging all Americans, their health plans, state and local agencies and communities to protect themselves and join their fight to prevent or delay Type 2 diabetes.
Celebrated every year on the fourth Tuesday in March, Diabetes Alert Day promotes awareness of the prevalence and risks of undiagnosed or unmanaged Type 2 Diabetes to Americans, American taxpayers, health benefit programs and their communities.
More than 30 million people in the United States have diabetes and an additional 84 million adults—over a third—have prediabetes, and 90% of them don’t know they have it.
Diabetes is the 7th leading cause of death in the United States (and may be underreported).
Type 2 diabetes accounts for about 90% to 95% of all diagnosed cases of diabetes; type 1 diabetes accounts for about 5%.
In the last 20 years, the number of adults diagnosed with diabetes has more than tripled as the American population has aged and become more overweight or obese
Undiagnosed or unmanaged Type 2 diabetes threatens serious and disabling medical risks for afflicted individuals that also are financially costly for patients and their families, their health plans, taxpayers and communities.
Type 2 diabetes usually starts during adulthood; however, children, teens, and young adults increasingly also are developing it. Since Type 2 diabetes symptoms often develop over several years and can go on for a long time without being noticed it’s important individuals know the factors for Type 2 Diabetes and that people with these symptoms visit their doctor promptly.
Fortunately, Type 2 Diabetes and its costs often can be prevented or minimized through appropriate diagnosis and treatment. That’s why the CDC and its partners are urging all Americans, the employers, health plans, health care providers and communities to join the fight against Type 2 Diabetes.
To start with, the CDC and its partners ask every American to learn their risk for diabetes by taking the online Type 2 Diabetes Risk and promote use of CDC-recognized lifestyle change programs to individuals suffering or at risk for Type 2 diabetes.
The CDC and its partners also are asking American families, health care providers, employers and their health benefit programs, federal, local and state governments and communities to help identify and get people at risk or suffering from Type 2 diabetes involved in making appropriate lifestyle changes and other activities to help manage their Type 2 Diabetes and offers a multitude of free tools and resources to help promote Type 2 Diabetes Awareness and assist in its prevention and treatment.
Employers and their health plans and insurers should consider participating in Diabetes Alert Day and using some of the resources provided by CDC and other partners to beef up their Type 2 and other Diabetes prevention, screening and management efforts. Appropriate use of these resources could help mitigate exposure to the high medical, disability, productivity and other costs that employers and their health plans generally incur when employees or their family members suffer from undiagnosed or unmanaged diabetes. When utilizing these resources, however, employers and their health plan fiduciaries, insurers and administrators are reminded to use care to implement and administer these wellness and other programs in a manner that complies with the Americans With Disabilities Act (“ADA”), Health Insurance Portability & Accountability Act, Internal Revenue Code and other federal and state requirements concerning the design and administration of wellness and disease management programs including recent updates in the Equal Employment Opportunity Commission’s regulations and enforcement positions under the ADA.
Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of management focused employment, employee benefit and insurance, workforce and other management work, public policy leadership and advocacy, coaching, teachings, and publications.
Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer’s clients include employers and other workforce management organizations; employer, union, association, government and other insured and self-insured health and other employee benefit plan sponsors, benefit plans, fiduciaries, administrators, and other plan vendors; domestic and international public and private health care, education and other community service and care organizations; managed care organizations; insurers, third-party administrative services organizations and other payer organizations; and other private and government organizations and their management leaders.
Throughout her 30 plus year career, Ms. Stamer has continuously worked with these and other management clients to design, implement, document, administer and defend hiring, performance management, compensation, promotion, demotion, discipline, FMLA and other leave, reduction in force and other workforce, employee benefit, insurance and risk management, health and safety, and other programs, products and solutions, and practices; establish and administer compliance and risk management policies; comply with requirements, investigate and respond to government, accreditation and quality organizations, regulatory and contractual audits, private litigation and other federal and state reviews, investigations and enforcement actions; evaluate and influence legislative and regulatory reforms and other regulatory and public policy advocacy; prepare and present training and discipline; handle workforce and related change management associated with mergers, acquisitions, reductions in force, re-engineering, and other change management; and a host of other workforce related concerns. Ms. Stamer’s experience in these matters includes supporting these organizations and their leaders on both a real-time, “on demand” basis with crisis preparedness, intervention and response as well as consulting and representing clients on ongoing compliance and risk management; plan and program design; vendor and employee credentialing, selection, contracting, performance management and other dealings; strategic planning; policy, program, product and services development and innovation; mergers, acquisitions, bankruptcy and other crisis and change management; management, and other opportunities and challenges arising in the course of workforce and other operations management to improve performance while managing workforce, compensation and benefits and other legal and operational liability and performance.
Past Chair of the ABA Managed Care & Insurance Interest Group and, a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, heavily involved in health benefit, health care, health, financial and other information technology, data and related process and systems development, policy and operations throughout her career, and scribe of the ABA JCEB annual Office of Civil Rights agency meeting, Ms. Stamer also is widely recognized for her extensive work and leadership on leading edge health care and benefit policy and operational issues. She regularly helps employer and other health benefit plan sponsors and vendors, health industry, insurers, health IT, life sciences and other health and insurance industry clients design, document and enforce plans, practices, policies, systems and solutions; manage regulatory, contractual and other legal and operational compliance; vendors and suppliers; deal with Medicare, Medicaid, CHIP, Medicare/Medicaid Advantage, ERISA, state insurance law and other private payer rules and requirements; contracting; licensing; terms of participation; medical billing, reimbursement, claims administration and coordination, and other provider-payer relations; reporting and disclosure, government investigations and enforcement, privacy and data security; and other compliance and enforcement; Form 990 and other nonprofit and tax-exemption; fundraising, investors, joint venture, and other business partners; quality and other performance measurement, management, discipline and reporting; physician and other workforce recruiting, performance management, peer review and other investigations and discipline, wage and hour, payroll, gain-sharing and other pay-for performance and other compensation, training, outsourcing and other human resources and workforce matters; audits, investigations, enforcement and defense; Civil Rights; privacy and data security; training; risk and change management; regulatory affairs and public policy; process, product and service improvement, development and innovation, and other legal and operational compliance and risk management, government and regulatory affairs and operations concerns.
A former lead consultant to the Government of Bolivia on its Pension Privatization Project with extensive domestic and international public policy concerns in pensions, healthcare, workforce, immigration, tax, education and other areas, Ms. Stamer has been extensively involved in U.S. federal, state and local health care and other legislative and regulatory reform impacting these concerns throughout her career. Her public policy and regulatory affairs experience encompasses advising and representing domestic and multinational private sector health, insurance, employee benefit, employer, staffing and other outsourced service providers, and other clients in dealings with Congress, state legislatures, and federal, state and local regulators and government entities, as well as providing advice and input to U.S. and foreign government leaders on these and other policy concerns.
Author of leading works on a multitude of labor and employment, compensation and benefits, internal controls and compliance, and risk management matters and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her thought leadership, experience and advocacy on these and other related concerns by her service in the leadership of the Solutions Law Press, Inc. Coalition for Responsible Health Policy, its PROJECT COPE: Coalition on Patient Empowerment, and a broad range of other professional and civic organizations including North Texas Healthcare Compliance Association, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children (now Warren Center For Children); current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, past Representative and chair of various committees of ABA Joint Committee on Employee Benefits; an ABA Health Law Coordinating Council representative, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, a former member of the Board of Directors of the Southwest Benefits Association and others.
For more information about Ms. Stamer or her experience and involvements, see here or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.
About Solutions Law Press, Inc.™
Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources here such as the following:
If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.
NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advise or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The presenter and the program sponsor disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.
Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.
The planned shift to demand greater interoperability promises to create new demands for employer-sponsored health plans, health insurers and others involved in the healthcare delivery and payment processes. Health plans and their insurers and sponsors should begin preparing for these new demands, as well as to leverage the new opportunities and manage the new risks they will create.
The Report describes barriers, actions taken, and recommendations as well as ONC’s path forward to implement the 21st Century Cures Act.
Under the 21st Century Cures Act, Congress gave HHS authority to enhance innovation, scientific discovery, and expand the access and use of health information through provisions related to:
The development and use of upgraded health IT capabilities;
Transparent expectations for data sharing, including through open application programming interfaces (APIs); and
Improvement of the health IT end user experience, including by reducing administrative burden.
These priorities seek to increase nationwide interoperability of health information and reduce clinician burden..
Current Status
The Report says increases in the adoption of health IT means most Americans receiving health care services now have their health data recorded electronically. However, this information is not always accessible across systems and by all end users—such as patients, health care providers, and payers—in the market in productive ways. For example:
Despite the individual right to access health information about themselves established by the HIPAA Privacy Rule, patients often lack access to their own health information, which hinders their ability to manage their health and shop for medical care at lower prices;
Health care providers often lack access to patient data at the point of care, particularly when multiple health care providers maintain different pieces of data, own different systems, or use health IT solutions purchased from different developers; and
Payers often lack access to clinical data on groups of covered individuals to assess the value of services provided to their customers.
The Report says these limitations create several problems, including:
Patients should be able to easily and securely access their medical data through their smartphones. Currently, patients electronically access their health information through patient portals that prevent them from easily pulling from multiple sources or health care providers. Patient access to their electronic health information also requires repeated use of logins and manual data updates.
For health care providers and payers, interoperable access and exchange of health records is focused on accessing one record at a time.
Payers cannot effectively represent their members if they lack computational visibility into which health care providers offer the highest quality care at the lowest cost. Without the capability to access multiple records across a population of patients, health care providers and payers will not benefit from the value of using modern computing solutions—such as machine learning and artificial intelligence—to inform care decisions and identify trends.
Payers and employer group health plans which purchase health care have little information on health outcomes. Often, health care providers and payers negotiate contracts based on the health care provider’s reputation rather than on the quality of care that health care provider offers to patients. Health care providers should instead compete based on the entire scope of the quality and value of care they provide, not on how exclusively they can craft their networks. Outcome data will allow payers to apply machine learning and artificial intelligence to have better insight into the value of the care they purchase.
Current Barriers
According to the Report, HHS heard from stakeholders over the past year that barriers to interoperable access to health information remain, including technical, financial, trust, and business practice barriers. These barriers impede the movement of health information to where it is needed across the care continuum. In addition, burden arising from quality reporting, documentation, administrative, and billing requirements that prescribe how health IT systems are designed also hamper the innovative usability of health IT.
Current and Upcoming Actions
The Report states HHS has many efforts to help ensure that electronic health information can be shared safely and securely where appropriate to improve the health and care of all Americans.
ONC also reports Federal agencies, states, and industry have taken steps to address technical, trust, and financial challenges to interoperable health information access, exchange, and use for patients, health care providers, and payers (including insurers). HHS aims to build on these successes through the ONC Health IT Certification Program, HHS rulemaking, health IT innovation projects, and health IT coordination.
In accordance with the Cures Act, HHS is actively leading and coordinating a number of key programs and projects. These include continued work to deter and penalize poor business practices and that HHS conducted multiple outreach efforts to engage the clinical community and health IT stakeholders to better understand these barriers, challenges, and health care provider burden.
Recommendations
The Report makes the following overarching recommendations for future actions HHS plans to support through its policies and that the health IT community as a whole can take to accelerate progress:
Focus on improving interoperability and upgrading technical capabilities of health IT, so patients can securely access, aggregate, and move their health information using their smartphones (or other devices) and health care providers can easily send, receive, and analyze patient data.
Increase transparency in data sharing practices and strengthen technical capabilities of health IT so payers can access population-level clinical data to promote economic transparency and operational efficiency to lower the cost of care and administrative costs.
Prioritize improving health IT and reducing documentation burden, time inefficiencies, and hassle for health care providers, so they can focus on their patients rather than their computers.
The Report also says interoperable access underpins HHS’s efforts to pursue a health care system where data are available when and where needed.
ONC intends to particularly focus on promoting open APIs. Open APIs are technology that allow one software program to access the services provided by another software program and can improve access and exchange of health information. ONC says APIs can:
Support patients’ ability to have more access to information electronically through, for example, smartphones and mobile applications. HHS applauds the emergence of patient-facing applications that allow patients to access, aggregate, and act on their health information; and
Allow payers to receive necessary and appropriate information on a group of members without having to access one record at a time.
Increase institutional accountability, support value- based care models, and lead to competitive medical care pricing that benefits patients.
The Report claims patients, health care providers, and payers with appropriate access to health information can use modern computing solutions to generate value from the data. Improved interoperability can strengthen market competition, result in greater quality, safety, and value for the healthcare system, and enable patients, health care providers, and payers to experience the benefits of health IT.
Prepare For Enhanced Operability Requirements
ONC’s plan to achieve greater interoperability presents new business and compliance planning opportunities and challenges for health care providers, health insurers and other payers, health data and information technology (IT) providers and others. Among other things, participants in the healthcare system and their suppliers will need to prepare to comply with new expectations and mandates for interoperability. Meeting these demands will require financial expenditures as well as present technological challenges.The increased availability and accessto electronica medical records and information resulting from these changes also a can be expected to drive new challenges and demands. Among other things, businesses relying on control of health information or records to influence or control patience, reimbursement, or other business value need to reevaluate and adjust their business models accordingly.
Improve accessibility and interoperability also is likely to create new expectations and demands by patients, payers, other providers and perhaps most significantly for providers and payers, regulators. Participants in the system will need to understand these applications and prepare to both defend their business performance as well as their compliance taking into account these new demands.
Amid all of this, of course, providers, pears, and their business associates can anticipate continued if not enhanced demands for enhanced data security and privacy protections and accompanying enforcement of these standards.
As ONC move forward on its plans to enhance interoperability, all concerned stakeholders will want to monitor developments and provide thoughtful and timely input. The time to get started is now. ONC and it’s sister agency, the Office of Civil Rights currently are inviting public comments about how to achieve these and other health IT and privacy improvements. Those interested in providing input should make sure their comments are submitted by the applicable deadlines next month.
ONC and it’s sister agency, the Office of Civil Rights currently are inviting public comments about how to achieve these and other health IT and privacy improvements. Read the full Report here and share your input by the specified deadlines.
About the Author
Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: Erisa & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of managed care and other health industry, health and other benefit and insurance, workforce and other management work, public policy leadership and advocacy, coaching, teachings, and publications.
Past Chair of the ABA Managed Care & Insurance Interest Group and, a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer has been continuously involved the design, regulation, administration and defense of managed care and other health and employee benefit, health care, human resources and other staffing and workforce arrangements, contracts, systems, and processes. As a continuous component of this work, Ms. Stamer has worked closely with these and other clients on the design, development, administration, defense, and breach and data recovery of health care, workforce, insurance and financial services, trade secret and other information technology, data and related process and systems development, policy and operations throughout her career.
Scribe of the ABA JCEB annual Office of Civil Rights agency meeting, Ms. Stamer also is widely recognized for her extensive work and leadership on leading edge health care and benefit policy and operational issues.
Ms. Stamer’s clients include employers and other workforce management organizations; employer, union, association, government and other insured and self-insured health and other employee benefit plan sponsors, benefit plans, fiduciaries, administrators, and other plan vendors; managed care organizations, insurers, self-insured health plans and other payers and their management; public and private, domestic and international hospitals, health care systems, clinics, skilled nursing, long-term care, rehabilitation and other health care providers and facilities; medical staff, health care accreditation, peer review and quality committees and organizations; managed care organizations, insurers, third-party administrative services organizations and other payer organizations; billing, utilization management, management services organizations; group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; claims, billing and other health care and insurance technology and data service organizations; other health, employee benefit, insurance and financial services product and solutions consultants, developers and vendors; and other health, employee benefit, insurance, technology, government and other management clients.
A former lead consultant to the Government of Bolivia on its Pension Privatization Project with extensive domestic and international public policy concerns in pensions, healthcare, workforce, immigration, tax, education and other areas, Ms. Stamer has been extensively involved in U.S. federal, state and local health care and other legislative and regulatory reform impacting these concerns throughout her career. Her public policy and regulatory affairs experience encompasses advising and representing domestic and multinational private sector health, insurance, employee benefit, employer, staffing and other outsourced service providers, and other clients in dealings with Congress, state legislatures, and federal, state and local regulators and government entities, as well as providing advice and input to U.S. and foreign government leaders on these and other policy concerns.
Beyond her public policy and regulatory affairs involvement, Ms. Stamer also has extensive experience helping these and other clients to design, implement, document, administer and defend workforce, employee benefit, insurance and risk management, health and safety, and other programs, products and solutions, and practices; establish and administer compliance and risk management policies; comply with requirements, investigate and respond to government; accreditation and quality organizations; private litigation and other federal and state health care industry investigations and enforcement actions; evaluate and influence legislative and regulatory reforms and other regulatory and public policy advocacy; training and discipline; enforcement, and a host of other related concerns. Ms. Stamer’s experience in these matters includes supporting these organizations and their leaders on both a real-time, “on demand” basis with crisis preparedness, intervention and response as well as consulting and representing clients on ongoing compliance and risk management; plan and program design; vendor and employee credentialing, selection, contracting, performance management and other dealings; strategic planning; policy, program, product and services development and innovation; mergers, acquisitions, and change management; workforce and operations management, and other opportunities and challenges arising in the course of their operations.
Ms. Stamer also has extensive health care reimbursement and insurance experience advising and defending plan sponsors, administrators, insurance and managed care organizations, health care providers, payers, and others about Medicare, Medicaid, Medicare and Medicaid Advantage, Tri-Care, self-insured group, association, individual and employer and association group and other health benefit programs and coverages including but not limited to advising public and private payers about coverage and program design and documentation, advising and defending providers, payers and systems and billing services entities about systems and process design, audits, and other processes; provider credentialing, and contracting; providers and payer billing, reimbursement, claims audits, denials and appeals, coverage coordination, reporting, direct contracting, False Claims Act, Medicare & Medicaid, ERISA, state Prompt Pay, out-of-network and other nonpar insured, and other health care claims, prepayment, post-payment and other coverage, claims denials, appeals, billing and fraud investigations and actions and other reimbursement and payment related investigation, enforcement, litigation and actions. Scribe for the ABA JCEB annual agency meeting with HHS OCR, she also has worked extensively on health and health benefit coding, billing and claims, meaningful use and EMR, billing and reimbursement, quality measurement and reimbursement, HIPAA, FACTA, PCI, trade secret, physician and other medical, workforce, consumer financial and other data confidentiality and privacy, federal and state data security, data breach and mitigation, and other information privacy and data security concerns.
Author of leading works on a multitude of health care, health plan and other health industry matters, the American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting, former Vice President of the North Texas Health Care Compliance Professionals Association, past Chair of the ABA Health Law Section Managed Care & Insurance Section, past ABA JCEB Council Representative and CLE and Marketing Committee Chair, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer’s health industry clients include public health organizations; public and private hospitals, healthcare systems, clinics and other health care facilities; physicians, physician practices, medical staff, and other provider organizations; skilled nursing, long-term care, assisted living, home health, ambulatory surgery, dialysis, telemedicine, DME, Pharma, clinics, and other health care providers; billing, management and other administrative services organizations; insured, self-insured, association and other health plans; PPOs, HMOs and other managed care organizations, insurance, claims administration, utilization management, and other health care payers; public and private peer review, quality assurance, accreditation and licensing; technology and other outsourcing; healthcare clearinghouse and other data; research; public and private social and community organizations; real estate, technology, clinical pathways, and other developers; investors, banks and financial institutions; audit, accounting, law firm; consulting; document management and recordkeeping, business associates, vendors, and service providers and other professional and other health industry organizations; academic medicine; trade associations; legislative and other law making bodies and others.
A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about contracting, credentialing and quality assurance, compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, privacy and data security, and other risk management and operational matters. Author of works on Payer and Provider Contracting and many other managed care concerns, Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns.
A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her thought leadership, experience and advocacy on these and other related concerns by her service in the leadership of the Solutions Law Press, Inc. Coalition for Responsible Health Policy, its PROJECT COPE: Coalition on Patient Empowerment, and a broad range of other professional and civic organizations including North Texas Healthcare Compliance Association, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children (now Warren Center For Children); current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, past Representative and chair of various committees of ABA Joint Committee on Employee Benefits; an ABA Health Law Coordinating Council representative, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, a former member of the Board of Directors of the Southwest Benefits Association and others.
For more information about Ms. Stamer or her health industry and other experience and involvements, see here or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.
About Solutions Law Press, Inc.™
Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources here such as:
If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.
NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advise or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The presenter and the program sponsor disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.
Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.
Health plans, their employer and other sponsors and fiduciaries, health insurers, health care providers, health care clearinghouses and their business associates should study and learn from the just announced, record-setting $16 million resolution agreement between health insurance giant, Anthem, Inc., to resolve Department of Health & Human Services Office of Civil Rights (OCR) charges that Anthem, Inc.’s violations of the Health Insurance Portability & Accountability Act (HIPAA) Privacy and Security Rules exposed the electronic protected health information (ePHI) of almost 79 million people. In addition to reviewing the adequacy of their own HIPAA privacy and security practices, health plans, their employer and union sponsors and fiduciaries also should consider assessing the advisability of tightening their business associate and other agreements with health insurers, third party administrative services providers and other vendors in light of the resolution agreement and experiences arising out of the Anthem breach to better position themselves to assess and enforce HIPAA compliance, receive notice and respond in the event of an insurer or other vendor breach and mitigate financial costs and liabilities resulting from breaches or other compliance deficiencies.
Anthem’s Record Setting HIPAA Breach & Resolution Agreement
The settlement agreement announced October 15, 2018 by OCR requires Anthem, Inc. to pay a $16 million resolution payment to OCR and take a series of corrective actions to resolve HIPAA liabilities to OCR for allowing the largest known U.S. health data breach in history in 2015. The record $16 million resolution payment eclipses the prior record resolution payment of $5.55 million Memorial Healthcare System (MHS) paid OCR to settle HIPAA charges in 2016. Moreover, the $16 million resolution payment it’s just a small portion of the amount that Anthem has been required to shell out as a consequence of the breach. In addition to the $16 million paid under the OCR resolution agreement, anthem already has paid more than $115 million to settle lawsuits arising out of the breach under other laws.
An independent licensee of the Blue Cross and Blue Shield Association and one of the nation’s largest health benefits companies, Anthem provides medical care coverage to one in eight Americans through its affiliated health plans. The breach that resulted in the settlement agreement affected ePHI Anthem maintained for its affiliated health plans including many employer or union sponsored self-insured and insured group health plans and other HIPAA-covered entity health plans.
On March 13, 2015, Anthem filed a breach report with the HHS Office for Civil Rights that disclosed that Anthem discovered on January 29, 2015 that cyber-attackers had gained access to and engaged in continuous and targeted cyberattack on Anthem’s IT system for the apparent purpose of extracting data, otherwise known as an advanced persistent threat attack. After filing its breach report, Anthem discovered cyber-attackers had infiltrated their system through spear phishing emails sent to an Anthem subsidiary after at least one employee responded to the malicious email and opened the door to further attacks. OCR’s investigation revealed that between December 2, 2014 and January 27, 2015, the cyber-attackers stole the ePHI of almost 79 million individuals, including names, social security numbers, medical identification numbers, addresses, dates of birth, email addresses, and employment information.
In addition to the impermissible disclosure of ePHI, OCR’s investigation revealed that Anthem failed to conduct an enterprise-wide risk analysis, had insufficient procedures to regularly review information system activity, failed to identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent the cyber-attackers from accessing sensitive ePHI, beginning as early as February 18, 2014.
In addition to the consequences for the millions of individuals whose ePHI was disclosed through the breach, the breach also triggered responsibilities and concerns for fiduciaries and sponsors of the employer and union-sponsored group health plans administered or insured by Anthem. Sponsors and fiduciaries of private sector employer or union sponsored plans struggled to obtain information and cooperation from Anthem necessary to evaluate and fulfill their health plans’ HIPAA obligations as well as the fiduciary responsibility requirements of the Employee Retirement Income Security Act (ERISA).
In addition to the $16 million settlement that Anthem is paying to resolve OCR’s HIPAA charges stemming from the breach, the OCR settlement agreement also requires Anthem to undertake a robust corrective action plan to comply with the HIPAA Rules.
Health Plans, Sponsors, Fiduciaries & Vendors Should Act To Manage Compliance & Risks
Unquestionably, other health insurers, employer, union and association sponsored group health plans, and their vendors and business associates should evaluate the adequacy and defensibility of their own health plan privacy and security practices in light of the Anthem breach and resolution agreement. In addition, employer, union or association health plan sponsors, administrative service providers and fiduciaries also should consider the advisability of strengthening their business associate agreements with insurers, third party administrators and other health plan service providers to incorporate safeguards, audit, oversight or other provisions and practices to help prudently monitor potential risks and improve their ability to receive timely notice, respond to, and preserve rights of recourse against insurers or other vendors in the event of a breach or other deficiency.
About The Author
A practicing attorney and Managing Shareholder of Cynthia Marcotte Stamer, P.C, Cynthia Marcotte Stamer’s more than 30 years’ of leading edge work as an practicing attorney, author, lecturer and industry and policy thought leader have resulted in her recognition as a “Top” attorney in employee benefits, labor and employment and health care law.
Board certified in labor and employment law by the Texas Board of Legal Specialization, a Fellow in the American College of Employee Benefit Counsel, Scribe for the American Bar Association (ABA) Joint Committee on Employee Benefits (JCEB) Annual Agency Meeting with the Office of Civil Rights and a former JCEB Council Representative; former Chair of the ABA Health Law Section Managed Care & Insurance Interest Group; and past Chair, former Welfare Benefit Committee Co-Chair and current Fiduciary Responsibility Committee Co-Chair of the American Bar Association (ABA) RPTE Section Employee Benefits Group, former Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, Ms. Stamer is recognized nationally and internationally for her practical and creative insights and leadership on HIPAA and other health care, managed care and insurance, and other employee benefit, human resources, and related antitrust, corporate, privacy and data security, tax and other internal controls, regulatory affairs and public policy concerns.
Ms. Stamer’s legal and management consulting work throughout her career has focused on helping organizations and their management use the law and process to manage people, process, compliance, operations and risk. Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer helps public and private, domestic and international health, insurance and financial security, and other businesses, governments, and other organizations and their leaders manage their employees, vendors and suppliers, and other workforce members, customers and other’ performance, compliance, compensation and benefits, operations, risks and liabilities, as well as to prevent, stabilize and cleanup legal and operational crises large and small that arise in the course of operations.
In this respect, Ms. Stamer works with businesses and their management, employee benefit plans, governments and other organizations deal with all aspects of human resources and workforce, regulatory compliance and operational and performance management. She supports her clients both on a real time, “on demand” basis and with longer term basis to deal with daily performance management and operations, emerging crises, strategic planning, process improvement and change management, investigations, defending litigation, audits, investigations or other enforcement challenges, government affairs and public policy.
Well known for her extensive work with health care, insurance and other highly regulated entities on corporate compliance, internal controls and risk management, her clients range from highly regulated entities like employers, contractors and their employee benefit plans, their sponsors, management, administrators, insurers, fiduciaries and advisors, technology and data service providers, health care, managed care and insurance, financial services, government contractors and government entities, as well as retail, manufacturing, construction, consulting and a host of other domestic and international businesses of all types and sizes.
As a key part of this work, Ms. Stamer uses her deep and highly specialized health, insurance, labor and employment and other knowledge and experience to help health industry, insurance and financial services and other employers and other employee benefit plan sponsors; health, pension and other employee benefit plans, their fiduciaries, administrators and service providers, insurers, and others design legally compliant, effective compliance and internal controls, risk management, human resources and other workforce performance, discipline, compensation, employee benefits and related programs, products and arrangements.
In the course of this work, Ms. Stamer has accumulated an impressive resume of experience advising and representing clients on HIPAA and other privacy and data security concerns. The scribe for the American Bar Association (ABA) Joint Committee on Employee Benefits annual agency meeting with the Department of Health & Human Services Office of Civil Rights for several years, Ms. Stamer has worked extensively with health plans, health care providers, health care clearinghouses, their business associates, employer and other sponsors, banks and other financial institutions, and others on risk management and compliance with HIPAA and other information privacy and data security rules, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and enforcement, and a host of other related concerns. Her clients include public and private health plans, health insurers, health care providers, banking, technology and other vendors, and others. Beyond advising these and other clients on privacy and data security compliance, risk management, investigations and data breach response and remediation, Ms. Stamer also advises and represents clients on OCR and other HHS, Department of Labor, IRS, FTC, DOD and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. She also is the author of numerous highly acclaimed publications, workshops and tools for HIPAA or other compliance including training programs on Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.
Ms. Stamer also is deeply involved in helping to influence the health care, workforce, insurance and financial services, employee benefit, privacy and data security and other federal, state and local laws, regulations and enforcement actions. She both helps her clients respond to and resolve emerging regulations and laws, government investigations and enforcement actions and helps them shape the rules through dealings with Congress and other legislatures, regulators and government officials domestically and internationally. A former lead consultant to the Government of Bolivia on its Social Security reform law and most recognized for her leadership on U.S. health and pension, wage and hour, tax, education and immigration policy reform, Ms. Stamer works with U.S. and foreign businesses, governments, trade associations, and others on workforce, social security and severance, health care, immigration, privacy and data security, tax, ethics and other laws and regulations. Founder and Executive Director of the Coalition for Responsible Healthcare Policy and its PROJECT COPE: the Coalition on Patient Empowerment and a Fellow in the American Bar Foundation and State Bar of Texas. She also works as a policy advisor and advocate to health, insurance and financial services, employee benefits and other business, professional and civic organizations.
Author of the thousands of publications and workshops these and other employment, employee benefits, health care, insurance, workforce and other management matters, Ms. Stamer also is a highly sought out speaker and industry thought leader known for empowering audiences and readers. Ms. Stamer’s insights on employee benefits, insurance, health care and workforce matters in Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, Modern Healthcare, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, InsuranceThoughtLeadership.com and many other prominent publications. Ms. Stamer also regularly serves on the faculty and planning committees for symposia of LexisNexis, the American Bar Association, ALIABA, the Society of Employee Benefits Administrators, the American Law Institute, ISSA, HIMMs, and many other prominent educational and training organizations and conducts training and speaks on these and other management, compliance and public policy concerns.
Ms. Stamer also has a lifelong history of involvement with and service with a diverse range of professional, community and charitable organizations and causes including as founder and Executive Director of the Coalition for Responsible Health Care Policy and its PROJECT COPE: Coalition for Patient Empowerment; technical advisor to the National Physicians’ Council for Health Care Policy; a founding Board Member and President of the Alliance for Healthcare Excellence and its Patient Empowerment and Health Care Heroes Projects; a Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; the Board President of the early childhood development intervention agency, The Richardson Development Center for Children; a member of the Dallas United Way Long Range Planning Committee; as well as leadership involvement in the ABA Joint Committee on Employee Benefits Council, the North Texas Healthcare Compliance Professionals Association; the ABA RPTE Employee Benefits & Other Compensation Committee, the ABA Health Law Section, the ABA International Section Life Sciences Committee, and the ABA TIPS Employee Benefit Committee; TEGE Coordinator of the Gulf Coast TEGE Council TE Division; Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee; a member of the Board of Directors of the Southwest Benefits Association; Dallas, Regional and State BACPAC Chair of the Texas Association of Business; SHRM Regional Chair and National Advisory Board Chair; WEB Network of Benefits Professionals National and Dallas Boards; as a contributing author and the Advisory Board member of the BNA EBCD CD, InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications and as chair or planning faculty of a multitude of symposia.. For additional information about Ms. Stamer, see www.cynthiastamer.com, or contact Ms. Stamer via email here or via telephone to (214) 452.8297.
About Solutions Law Press, Inc.™
Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested reviewing other Solutions Law Press, Inc.™ resources at www.solutionslawpress.com such as:
If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or updating your profile here.
President Trump today (October 12, 2017) issued the following that he promised to be the first in a series of executive orders and other administrative actions that his administration will roll out to provide Obamacare relief for consumers, employers and others by promoting healthcare choice and competition given the continued difficulty by the Republican-led Congress to pass legislation repealing or replacing the health care law.
On the heels of his announcement of the Executive Order, President Trump moved forward on his promise to take other action on Obamacare by announcing that the Administration will not continue funding for individual subsidies that currently are continued under an Obama Administration action in the absence of Congressional action funding those subsidies.
Concerned parties should monitor and inform themselves about proposed changes in the Executive Order and other actions as they are proposed and develop, and provide timely comments and other input to help influence the shape and content of any changes proposed or adopted in response to the Executive Order. Solutions Law Press, Inc. will be monitoring developments. Stay tuned for updates.
Language of Executive Order
By the authority vested in me as President by the Constitution and the laws of the United States of America, it is hereby ordered as follows:
Section 1. Policy.
(a) It shall be the policy of the executive branch, to the extent consistent with law, to facilitate the purchase of insurance across State lines and the development and operation of a healthcare system that provides high-quality care at affordable prices for the American people. The Patient Protection and Affordable Care Act (PPACA), however, has severely limited the choice of healthcare options available to many Americans and has produced large premium increases in many State individual markets for health insurance. The average exchange premium in the 39 States that are using http://www.healthcare.gov in 2017 is more than double the average overall individual market premium recorded in 2013. The PPACA has also largely failed to provide meaningful choice or competition between insurers, resulting in one-third of America’s counties having only one insurer offering coverage on their applicable government-run exchange in 2017.
(b) Among the myriad areas where current regulations limit choice and competition, my Administration will prioritize three areas for improvement in the near term: association health plans (AHPs), short-term, limited-duration insurance (STLDI), and health reimbursement arrangements (HRAs).
(i) Large employers often are able to obtain better terms on health insurance for their employees than small employers because of their larger pools of insurable individuals across which they can spread risk and administrative costs. Expanding access to AHPs can help small businesses overcome this competitive disadvantage by allowing them to group together to self-insure or purchase large group health insurance. Expanding access to AHPs will also allow more small businesses to avoid many of the PPACA’s costly requirements. Expanding access to AHPs would provide more affordable health insurance options to many Americans, including hourly wage earners, farmers, and the employees of small businesses and entrepreneurs that fuel economic growth.
(ii) STLDI is exempt from the onerous and expensive insurance mandates and regulations included in title I of the PPACA. This can make it an appealing and affordable alternative to government-run exchanges for many people without coverage available to them through their workplaces. The previous administration took steps to restrict access to this market by reducing the allowable coverage period from less than 12 months to less than 3 months and by preventing any extensions selected by the policyholder beyond 3 months of total coverage.
(iii) HRAs are tax-advantaged, account-based arrangements that employers can establish for employees to give employees more flexibility and choices regarding their healthcare. Expanding the flexibility and use of HRAs would provide many Americans, including employees who work at small businesses, with more options for financing their healthcare.
(c) My Administration will also continue to focus on promoting competition in healthcare markets and limiting excessive consolidation throughout the healthcare system. To the extent consistent with law, government rules and guidelines affecting the United States healthcare system should:
(i) expand the availability of and access to alternatives to expensive, mandate-laden PPACA insurance, including AHPs, STLDI, and HRAs;
(ii) re-inject competition into healthcare markets by lowering barriers to entry, limiting excessive consolidation, and preventing abuses of market power; and
(iii) improve access to and the quality of information that Americans need to make informed healthcare decisions, including data about healthcare prices and outcomes, while minimizing reporting burdens on affected plans, providers, or payers.
Sec. 2. Expanded Access to Association Health Plans.
Within 60 days of the date of this order, the Secretary of Labor shall consider proposing regulations or revising guidance, consistent with law, to expand access to health coverage by allowing more employers to form AHPs. To the extent permitted by law and supported by sound policy, the Secretary should consider expanding the conditions that satisfy the commonality‑of-interest requirements under current Department of Labor advisory opinions interpreting the definition of an “employer” under section 3(5) of the Employee Retirement Income Security Act of 1974. The Secretary of Labor should also consider ways to promote AHP formation on the basis of common geography or industry.
Sec. 3. Expanded Availability of Short-Term, Limited‑Duration Insurance.
Within 60 days of the date of this order, the Secretaries of the Treasury, Labor, and Health and Human Services shall consider proposing regulations or revising guidance, consistent with law, to expand the availability of STLDI. To the extent permitted by law and supported by sound policy, the Secretaries should consider allowing such insurance to cover longer periods and be renewed by the consumer.
Sec. 4. Expanded Availability and Permitted Use of Health Reimbursement Arrangements.
Within 120 days of the date of this order, the Secretaries of the Treasury, Labor, and Health and Human Services shall consider proposing regulations or revising guidance, to the extent permitted by law and supported by sound policy, to increase the usability of HRAs, to expand employers’ ability to offer HRAs to their employees, and to allow HRAs to be used in conjunction with nongroup coverage.
Sec. 5. Public Comment.
The Secretaries shall consider and evaluate public comments on any regulations proposed under sections 2 through 4 of this order.
Within 180 days of the date of this order, and every 2 years thereafter, the Secretary of Health and Human Services, in consultation with the Secretaries of the Treasury and Labor and the Federal Trade Commission, shall provide a report to the President that:
(a) details the extent to which existing State and Federal laws, regulations, guidance, requirements, and policies fail to conform to the policies set forth in section 1 of this order; and
(b) identifies actions that States or the Federal Government could take in furtherance of the policies set forth in section 1 of this order.
Sec. 7. General Provisions.
(a) Nothing in this order shall be construed to impair or otherwise affect:
(i) the authority granted by law to an executive department or agency, or the head thereof; or
(ii) the functions of the Director of the Office of Management and Budget relating to budgetary, administrative, or legislative proposals.
(b) This order shall be implemented consistent with applicable law and subject to the availability of appropriations.
(c) This order is not intended to, and does not, create any right or benefit, substantive or procedural, enforceable at law or in equity by any party against the United States, its departments, agencies, or entities, its officers, employees, or agents, or any other person.
DONALD J. TRUMP
THE WHITE HOUSE,
October 12, 2017
Implications & Actions
The impact of this and other Executive Orders and other Presidential actions depend upon what actions, if any, the agencies determine they are allowed by law to take and how those changes are implemented. Concerned persons and organizations should begin preparing input to the agencies and monitoring and commenting on proposals and other guidance to help shape the outcome.
Solutions Law Press, Inc. is preparing initial analysis of this Executive Order and will be closely monitoring and updating this analysis. Follow up to learn more and stay abreast of new developments.
About The Author
Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: Erisa & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for management work, coaching, teachings, and publications.
Ms. Stamer works with businesses and their management, employee benefit plans, governments and other organizations deal with all aspects of human resources and workforce, internal controls and regulatory compliance, change management and other performance and operations management and compliance. Her day-to-day work encompasses both labor and employment issues, as well as independent contractor, outsourcing, employee leasing, management services and other nontraditional service relationships. She supports her clients both on a real-time, “on demand” basis and with longer term basis to deal with all aspects for workforce and human resources management, including, recruitment, hiring, firing, compensation and benefits, promotion, discipline, compliance, trade secret and confidentiality, noncompetition, privacy and data security, safety, daily performance and operations management, emerging crises, strategic planning, process improvement and change management, investigations, defending litigation, audits, investigations or other enforcement challenges, government affairs and public policy.
Well-known for her extensive work with health, insurance, financial services, technology, energy, manufacturing, retail, hospitality, governmental and other highly regulated employers, her nearly 30 years’ of experience encompasses domestic and international businesses of all types and sizes. Author of numerous works on privacy and data security, Ms. Stamer‘s experience includes involvement in cyber security and other data privacy and security matters for more than 20 years.
A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her thought leadership, experience and advocacy on these and other concerns by her service as a management consultant, business coach and consultant and policy strategist as well through her leadership participation in professional and civic organizations such her involvement as the Vice Chair of the North Texas Healthcare Compliance Association; Executive Director of the Coalition on Responsible Health Policy and its PROJECT COPE: Coalition on Patient Empowerment; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children; former Gulf Coast TEGE Council Exempt Organization Coordinator; a founding Board Member and past President of the Alliance for Healthcare Excellence; former board member and Vice President of the Managed Care Association; past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; a member and policy adviser to the National Physicians’ Council for Healthcare Policy; current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee; current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section; Past Chair of the ABA Health Law Section Managed Care & Insurance Section; ABA Real Property Probate and Trust (RPTE) Section former Employee Benefits Group Chair, immediate past RPTE Representative to ABA Joint Committee on Employee Benefits Council Representative, and Defined Contribution Committee Co-Chair, past Welfare Benefit Committee Chair and current Employee Benefits Group Fiduciary Responsibility Committee Co-Chair, Substantive and Group Committee member, Membership Committee member and RPTE Representative to the ABA Health Law Coordinating Council; past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee; a former member of the Board of Directors, Treasurer, Member and Continuing Education Chair of the Southwest Benefits Association and others.
Ms. Stamer also is a widely published author, highly popular lecturer, and serial symposia chair, who publishes and speaks extensively on human resources, labor and employment, employee benefits, compensation, occupational safety and health, and other leadership, performance, regulatory and operational risk management, public policy and community service concerns for the American Bar Association, ALI-ABA, American Health Lawyers, Society of Human Resources Professionals, the Southwest Benefits Association, the Society of Employee Benefits Administrators, the American Law Institute, Lexis-Nexis, Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, the HCCA, ISSA, HIMSS, Modern Healthcare, Managed Healthcare, Institute of Internal Auditors, Society of CPAs, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other symposia and publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, InsuranceThoughtLeadership.com and many other prominent publications and speaks and conducts training for a broad range of professional organizations and for clients on the Advisory Boards of InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications.
Want to know more? See here for details about the author of this update, attorney Cynthia Marcotte Stamer, e-mail her here or telephone Ms. Stamer at (469) 767-8872.
About Solutions Law Press, Inc.™
Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources at SolutionsLawPress.com such as the following:
If you or someone else you know would like to receive future updates about developments on these and other concerns, please provide your current contact information and preferences including your preferred e-mail by creating or updating your profile here.
NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The presenter and the program sponsor disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.
Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.
As businesses continue to struggle to comply with the growing plethora of federal and state laws mandating data security, the identity theft and cyber security epidemic keeps growing.
As human resources and other business leaders work to guard their own data and respond to employee demands for assistance in responding to breaches of their personal financial and other data, this weeks’ announcement that embattled credit monitoring giant Equifax has been awarded the exclusive contract to provide taxpayer identification and fraud prevention services to the Internal Revenue Service has many questioning whether these investments are futile.
The IRS’ announcement comes despite the September 7, 2017 announcement by Equifax of a data breach of its records impacting sensitive personal information of millions of consumers including:
The names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers of an estimated 143 million U.S. consumers;
Credit card numbers for approximately 209,000 U.S. consumers,
Certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers,and
Personal information for certain U.K. and Canadian consumers.
The huge breach already was creating many headaches for many businesses and their human resources departments before the IRS announced the award of the contract to Equifax. Due to the massive size of the breach, mist companies have been required to respond to concerns of workers impacted directly by the breach as well as requests of employees and identity theft protection companies that the business consider offering cybersecurity protection for employees or customers.
Beyond helping their workforce understand and cope with the news, many businesses and employee benefit plans also face the added headache of needing to investigate and respond to concerns about their own potential responsibilities to provide breach notification or take other actions. This added headache arises due to their or their plans’ use of Equifax or vendors utilizing Equifax to run employee or vendor background checks or carry out internal employee or employee benefit plan, customer or other business activities. These involvements often give rise to duties to conduct investigations and potentially provide notification or other responses to employees, applicants, benefit plan members, contractors or customers whose data may have been impacted under the Fair and Accurate Credit Transactions Act (FACTA), the Health Insurance Portability and Accountability Act (HIPAA), the Employee Retirement Income Security Act (ERISA) Fiduciary Responsibility rules or various other federal and state laws and regulations, vendor contracts or their own data privacy or security policies.
When notification is recommended or required, human resources and other business leaders also have to consider if modifications should be considered to standard protocols recommended to data breach victims. Notification and registration as an identity theft victim with Equifax long has been a standard part of the federal and state government recommended protocol for recommended to consumers impacted by identity theft or other data breaches. See,e.g., IRS Taxpayer Guide To Identity Theft. Although government agencies as of yet have not changed this recommendation to remove Equifax reporting, many consumers and others view reporting to Equifax as akin to the fox watching the hen house. Consequently, employers and other parties helping consumers respond to the breach often receive push back or questions from consumers about the appropriateness and security reporting to Equifax in light of its breach.
Beyond evaluating and handling their own legal responsibilities to investigate and deal with any breach impacting their data, employers and other business leaders also likely are or should consider what claims against Equifax, other vendors and business partners involved with Equifax and their own liability insurers are available and warranted to help cover the costs and potential liabilities for the business arising from the breach and it’s fall out.
As employers and other businesses work through these issues, They should keep in mind that the fallout is likely to continue for years and be further complicated by past and subsequent breaches impacting other governmental and private organizations. Human resources, employee benefits and other businesses and their leaders can expect to experience challenges dealing with fraudulent uses of misappropriated information as well as demands that they tighten up their background check, data security and usage and other practices and documentation to mitigate risks from the compromised data.
Human resources, employee benefits and other business leaders need to secure the assistance of counsel experienced in guiding their organizations through these and other challenges.
About The Author
Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: Erisa & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for management work, coaching, teachings, and publications.
Ms. Stamer works with businesses and their management, employee benefit plans, governments and other organizations deal with all aspects of human resources and workforce, internal controls and regulatory compliance, change management and other performance and operations management and compliance. Her day-to-day work encompasses both labor and employment issues, as well as independent contractor, outsourcing, employee leasing, management services and other nontraditional service relationships. She supports her clients both on a real-time, “on demand” basis and with longer term basis to deal with all aspects for workforce and human resources management, including, recruitment, hiring, firing, compensation and benefits, promotion, discipline, compliance, trade secret and confidentiality, noncompetition, privacy and data security, safety, daily performance and operations management, emerging crises, strategic planning, process improvement and change management, investigations, defending litigation, audits, investigations or other enforcement challenges, government affairs and public policy.
Well-known for her extensive work with health, insurance, financial services, technology, energy, manufacturing, retail, hospitality, governmental and other highly regulated employers, her nearly 30 years’ of experience encompasses domestic and international businesses of all types and sizes. Author of numerous works on privacy and data security, Ms. Stamer‘s experience includes involvement in cyber security and other data privacy and security matters for more than 20 years.
A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her thought leadership, experience and advocacy on these and other concerns by her service as a management consultant, business coach and consultant and policy strategist as well through her leadership participation in professional and civic organizations such her involvement as the Vice Chair of the North Texas Healthcare Compliance Association; Executive Director of the Coalition on Responsible Health Policy and its PROJECT COPE: Coalition on Patient Empowerment; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children; former Gulf Coast TEGE Council Exempt Organization Coordinator; a founding Board Member and past President of the Alliance for Healthcare Excellence; former board member and Vice President of the Managed Care Association; past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; a member and policy adviser to the National Physicians’ Council for Healthcare Policy; current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee; current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section; Past Chair of the ABA Health Law Section Managed Care & Insurance Section; ABA Real Property Probate and Trust (RPTE) Section former Employee Benefits Group Chair, immediate past RPTE Representative to ABA Joint Committee on Employee Benefits Council Representative, and Defined Contribution Committee Co-Chair, past Welfare Benefit Committee Chair and current Employee Benefits Group Fiduciary Responsibility Committee Co-Chair, Substantive and Group Committee member, Membership Committee member and RPTE Representative to the ABA Health Law Coordinating Council; past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee; a former member of the Board of Directors, Treasurer, Member and Continuing Education Chair of the Southwest Benefits Association and others.
Ms. Stamer also is a widely published author, highly popular lecturer, and serial symposia chair, who publishes and speaks extensively on human resources, labor and employment, employee benefits, compensation, occupational safety and health, and other leadership, performance, regulatory and operational risk management, public policy and community service concerns for the American Bar Association, ALI-ABA, American Health Lawyers, Society of Human Resources Professionals, the Southwest Benefits Association, the Society of Employee Benefits Administrators, the American Law Institute, Lexis-Nexis, Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, the HCCA, ISSA, HIMSS, Modern Healthcare, Managed Healthcare, Institute of Internal Auditors, Society of CPAs, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other symposia and publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, InsuranceThoughtLeadership.com and many other prominent publications and speaks and conducts training for a broad range of professional organizations and for clients on the Advisory Boards of InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications.
Want to know more? See here for details about the author of this update, attorney Cynthia Marcotte Stamer, e-mail her here or telephone Ms. Stamer at (469) 767-8872.
About Solutions Law Press, Inc.™
Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources at SolutionsLawPress.com such as the following:
If you or someone else you know would like to receive future updates about developments on these and other concerns, please provide your current contact information and preferences including your preferred e-mail by creating or updating your profile here.
NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The presenter and the program sponsor disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.
Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.
Individual Americans that don’t maintain their and their dependents’ enrollment in at least minimum essential coverage in a health program meeting the requirements of the Patient Protection & Affordable Care Act commonly referred to as “Obama Care” still generally should expect to pay individual shared responsibility tax penalties imposed by Obamacare.
Despite campaign promises to quickly repeal or reform Obamacare, the Republican controlled Congress has been unable to pass legislation repealing the individual tax penalty or other Obamacare coverage mandate related rules. Moreover, contrary to the impression widely held by many Americans that President Trump’s January 20 Executive Order protects uncovered individuals from the tax imposed under Internal Revenue Code Section 5001A, the Internal Revenue Service still plans to enforce and collect the tax. See here. Consequently, Internal Revenue Code Section 5001A still generally requires uncovered taxpayers to pay the individual shared responsibility payment.
This means that taxpayers not enrolled in minimum essential coverage or otherwise exempt from the individual responsibility payment need to be prepared to pay the tax.
In anticipation of enforcement of the individual shared responsibility tax, the Internal Revenue Service just set the monthly national average premium for qualified health plans that have a bronze level of coverage offered through Exchanges at $272 per individual and the maximum monthly national average premium for qualified health plans with a bronze level of coverage offered through Exchanges at $1,360 for a shared responsibility family with five or more members. The Internal Revenue Service intends that these amounts will be used to calculate individual shared responsibility tax penalties for 2017. The updated amounts are published in Rev. Proc. 2017-48
In general, the individual responsibility tax equals the lesser of (1) the sum of the monthly penalty amounts, or (2) the sum of the monthly national average bronze plan premiums for the shared responsibility family. See § 1.5000A-4(a). The monthly national average bronze plan premium means, for a month for which a shared responsibility payment is imposed, 1/12 of the annual national average premium for qualified health plans that (1) have a bronze level of coverage, (2) would provide coverage for the taxpayer’s shared responsibility family members, and (3) are offered through Exchanges for plan years beginning in a calendar year with or within which the taxable year ends. §§ 5000A(c)(1)(B) and 1.5000A-4(c). For this purpose, “shared responsibility family” means, for a month in a taxable year, all nonexempt individuals for whom the taxpayer and the taxpayer’s spouse, if the taxpayer is married and files a joint return with the spouse, are liable for the shared responsibility payment under § 5000A for that taxable year. See § 1.5000A-1(d)(17).
Taxpayers who are not enrolled in the necessary health coverage to meet the Obamacare health coverage mandate should evaluate their shared responsibility tax penalty exposure and weigh whether it makes more sense to enroll in qualifying health coverage or prepare to pay the tax.
About The Author
Recognized as “Legal Leader™ Texas Top Rated Lawyer” in both Health Care Law and Labor and Employment Law, a “Texas Top Lawyer,” and an “AV-Preeminent” and “Top Rated Lawyer” by Martindale-Hubble, singled out as among the “Best Lawyers In Dallas” in employee benefits by D Magazine; Cynthia Marcotte Stamer is a practicing attorney and management consultant, author, public policy advocate and lecturer widely recognized for her nearly 30 years’ of work and pragmatic thought leadership, publications and training on health coverage and health care, health plan and employee benefits, workforce and related regulatory and other compliance, performance management, risk management, product and process development, public policy, operations and other concerns.
Throughout her legal and consulting career, Ms. Stamer has drawn recognition for combining extensive knowledge and experience with her talents as an insightful innovator and problem solver when advising, representing and defending employer and other plan sponsors, insurers, fiduciaries, insurers, electronic and other technology, plan administrators and other service providers, governments and others about health coverage, benefit program design, funding, documentation, administration, data security and use, contracting, plan, public and regulatory reforms and enforcement, and other risk management and operations matters as well as for her work and thought leadership on a broad range of other health, employee benefits, human resources and other workforce, insurance, tax, compliance and other matters. Her experience encompasses leading and supporting the development and defense of innovative new programs, practices and solutions; advising and representing clients on routine plan establishment, plan documentation and contract drafting and review, administration, change and other compliance and operations crisis prevention and response, compliance and risk management audits and investigations, enforcement actions and other dealings with the US Congress, Departments of Labor, Treasury, Health & Human Services, Federal Trade Commission, Justice, state legislatures, attorneys general, insurance, labor, worker’s compensation, and other agencies and regulators, She also provides strategic and other supports clients in defending litigation as lead strategy counsel, special counsel and as an expert witness.
A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares shared her thought leadership, experience and advocacy on these and other concerns by her service in the leadership of a broad range of other professional and civic organization including her involvement as Executive Director of the Coalition on Responsible Health Policy and its PROJECT COPE; Coalition on Patient Empowerment, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children; current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, Past Group Chair, current Defined Contribution Plan Committee Co-Chair, former Welfare Committee Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, immediate past RPTE Representative to ABA Joint Committee on Employee Benefits Council Representative and current RPTE Representative to the ABA Health Law Coordinating Counsel, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, former member of the Board of Directors of the Southwest Benefits Association and others.
Ms. Stamer also is a highly popular lecturer, symposia chair and author, who publishes and speaks extensively on health and managed care industry, human resources, employment and other privacy, data security and other technology, regulatory and operational risk management for the American Bar Association, ALI-ABA, American Health Lawyers, Society of Human Resources Professionals, the Southwest Benefits Association, the Society of Employee Benefits Administrators, the American Law Institute, Lexis-Nexis, Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, the Society of Professional Benefits Administrators, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, the HCCA, ISSA, HIMSS, Modern Healthcare, Managed Healthcare, Institute of Internal Auditors, Society of CPAs, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other symposia and publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, InsuranceThoughtLeadership.com and many other prominent publications and speaks and conducts training for a broad range of professional organizations and for clients, serves on the faculty and planning committee of many workshops, seminars, and symposia, and on the Advisory Boards of InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications. For additional information about Ms. Stamer, see CynthiaStamer.com or contact Ms. Stamer via email to here or via telephone to (469) 767-8872.
About Solutions Law Press
Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources at www.SolutionsLawPress.com.
If you or someone else you know would like to receive future updates and notices about other upcoming Solutions Law Press™ events, please be sure that we have your current contact information – including your preferred e-mail by creating or updating your profile here. For important information concerning this communication, see here.
NOTICE: Any party accessing or using any content obtained from or through Solutions Law Press, Inc.™ acknowledges and agrees that any and all programs, publications, statements and materials presented or published by Solutions Law Press, Inc.™ and any statements or other contents made or contained therein are for general informational and educational purposes only. They are generic in nature and not tailored or intended to be relied upon by any person, business, entity or other party for purposes for determining the legal, financial or other appropriateness, defensibility, suitability, outcome or consequences of any strategy, action, course of action, or any other facts, circumstances, event or conduct. Users of these resources are responsible at all times for independently evluating the suitability of any content, materials, tools or other materials or information accessed from or through Solutions Law Press, Inc. directly or indirectly.
Solutions Law Press, Inc.™ and its authors and contributors do not represent or warrant in any form or manner, and expressly disclaim and deny the appropriateness of the use or reliance of any person or entity on any content, tools or resources accessed or obtained from or through Solutions Law Press, Inc.™ for any general or particular use or purpose by any party under any circumstances.
Likewise, they do not establish an attorney-client relationship or other fiduciary, contractual or other relationship between Solutions Law Press, Inc. and/or any of its authors or contributors and any other party. They are not, and do not serve as a substitute for legal, accounting, tax or other advice. They don’t create or otherwise give rise to any duty, obligation, responsibility on behalf of Solutions Law Press, Inc™ or any provider or offeree of content, tools or services to any party.
Parties accessing or using any of Solutions Law Press, Inc.™ competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The publisher and the author expressly disclaim all liability for this content and any responsibility to provide any update or otherwise notify anyone of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.
For the 28th year, U.S. News & World Report has published its annual ranking of U.S. hospitals across the country. The 2017-18 Best Hospitals list (List) reports results of U.S. News & World Report’s rating and comparisons of more than 4,500 medical centers across the nation in 25 specialties, procedures and conditions based on the methodology developed and refined annually by U.S. News & World Report and its project partner, RTI International. While U.S. News & World Report touts its lists and findings as a valuable tool for guiding patient care choices, patients and others contemplating using the reported data to help evaluate hospital facilities or make care decisions will want to evaluate carefully the methodology used to derive the lists to assess the relevance of the reported rankings to their needs and purposes.
Based on the methodology specially developed by U.S. News & World Report along with RTI International for purposes of determining the ranking for a particular year, the Report separately evaluates and publishes the lists separately ranking the evaluated facilities based on the following criteria:
2017-18 Best Hospitals Specialty Rankings list
2017-18 Best Hospitals Procedure and Condition Ratings
2017-18 Best Hospitals Honor Roll
2017-18 Best Regional Hospitals
2017-18 Best Children’s Hospitals
The “Best Hospitals Honor Roll” that recognizes 20 hospitals that U.S. News & World Report concluded showed “ unusual competence across a range of adult specialties, procedures and conditions … tak[ing]” into account the full range of adult inpatient care – both performance in the Best Hospitals specialty rankings and in the Best Hospitals procedures and conditions based upon the combined points earned by the ranked hospital using a complicated methodology summarized here. Using this methodology, U.S. News & World Report named the following 20 hospitals to its list of the 2017-18 Best Hospitals Honor Roll:
Mayo Clinic, Rochester, Minn.
Cleveland Clinic
Johns Hopkins Hospital, Baltimore
Massachusetts General Hospital, Boston
UCSF Medical Center, San Francisco
University of Michigan Hospitals and Health Centers, Ann Arbor
Ronald Reagan UCLA Medical Center, Los Angeles
New York-Presbyterian Hospital, N.Y.
Stanford Health Care-Stanford Hospital, Stanford, Calif.
Hospitals of the University of Pennsylvania-Penn Presbyterian, Philadelphia
Cedars-Sinai Medical Center, Los Angeles
Barnes-Jewish Hospital, St. Louis
Northwestern Memorial Hospital, Chicago
UPMC Presbyterian Shadyside, Pittsburgh
University of Colorado Hospital, Aurora
Thomas Jefferson University Hospitals, Philadelphia
Duke University Hospital, Durham, N.C.
Mount Sinai Hospital, New York
NYU Langone Medical Center, New York
Mayo Clinic Phoenix
While no Texas hospitals were named among top 20 hospitals listed on the Best Hospitals Honor Role, U.S. Word & Report ranked the University of Texas MD Anderson Cancer Center as the No. 1 cancer treatment center in the nation.
Within the Texas Region, U.S. News & World Report ranked Houston Methodist Hospital as the “No. 1 hospital in the state of Texas;” UT Southwestern” as the “best hospital in Dallas-Fort Worth,” and “the No. 2 hospital in the state of Texas;” followed by Baylor University Medical Center, Dallas No.3, Baylor St. Luke’s Medical Center Houston, No.4 Memorial Hermann-Texas Medical Center, No.5 and Medical City Dallas Hospital No. 6 on its list of the best hospitals in the state of Texas.
While U.S. News and World Report touts the lists as providing “rich data that patients can use to help them make informed decisions about where to receive surgical or medical care,” patients and others must read and evaluate carefully the explanation of the explanation of methodology used by U.S. News & World Report and RTI International set forth in the 2017-18 Best Hospitals Methodology Report to understand the basis and meanings of the rankings to understand the rankings and their implications. The findings and resulting lists reported are determined both by the data relied upon and the methodology developed and used to derive its findings. For instance, because the report relies heavily upon Medicare data to conduct the analysis, the analysis does not reflect the experience of typical patients under 65. Also, the findings of the report also are impacted by a broad range of other decisions made in the course of deriving the methodology for a particular year and are not necessarily consistent with ranking methodologies used by other ranking or credentialing organizations or even fully consistent with the methodology used by U.S. News & World Report to determine rankings reported for previous years. Accordingly, even U.S. News & World Report acknowledges that the top ranking of a hospital on the list does not necessarily mean that the listed hospital is the best hospital choice for a particular patient or condition as well as acknowledges other rating organization using different criteria and methodologies might reach different ranking results. Accordingly, the publishers state that they view the list as just a “starting point” to help patients decide where to seek care. “Patients still have to do their own research and talk with their doctors” to take into account other patient specific factors including the care needs of the patient, stress and expense of travel and lodging in another city and their insurer’s willingness to pay for care if a hospital is out of network.
Do the reported rankings agree with your experience and expectations? How valuable do you view the U.S. News & World Report list and findings? How do you expect your family or your health plan to use this or other rankings for purposes of guiding or deciding patient care choices? Join the discussion on the Solutions Law Press, Inc. PROJECT COPE: Coalition on Patient Empowerment Facebook page @ProjectCOPECoalition or on LinkedIn in our COPE: Coalition On Patient Empowerment Group .
About The Author
Recognized as “Legal Leader™ Texas Top Rated Lawyer” in both Health Care Law and Labor and Employment Law, a “Texas Top Lawyer,” and an “AV-Preeminent” and “Top Rated Lawyer” by Martindale-Hubble, singled out as among the “Best Lawyers In Dallas” in employee benefits by D Magazine; Cynthia Marcotte Stamer is a practicing attorney and management consultant, author, public policy advocate and lecturer widely recognized for her nearly 30 years’ of work and pragmatic thought leadership, publications and training on health coverage and health care, health plan and employee benefits, workforce and related regulatory and other compliance, performance management, risk management, product and process development, public policy, operations and other concerns.
Throughout her legal and consulting career, Ms. Stamer has drawn recognition for combining extensive knowledge and experience with her talents as an insightful innovator and problem solver when advising, representing and defending employer and other plan sponsors, insurers, fiduciaries, insurers, electronic and other technology, plan administrators and other service providers, governments and others about health coverage, benefit program design, funding, documentation, administration, data security and use, contracting, plan, public and regulatory reforms and enforcement, and other risk management and operations matters as well as for her work and thought leadership on a broad range of other health, employee benefits, human resources and other workforce, insurance, tax, compliance and other matters. Her experience encompasses leading and supporting the development and defense of innovative new programs, practices and solutions; advising and representing clients on routine plan establishment, plan documentation and contract drafting and review, administration, change and other compliance and operations crisis prevention and response, compliance and risk management audits and investigations, enforcement actions and other dealings with the US Congress, Departments of Labor, Treasury, Health & Human Services, Federal Trade Commission, Justice, state legislatures, attorneys general, insurance, labor, worker’s compensation, and other agencies and regulators, She also provides strategic and other supports clients in defending litigation as lead strategy counsel, special counsel and as an expert witness.
A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares shared her thought leadership, experience and advocacy on these and other concerns by her service in the leadership of a broad range of other professional and civic organization including her involvement as Executive Director of the Coalition on Responsible Health Policy and its PROJECT COPE; Coalition on Patient Empowerment, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children; current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, Past Group Chair, current Defined Contribution Plan Committee Co-Chair, former Welfare Committee Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, immediate past RPTE Representative to ABA Joint Committee on Employee Benefits Council Representative and current RPTE Representative to the ABA Health Law Coordinating Counsel, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, former member of the Board of Directors of the Southwest Benefits Association and others.
Ms. Stamer also is a highly popular lecturer, symposia chair and author, who publishes and speaks extensively on health and managed care industry, human resources, employment and other privacy, data security and other technology, regulatory and operational risk management for the American Bar Association, ALI-ABA, American Health Lawyers, Society of Human Resources Professionals, the Southwest Benefits Association, the Society of Employee Benefits Administrators, the American Law Institute, Lexis-Nexis, Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, the Society of Professional Benefits Administrators, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, the HCCA, ISSA, HIMSS, Modern Healthcare, Managed Healthcare, Institute of Internal Auditors, Society of CPAs, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other symposia and publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, InsuranceThoughtLeadership.com and many other prominent publications and speaks and conducts training for a broad range of professional organizations and for clients, serves on the faculty and planning committee of many workshops, seminars, and symposia, and on the Advisory Boards of InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications. For additional information about Ms. Stamer, see CynthiaStamer.com or contact Ms. Stamer via email to here or via telephone to (469) 767-8872.
About Solutions Law Press
Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources at www.SolutionsLawPress.com.
If you or someone else you know would like to receive future updates and notices about other upcoming Solutions Law Press™ events, please be sure that we have your current contact information – including your preferred e-mail by creating or updating your profile here. For important information concerning this communication, see here.
NOTICE: Any party accessing or using any content obtained from or through Solutions Law Press, Inc.™ acknowledges and agrees that any and all programs, publications, statements and materials presented or published by Solutions Law Press, Inc.™ and any statements or other contents made or contained therein are for general informational and educational purposes only. They are generic in nature and not tailored or intended to be relied upon by any person, business, entity or other party for purposes for determining the legal, financial or other appropriateness, defensibility, suitability, outcome or consequences of any strategy, action, course of action, or any other facts, circumstances, event or conduct. Users of these resources are responsible at all times for independently evluating the suitability of any content, materials, tools or other materials or information accessed from or through Solutions Law Press, Inc. directly or indirectly.
Solutions Law Press, Inc.™ and its authors and contributors do not represent or warrant in any form or manner, and expressly disclaim and deny the appropriateness of the use or reliance of any person or entity on any content, tools or resources accessed or obtained from or through Solutions Law Press, Inc.™ for any general or particular use or purpose by any party under any circumstances.
Likewise, they do not establish an attorney-client relationship or other fiduciary, contractual or other relationship between Solutions Law Press, Inc. and/or any of its authors or contributors and any other party. They are not, and do not serve as a substitute for legal, accounting, tax or other advice. They don’t create or otherwise give rise to any duty, obligation, responsibility on behalf of Solutions Law Press, Inc™ or any provider or offeree of content, tools or services to any party.
Parties accessing or using any of Solutions Law Press, Inc.™ competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The publisher and the author expressly disclaim all liability for this content and any responsibility to provide any update or otherwise notify anyone of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.
Employers and employee benefit plan fiduciaries and administrators should consider sharing the free IRS Withholding Calculator resource offered in English, Spanish, and ASL formats with workers in annual employee benefit enrollment packages, new hire paperwork, bonus announcement and other wage related materials and other employee communications to help workers better understand and manage the tax and other effects of their annual employee benefit elections on their take-home pay. Including reminders to re-evaluate withholding and if necessary, change their W-4 withholding elections also helps employees and their families ensure that withholding elections that workers complete as part of new hire documentation are updated in response to changing taxable income and other relevant events.
Communicating the availability of these free government-resource tools to workers during the annual employee benefit plan enrollment period, year-end, raise or bonus time or other strategic times throughout the year could help employees better appreciate the tax-preferred benefit offerings provided by the employer as well as provide significant financial education benefits many workers need for little or no employer cost.
While enrollment packages typically tout the potential “tax savings” that employees can enjoy from participating in tax-favored, employer-sponsored health, group term life, qualified pension or profit-sharing, and other tax-preferred employee benefit or fringe benefit programs offered by their employers, few employees truly understand how to determine properly their necessary wage withholding on taxable wages, much less the specific effects of their employee benefit elections on their income or employment tax liability or withholding.
A better understanding of the relative tax benefits and savings of enrollment in tax-preferred benefits offered by an employer and their potential implications on the income tax withholding elected by the workers can benefit both employees and their employer. Aside from illustrating in real, meaningful terms specific to the worker the tax benefits of his election of employer-offered, tax preferred benefits, proper tax withholding helps employees avoid unnecessary over withholding that can reduce employees’ take-home pay as well as helps protect employees from unexpectedly higher year-end tax bills that often surprise workers when an employee sets his withholding too low.
While few employers or plans want to incur the potential financial costs or liability of estimating savings for individual workers, sharing information about free government-provided resources like the IRS calculator or using vendor-provided solutions that incorporate tools in employee enrollment and other communications can help employees appreciate the benefits of tax-preferred employee benefits and make more informed choices about their benefits and their withholding.
Educating employees about the availability of these free resources also is a low-cost way of providing valuable information to workers whether or not the employer or plan has a vendor offered solution that includes the same or similar tool. However, educating workers about the availability of the withholding calculator and other tools can be a particularly attractive option for an employer when the employer doesn’t have a vendor-provided option that includes that information or can only access the tool for added charges.
While many vendors offer similar tools and materials sold to employers and employee benefit plans, employers or benefit plan fiduciaries generally must pay fees, share promotional materials or meet at the requirements to deliver those resources as part of a vendor-supplied package. Utilizing these vendor supplied resources without fulfilling these preconditions could expose the employer or plan to potential copyright, trademark or other contractual or intellectual property claims from the vendor. In contrast, IRS withholding calculator and many other government tools can be used or shared freely without these concerns. Moreover, employers and plans are less likely to face challenges for sharing an unfiltered government resource than a similar tool packaged within a vendor communication package promoting other options.
Of course, regardless of whether these or other tools or information are shared as a free-standing tool or as part of a broader communication package, employers, plans and others sharing these government tools and other similar resources generally will want to ensure that the materials are distributed along with and subject to general tax advice and other disclaimers of reliance as well as statements encouraging users to consult with their own qualified tax or other qualified professionals about the users’ specific circumstance.
About The Author
Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: Erisa & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for management work, coaching, teachings, and publications.
Ms. Stamer works with businesses and their management, employee benefit plans, governments and other organizations deal with all aspects of human resources and workforce, internal controls and regulatory compliance, change management and other performance and operations management and compliance. Her day-to-day work encompasses both labor and employment issues, as well as independent contractor, outsourcing, employee leasing, management services and other nontraditional service relationships. She supports her clients both on a real-time, “on demand” basis and with longer term basis to deal with all aspects for workforce and human resources management, including, recruitment, hiring, firing, compensation and benefits, promotion, discipline, compliance, trade secret and confidentiality, noncompetition, privacy and data security, safety, daily performance and operations management, emerging crises, strategic planning, process improvement and change management, investigations, defending litigation, audits, investigations or other enforcement challenges, government affairs and public policy.
Well-known for her extensive work with health, insurance, financial services, technology, energy, manufacturing, retail, hospitality, governmental and other highly regulated employers, her nearly 30 years’ of experience encompasses domestic and international businesses of all types and sizes.
A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her thought leadership, experience and advocacy on these and other concerns by her service as a management consultant, business coach and consultant and policy strategist as well through her leadership participation in professional and civic organizations such her involvement as the Vice Chair of the North Texas Healthcare Compliance Association; Executive Director of the Coalition on Responsible Health Policy and its PROJECT COPE: Coalition on Patient Empowerment; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children; former Gulf Coast TEGE Council Exempt Organization Coordinator; a founding Board Member and past President of the Alliance for Healthcare Excellence; former board member and Vice President of the Managed Care Association; past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; a member and policy adviser to the National Physicians’ Council for Healthcare Policy; current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee; current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section; Past Chair of the ABA Health Law Section Managed Care & Insurance Section; ABA Real Property Probate and Trust (RPTE) Section former Employee Benefits Group Chair, immediate past RPTE Representative to ABA Joint Committee on Employee Benefits Council Representative, and Defined Contribution Committee Co-Chair, past Welfare Benefit Committee Chair and current Employee Benefits Group Fiduciary Responsibility Committee Co-Chair, Substantive and Group Committee member, Membership Committee member and RPTE Representative to the ABA Health Law Coordinating Council; past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee; a former member of the Board of Directors, Treasurer, Member and Continuing Education Chair of the Southwest Benefits Association and others.
Ms. Stamer also is a widely published author, highly popular lecturer, and serial symposia chair, who publishes and speaks extensively on human resources, labor and employment, employee benefits, compensation, occupational safety and health, and other leadership, performance, regulatory and operational risk management, public policy and community service concerns for the American Bar Association, ALI-ABA, American Health Lawyers, Society of Human Resources Professionals, the Southwest Benefits Association, the Society of Employee Benefits Administrators, the American Law Institute, Lexis-Nexis, Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, the HCCA, ISSA, HIMSS, Modern Healthcare, Managed Healthcare, Institute of Internal Auditors, Society of CPAs, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other symposia and publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, InsuranceThoughtLeadership.com and many other prominent publications and speaks and conducts training for a broad range of professional organizations and for clients on the Advisory Boards of InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications.
Want to know more? See here for details about the author of this update, attorney Cynthia Marcotte Stamer, e-mail her here or telephone Ms. Stamer at (469) 767-8872.
About Solutions Law Press, Inc.™
Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources at SolutionsLawPress.com.
If you or someone else you know would like to receive future updates about developments on these and other concerns, please provide your current contact information and preferences including your preferred e-mail by creating or updating your profile here.
NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The presenter and the program sponsor disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.
Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.
Agents and brokers planning to market health insurance coverage sold through the health care marketplaces established under the Patient Protection and Affordable Care Act (ACA) should register and participate in one of the upcoming “Plan Year 2018 Registration & Training Overview For Agents and Brokers” sessions offered by the Centers for Medicare & Medicaid Services (CMS) to:
Provide Registration and training information for Plan Year (PY) 2018; and
Answer participant questions.
CMS is offering separate training for brokers and agents who previously completed PY 2017 registration and training (Returning Brokers) from the training for agents and brokers who did not complete the PY 2017 registration and training (New Brokers).
New Broker training sessions presently are scheduled on July 20, 2017 and July 26, 2017 from 1:00 p.m.- 2:30 p.m. Eastern Time. Returning Broker training sessions are scheduled for July 21, 2017 and July 27, 2017 from 1:00-2:00 p.m. Eastern Time.
To register or for more information, see the REGTAP website here.
About The Author
Recognized as “Legal Leader™ Texas Top Rated Lawyer” in both Health Care Law and Labor and Employment Law, a “Texas Top Lawyer,” and an “AV-Preeminent” and “Top Rated Lawyer” by Martindale-Hubble, singled out as among the “Best Lawyers In Dallas” in employee benefits by D Magazine; Cynthia Marcotte Stamer is a practicing attorney and management consultant, author, public policy advocate and lecturer widely recognized for her nearly 30 years’ of work and pragmatic thought leadership, publications and training on health coverage and health care, health plan and employee benefits, workforce and related regulatory and other compliance, performance management, risk management, product and process development, public policy, operations and other concerns.
Throughout her legal and consulting career, Ms. Stamer has drawn recognition for combining extensive knowledge and experience with her talents as an insightful innovator and problem solver when advising, representing and defending employer and other plan sponsors, insurers, fiduciaries, insurers, electronic and other technology, plan administrators and other service providers, governments and others about health coverage, benefit program design, funding, documentation, administration, data security and use, contracting, plan, public and regulatory reforms and enforcement, and other risk management and operations matters as well as for her work and thought leadership on a broad range of other health, employee benefits, human resources and other workforce, insurance, tax, compliance and other matters. Her experience encompasses leading and supporting the development and defense of innovative new programs, practices and solutions; advising and representing clients on routine plan establishment, plan documentation and contract drafting and review, administration, change and other compliance and operations crisis prevention and response, compliance and risk management audits and investigations, enforcement actions and other dealings with the US Congress, Departments of Labor, Treasury, Health & Human Services, Federal Trade Commission, Justice, state legislatures, attorneys general, insurance, labor, worker’s compensation, and other agencies and regulators, She also provides strategic and other supports clients in defending litigation as lead strategy counsel, special counsel and as an expert witness.
A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares shared her thought leadership, experience and advocacy on these and other concerns by her service in the leadership of a broad range of other professional and civic organization including her involvement as Executive Director of the Coalition on Responsible Health Policy and its PROJECT COPE; Coalition on Patient Empowerment, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children; current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, Past Group Chair, current Defined Contribution Plan Committee Co-Chair, former Welfare Committee Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, immediate past RPTE Representative to ABA Joint Committee on Employee Benefits Council Representative and current RPTE Representative to the ABA Health Law Coordinating Counsel, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, former member of the Board of Directors of the Southwest Benefits Association and others.
Ms. Stamer also is a highly popular lecturer, symposia chair and author, who publishes and speaks extensively on health and managed care industry, human resources, employment and other privacy, data security and other technology, regulatory and operational risk management for the American Bar Association, ALI-ABA, American Health Lawyers, Society of Human Resources Professionals, the Southwest Benefits Association, the Society of Employee Benefits Administrators, the American Law Institute, Lexis-Nexis, Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, the Society of Professional Benefits Administrators, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, the HCCA, ISSA, HIMSS, Modern Healthcare, Managed Healthcare, Institute of Internal Auditors, Society of CPAs, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other symposia and publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, InsuranceThoughtLeadership.com and many other prominent publications and speaks and conducts training for a broad range of professional organizations and for clients, serves on the faculty and planning committee of many workshops, seminars, and symposia, and on the Advisory Boards of InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications. For additional information about Ms. Stamer, see CynthiaStamer.com or contact Ms. Stamer via email to here or via telephone to (469) 767-8872.
About Solutions Law Press
Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources at www.SolutionsLawPress.com.
If you or someone else you know would like to receive future updates and notices about other upcoming Solutions Law Press™ events, please be sure that we have your current contact information – including your preferred e-mail by creating or updating your profile here. For important information concerning this communication, see here.
NOTICE: Any party accessing or using any content obtained from or through Solutions Law Press, Inc.™ acknowledges and agrees that any and all programs, publications, statements and materials presented or published by Solutions Law Press, Inc.™ and any statements or other contents made or contained therein are for general informational and educational purposes only. They are generic in nature and not tailored or intended to be relied upon by any person, business, entity or other party for purposes for determining the legal, financial or other appropriateness, defensibility, suitability, outcome or consequences of any strategy, action, course of action, or any other facts, circumstances, event or conduct. Users of these resources are responsible at all times for independently evluating the suitability of any content, materials, tools or other materials or information accessed from or through Solutions Law Press, Inc. directly or indirectly.
Solutions Law Press, Inc.™ and its authors and contributors do not represent or warrant in any form or manner, and expressly disclaim and deny the appropriateness of the use or reliance of any person or entity on any content, tools or resources accessed or obtained from or through Solutions Law Press, Inc.™ for any general or particular use or purpose by any party under any circumstances.
Likewise, they do not establish an attorney-client relationship or other fiduciary, contractual or other relationship between Solutions Law Press, Inc. and/or any of its authors or contributors and any other party. They are not, and do not serve as a substitute for legal, accounting, tax or other advice. They don’t create or otherwise give rise to any duty, obligation, responsibility on behalf of Solutions Law Press, Inc™ or any provider or offeree of content, tools or services to any party.
Parties accessing or using any of Solutions Law Press, Inc.™ competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The publisher and the author expressly disclaim all liability for this content and any responsibility to provide any update or otherwise notify anyone of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.
While Congress continues to debate the future of the Obamacare health reforms and its exchanges, the Department of Health & Human Services is reminding employers with less than 50 employees that wish to offer group health coverage for their employees to check out their coverage options offered the Small Business Health Options Program (SHOP) Marketplace established as part of the Patient Protection and Affordable Care Act (ACA). Before or when offering health coverage for employees or their dependents, employers and their management should confirm they fully understand and appropriately arrange for fulfillment of all applicable federal, contractual and other requirements to avoid unfortunate and often expensive liabilities.
The SHOP Marketplace is intended to offer an opportunity for for small employers who want to provide health and dental insurance to their employees. Use of the SHOP Marketplace to obtain coverage may be an option for an employer if it is a business or non-profit organization with 50 or fewer full-time equivalent employees (FTEs). An employer that qualifies to get group health coverage through the SHOP doesn’t have to wait for an annual enrollment period; it can start offering SHOP insurance to your employees any time of year by completing the enrollment process by the applicable deadline prior to the first day of the month that the employer wants to start offering coverage through the SHOP.
In addition to the option to buy coverage through the SHOP, employers with 25 or fewer employees also may be eligible to use the Small Employer Health Care Credit created by the ACA to help defray the costs of providing this coverage to their qualifying employees. For instance, Monday, May 15 is the sign up deadline for small employers and nonprofit employees interested in obtaining small group health plan coverage for their employees through the the SHOP Marketplace beginning on June 1. SeeHealthCare.gov/Small-Business to enroll your small business or non-profit employees or get more details.
While many excellent reasons may exist for a business to offer group health coverage for qualifying employees, all employers regardless of size considering offering group health coverage obtained through the SHOP or other sources should keep in mind that employers that establish and maintain group health coverage, the group health plans they establish and the company or persons with discretionary authority or responsibility for the maintenance, management or administration of these programs or their plans are required to comply with a variety of federal tax, labor and other rules.
Businesses and their owners or management leaders making these decisions should confirm that they fully understand these responsibilities and take appropriate steps to ensure their fulfillment before establishing or maintaining a group health plan to avoid exposing their business, its management or owners or others to unexpected and often substantial liabilities that can result from violation of these requirements. While small employers plans sometimes qualify for some relief from a few of these requirements, depending on their size, the majority of these federal rules apply to most if not all group health plans. Furthermore, businesses sponsoring these programs and their leaders involved in deciding whether and what health coverage to offer for employees and their dependents should not presume that their organization, the resulting plan or its fiduciaries will fulfill these requirements simply by purchasing coverage through the SHOP Marketplace, directly from an insurer, or with the assistance of a broker or consultant. Fulfillment of applicable requirements generally requires that sponsoring employers and individuals within the management responsible for or appointed to oversee the program to take other steps. The scope of responsibility and resulting liability to a sponsoring employer and members of its ownership or management also typically are impacted by the plan design and contracts used to establish and maintain the program, its funding, and various other factors. These factors generally include contractual language in insurance, consulting or brokerage, administrative services and other contracts presented by vendors for use in purchasing and maintaining the program that often shift responsibility for many duties an employer otherwise might assume would be born by the vendor. For these and other reasons, most businesses and their leadership will want to consider arranging for their proposed program and its associated contracts and arrangements to be reviewed by legal counsel experienced in group health plan and associated labor, tax and other laws and arrangements.
About The Author
Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: Erisa & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for work, teachings and publications.
Ms. Stamer works with businesses and their management, employee benefit plans, governments and other organizations deal with all aspects of human resources and workforce, internal controls and regulatory compliance, change management and other performance and operations management and compliance. Her day-to-day work encompasses both labor and employment issues, as well as independent contractor, outsourcing, employee leasing, management services and other nontraditional service relationships. She supports her clients both on a real-time, “on demand” basis and with longer term basis to deal with all aspects for workforce and human resources management, including, recruitment, hiring, firing, compensation and benefits, promotion, discipline, compliance, trade secret and confidentiality, noncompetition, privacy and data security, safety, daily performance and operations management, emerging crises, strategic planning, process improvement and change management, investigations, defending litigation, audits, investigations or other enforcement challenges, government affairs and public policy.
Well-known for her extensive work with health, insurance, financial services, technology, energy, manufacturing, retail, hospitality and governmental employers, her nearly 30 years’ of experience encompasses domestic and international businesses of all types and sizes.
A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her thought leadership, experience and advocacy on these and other concerns by her service in the leadership of a broad range of other professional and civic organization including her involvement as the Vice Chair of the North Texas Healthcare Compliance Association; Executive Director of the Coalition on Responsible Health Policy and its PROJECT COPE: Coalition on Patient Empowerment; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children; former Gulf Coast TEGE Council Exempt Organization Coordinator; a founding Board Member and past President of the Alliance for Healthcare Excellence; former board member and Vice President of the Managed Care Association; past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; a member and advisor to the National Physicians’ Council for Healthcare Policy; current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee; current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section; Past Chair of the ABA Health Law Section Managed Care & Insurance Section; a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group; immediate past RPTE Representative to ABA Joint Committee on Employee Benefits Council Representative and current RPTE Representative to the ABA Health Law Coordinating Council; past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee; a former member of the Board of Directors, Treasurer, Member and Continuing Education Chair of the Southwest Benefits Association and others.
Ms. Stamer also is a highly popular lecturer, symposia chair and author, who publishes and speaks extensively on human resources, labor and employment, employee benefits, compensation, occupational safety and health, and other regulatory and operational risk management. Examples of her many highly regarded publications on these matters include the “Texas Payday Law” Chapter of Texas Employment Law, as well as thousands of other publications, programs and workshops these and other concerns for the American Bar Association, ALI-ABA, American Health Lawyers, Society of Human Resources Professionals, the Southwest Benefits Association, the Society of Employee Benefits Administrators, the American Law Institute, Lexis-Nexis, Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, the HCCA, ISSA, HIMSS, Modern Healthcare, Managed Healthcare, Institute of Internal Auditors, Society of CPAs, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other symposia and publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, InsuranceThoughtLeadership.com and many other prominent publications and speaks and conducts training for a broad range of professional organizations and for clients on the Advisory Boards of InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications.
Want to know more? See here for details about the author of this update, attorney Cynthia Marcotte Stamer, e-mail her here or telephone Ms. Stamer at (469) 767-8872.
About Solutions Law Press, Inc.™
Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources at SolutionsLawPress.com
If you or someone else you know would like to receive future updates about developments on these and other concerns, please provide your current contact information and preferences including your preferred e-mail by creating or updating your profile here.
NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The presenter and the program sponsor disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.
Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.
While Congress and the Trump Administration continue to ponder and debate what if anything to do with the health care reforms of the Patient Protection and Affordable Care Act (ACA), employer and other health plan sponsors, health plan insurers, plan fiduciaries and others responsible for health plan design, administration or funding must take steps to verify their past and continuing compliance with the ACA and other federal mandates while laying the groundwork to respond quickly to any eventual reforms.
Regardless of what, if anything, the existing Congress or the Trump Administration does to repeal or reform the ACA or other federal health plan rules, all health plan sponsors, insurers, fiduciaries and administrators should act to mitigate their substantial and ever-growing health plan exposures by arranging for an independent compliance audit of their health plan terms, materials and operations for potential uncorrected past or current violations of the 40 federal mandates covered by the Form 8928 reporting and associated Internal Revenue Code excise tax liability exposure, as well as other applicable plan liabilities under the Employee Retirement Income Security Act (ERISA), the Social Security Act, the Internal Revenue Code and other federal laws within open statute of limitation periods.
The cost, complexity and riskiness of health plan sponsorship and administration has grown exponentially over the past two decades. Thanks to the ACA and the continuous stream of other federal laws and regulations implemented over the past 20 years, sponsoring employers, as well as their health plans and those responsible as fiduciaries for administering, funding and insuring these programs now face huge costs, responsibilities and liabilities. While the ACA substantially expanded the federal health plan mandates and liabilities, the ACA is not the lone cause and its amendment or repeal alone won’t fully resolve these risks prospectively or retrospectively insulate sponsoring employers, their plans or their fiduciaries and insurers from the liabilities and costs of compliance issues occurring before Congress repeals or amends the ACA.
Of particular note for employer and other sponsors of group health plans are the self-reporting and excise tax self-assessment and payment requirements for employers coupled with the companion responsibilities and liabilities fiduciaries, plan administrators and others face under these federal mandates make it important that employers and others sponsoring group health plans and their management or other leaders overseeing or participating in plan design or vendor selection, plan administration or other plan related activities get advice and help from qualified legal counsel experienced in health plan matters:
To conduct an independent compliance review and risk assessment of their health plans,
To recommend and assist in the performance of recommended steps to correct or mitigate risks from any potential past or existing violations or other exposures that have arisen or are likely to arise from existing contractual, plan design or other health plan actions;
To explore the potential advisability of taking additional steps to prevent or mitigate health plan associated compliance or other risks going forward whether or not health reform happens; and
To begin preparing to take advantage of any impending health care reforms by evaluating the requirements and procedures that existing plan terms, contracts, vendors and arrangements are likely to require to implement changes necessary to respond to any reforms as quickly and efficiently as possible.
Spring Clean Your Health Plan House
Since any reforms eventually enacted are unlikely to retroactively eliminate liability of employers, their health plans or fiduciaries for violations of federal health plan mandates, health plan terms, or associated contracts occurring before the effective date of reform, employer and other health plan sponsors, fiduciaries, insurers and administrators should begin by identifying, cleaning up any existing, unresolved, and preventing any new health plan compliance problems.
While overall compliance with applicable federal mandates and health terms generally should be the goal, employers or others sponsoring group health plans need to be particularly concerned with their responsibilities and potential liability under the Internal Revenue Code to self-identify, report and pay stiff excise tax penalties of $100 per day per violation of any of 40 federal health plan mandates imposed by the ACA and various other federal laws when the sponsor files its annual tax return.
Sponsors and plan fiduciaries also need to be concerned about other risks beyond sponsoring employers’ excise tax liability exposures for sponsoring a non-compliant group health plan. Among other things, group health plans and their fiduciaries can face audits, litigation and enforcement actions by the Centers for Medicare & Medicaid Services and other health plans for improperly coordinating plan claims with other coverage as well as lawsuits from covered persons, their health care providers or other beneficiaries, the Department of Labor and CMS, or others seeking to enforce rights to benefits, penalties in the case of CMS or the Department of Labor, and attorneys’ fees and other costs of enforcement. Beyond benefit litigation, the employer or representatives of the sponsoring employer, if any, named or acting as fiduciaries, insurer or third-party service providers named or acting as fiduciaries, also could face fiduciary lawsuits seeking damages, equitable relief, and attorneys’ fees and costs of court, for failing to prudently administer the plan in accordance with its terms and the law brought by covered persons or their beneficiaries or the DOL as well as fiduciary breach penalties if the fiduciary breach action is brought by the DOL. If the plan fails to comply with claims and appeals procedures or other ERISA notification requirements, parties named or functioning as the plan administrator for this purpose also could face penalties of up to $125 per violation per day in the case of enforcement actions brought by participants and beneficiaries or $1025 per violation per day in the case of actions brought by the DOL, plus attorneys’ fees and other costs of enforcement. Unless the employer previously took steps to draft its health plan documents and negotiate its vendor contracts to provide otherwise, most vendor provided plans typically assign these liabilities to the sponsoring employer or a member of its management by naming that employer or the management person the “plan administrator” and/or “named fiduciary” responsible for those activities and liabilities, requiring the plan sponsor to indemnify the vendor for costs and liabilities arising from the performance of actions under the plan even when those actions don’t comply with ERISA fiduciary or other legal standards applicable to the performance of those duties under the plan, or both, and other contractual or plan provisions that shift liabilities and costs to the plan sponsor.
To mitigate their exposure to these liabilities and costs, employer or other health plan sponsors should consider arranging for an independent legal compliance and risk assessment of their health plan, its terms, materials and operations to help mitigate the sponsoring employer’s exposure to self-identify, self-report on IRS Form 2848 and pay the $100 per day per violation excise tax liability now generally required under the Internal Revenue Code for any such violation.
Beyond mitigating a plan sponsor’s Form 8928 reporting and associated excise tax exposures, an independent compliance audit also can mitigate other risks and exposures for the sponsoring employer, the plan and its fiduciaries, the cost of which the sponsoring employer often bears financial responsibility for funding pursuant to the contractual indemnification and funding obligations entered into in connection with the establishment and maintenance of the plan, the fiduciary role, if any, of the employer with respect to the plan, or both. Accordingly, a timely and appropriate review is likely to help mitigate other risks and liabilities such as:
Fiduciary liability that can arising from failing to administer the plan in accordance with these and other federal health plan mandates under ERISA;
Unanticipated benefit costs and liabilities, which for self-insured plans are likely to be particularly burdensome if compliance issues are not identified and corrected before applicable deadlines to pay and submit claims to the stop-loss or other insurer expire (usually at or shortly after the close of a plan year or if earlier, contract termination);
Benefit costs and penalties for wrongful coordination of benefits with Medicare, Medicaid, DOD and certain other plans or coverage in violation of Secondary Payer and other mandates; and
Costs of defending and settling audits, litigation and other government or participant enforcement actions.
Since prompt self-audit and correction can help mitigate all of these liabilities, business leaders of employers sponsoring health plans should act promptly to engage experienced legal counsel experienced with health plan laws and operations to advise the plan sponsor about how to audit their group health plan’s plan documents, materials and operations for compliance with these and other federal health plan rules within the scope of attorney-client privilege while managing tax, financial, benefit and fiduciary liability exposures to deal with potential compliance concerns that the review might discover as well as mitigate risks that could result if the audit is improperly structured or conducted.
Prepare To Respond To Potential Health Reform & Other Health Plan Improvement
Beyond identifying and addressing existing compliance concerns and other risks associated with prior or existing plan design or administration, most employer and other sponsors also will want to review the health plan document and materials and associated insurance, third-party administration and other health plan vendor contracts pursuant to which the health plan is established, maintained and administered to identify requirements and opportunities to respond quickly to make changes when and if health care reform happens as well as for other opportunities to mitigate existing risks and costs.
As most commentators expect some type of regulatory or statutory health plan relief to result from the current health care reform debates in Congress, employer and other health plan sponsors desiring to accelerate their ability to take advantage of any forthcoming relief should familiarize themselves with the procedures required under existing plan terms, contracts and rules to modify their programs in response to these changes. Almost certainly, plan sponsors should anticipate needing to adopt some amendments to plan documents, summary plan descriptions and other materials to take advantage of any legislative or statutory relief. Plan sponsors also need to keep in mind that their vendor contracts with administrators, group, stop-loss or captive insurers, and other vendors likely also will require the plan sponsor to notify and negotiate with its vendors to secure their agreement before adopting these changes to avoid violating those vendor agreements and prudently to arrange for appropriate implementation and administration of the modified plan design and terms. Identification of the contractual and plan requirements and commencement of discussions with the relevant vendors can help expedite the planning and implementation of any desired plan modifications the plan sponsor elects to make in response to any statutory or regulatory reforms.
While preparing for anticipated health care reforms, most plan sponsors also will want to review their plans and vendor contracts for other potential opportunities to mitigate risks or expenses. With respect to existing and future liability mitigation, each plan sponsor generally should carefully assess the allocation of fiduciary responsibility and liability between the sponsoring employer, members of its management or other workforce team, and vendors to identify potential areas where the contract may assign named or other plan administrator or other fiduciary status and liability to the plan sponsor or a member of its workforce for duties outsourced to a vendor. Sponsoring employers or their management may want to initiate negotiations with the vendor to reallocate the fiduciary role and responsibility to the party responsible for performance of the specific duties, enhancement of performance guarantees, indemnifications and insurance coverage for proper performance of the outsourced duties by the vendor in accordance with the plan terms, including any mandates imposed by the ACA and other federal laws in form and operation, and other safeguards or, if the vendor is unwilling to consider these changes, begin searching for a replacement vendor willing to provide better accountability for its actions with respect to the services it is hired to perform.
Except in rare circumstances where the sponsoring employer has carefully contracted to transfer fiduciary liability to its insurer or administrator and otherwise does not exercise or have a fiduciary obligation to exercise discretion or control over these responsibilities, employers sponsoring group health plans that violate federal mandates like the out-of-pocket limit often ultimately bear some or all of these liabilities even if the violation actually was committed by a plan vendor hired to administer the program either because the plan documents name the employer as the “named fiduciary” or “plan administrator” under ERISA, the employer or a member of its management named in the plan generally bears fiduciary responsibility functionally for selection or oversight of the culpable party, the employer signed a contract, resolution or plan document obligating the employer to indemnify the service provider for the liability, or a combination of these reasons.
Since prompt self-audit and correction can help mitigate all of these liabilities as well as help to preserve access to stop-loss or other reinsurance coverage, if any, applicable to help pay for some or all of any additional benefit liabilities resulting from these benefit mandates, business leaders of companies offering group health plan coverage should act quickly to engage experienced legal counsel for their companies for advice about how to audit their group health plan’s compliance with these and other federal health plan rules within the scope of attorney-client privilege while managing tax, financial, benefit and fiduciary liability exposures to deal with potential compliance concerns that the review might discover as well as mitigate risks that could result if the audit is improperly structured or conducted.
While businesses inevitably will need to involve or coordinate with their accounting, broker, and other vendors involved with the plans, businesses generally will want to get legal advice in a manner that preserves their potential to claim attorney-client privilege to protect against discovery in the event of future enforcement or litigation actions sensitive discussions and analysis about compliance audits, plan design choices, and other risk management and liability planning as well as to get help identifying potential plan design, contracting, procedural or other changes that may be needed to fix compliance deficiencies and mitigate other risks, particularly in light of complexity of the exposures and risks.
About The Author
Recognized by LexisNexis® Martindale-Hubbell® as a “AV-Preeminent” (Top 1%/ the highest) and “Top Rated Lawyer,” with special recognition as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Health Care,” “Labor & Employment,” “Tax: Erisa & Employee Benefits” and “Business and Commercial Law” by D Magazine, the author of this update is widely known for her 29 plus years’ of work in health care, health benefit, health policy and regulatory affairs and other health industry concerns as a practicing attorney and management consultant, thought leader, author, public policy advocate and lecturer.
Throughout her adult life and nearly 30-year legal career, Ms. Stamer’s legal, management and governmental affairs work has focused on helping health and othre employee benefit, financial services, health care and other organizations and their management use the law, performance and risk management tools and process to manage people, performance, quality, compliance, operations and risk.
Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer supports these organizations and their leaders on both a real-time, “on demand” basis as well as outsourced operations or special counsel on an interim, special project, or ongoing basis with strategic planning and product and services development and innovation; workforce and operations management, crisis preparedness and response as well as to prevent, stabilize and cleanup legal and operational crises large and small that arise in the course of operations.
Throughout her career, she has helped a diverse array of clients manage, administer and defend employee and other workforce, vendors and suppliers, their recruitment, selection, performance management, contracting, investigation, discipline and termination; health and other employee benefits; compensation; safety; governance; compliance and internal controls; strategic planning, process and quality improvement; change management; trade secret and other privacy, data security and data breach;; crisis preparedness and response; internal, government and third-party reporting relations, audits, investigations and enforcement; government affairs and public policy; and other compliance and risk management, government and regulatory affairs and operations concerns.
The American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting, former Vice President of the North Texas Health Care Compliance Professionals Association, past Chair of the ABA Health Law Section Managed Care & Insurance Section, past ABA JCEB Council Representative, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has worked extensively throughout her career with employers, health and other employee benefit plans, insurers, managed care organizations, health care clearinghouses, health care providers, their business associates, employers, banks and other financial institutions, management services organizations, professional and trade associations, accreditation agencies, auditors, technology and other vendors and service providers, and others on benefit and insurance program legal and operational compliance, risk management, public policies and regulatory affairs, contracting, payer-provider, provider-provider, vendor, patient, governmental and community relations and matters including extensive involvement advising, representing and defending plan sponsors, fiduciaries, service providers, managed care organizations, insurers, self-insured health plans and other payers. Her experience includes both leading edge work designing and administering programs, as well as defending clients in connection with audits and enforcement actions by OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC, OSHA, Department of Insurance, Department of Justice and state attorneys’ general and other federal and state agencies; accreditation and quality organizations; private litigation and other federal and state health care industry investigation, enforcement including insurance or other liability management and allocation; process and product development, contracting, deployment and defense; evaluation, commenting or seeking modification of regulatory guidance, and other regulatory and public policy advocacy; training and discipline; enforcement, and a host of other related concerns for public and private health care providers, health insurers, health plans, technology and other vendors, employers, and others.and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns.
Past Chair of the ABA Managed Care & Insurance Interest Group and, a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also has extensive health care reimbursement and insurance experience advising and defending health care providers, payers, and others about Medicare, Medicaid, Medicare and Medicaid Advantage, Tri-Care, self-insured group, association, individual and group and other health benefit programs and coverages including but not limited to advising public and private payers about coverage and program design and documentation, advising and defending providers, payers and systems and billing services entities about systems and process design, audits, and other processes; provider credentialing, and contracting; providers and payer billing, reimbursement, claims audits, denials and appeals, coverage coordination, reporting, direct contracting, False Claims Act, Medicare & Medicaid, ERISA, state Prompt Pay, out-of-network and other nonpar insured, and other health care claims, prepayment, post-payment and other coverage, claims denials, appeals, billing and fraud investigations and actions and other reimbursement and payment related investigation, enforcement, litigation and actions.
Heavily involved in health care and health information technology, data and related process and systems development, policy and operations innovation and a Scribe for ABA JCEB annual agency meeting with OCR for many years who has authored numerous highly-regarded works and training programs on HIPAA and other data security, privacy and use, Ms. Stamer also is widely recognized for her extensive work and leadership on leading edge health care and benefit policy and operational issues including meaningful use and EMR, billing and reimbursement, quality measurement and reimbursement, HIPAA, FACTA, PCI, trade secret, physician and other medical confidentiality and privacy, federal and state data security and data breach and other information privacy and data security rules and many other concerns. Her work includes both regulatory and public policy advocacy and thought leadership, as well as advising and representing a broad range of health industry and other clients about policy design, drafting, administration, business associate and other contracting, risk assessments, audits and other risk prevention and mitigation, investigation, reporting, mitigation and resolution of known or suspected violations or other incidents and responding to and defending investigations or other actions by plaintiffs, DOJ, OCR, FTC, state attorneys’ general and other federal or state agencies, other business partners, patients and others.
A lead policy advisor to the Government of Bolivia on its pension privitization project and involved in U.S. federal and state as well as cross border workforce, pension, health care, Social Security, immigration, and tax regulatory and statutory reform throughout her adult life, Ms. Stamer also is widely sought out for her thoughtleadership and assistance with domestic and international public policy concerns in Pensions, healthcare, workforce, immigration, tax, education and other areas.
A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, privacy and data security, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns.
A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her thought leadership, experience and advocacy on these and other related concerns by her service in the leadership of the Solutions Law Press, Inc. Coalition for Responsible Health Policy, its PROJECT COPE: Coalition on Patient Empowerment, and a broad range of other professional and civic organizations including North Texas Healthcare Compliance Association, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children (now Warren Center For Children); current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, past Representative and chair of various committees of ABA Joint Committee on Employee Benefits; a ABA Health Law Coordinating Council representative, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, a former member of the Board of Directors of the Southwest Benefits Association and others.
Ms. Stamer also is a highly popular lecturer, symposium and chair, faculty member and author, who publishes and speaks extensively on health and managed care industry, human resources, employment and other privacy, data security and other technology, regulatory and operational risk management for the American Bar Association, ALI-ABA, American Health Lawyers, Society of Human Resources Professionals, the Southwest Benefits Association, the Society of Employee Benefits Administrators, the American Law Institute, Lexis-Nexis, Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, the HCCA, ISSA, HIMSS, Modern Healthcare, Managed Healthcare, Institute of Internal Auditors, Society of CPAs, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other symposia and publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, Insurance Thought Leadership and many other prominent publications and speaks and conducts training for a broad range of professional organizations.
For more information about Ms. Stamer or her experience and involvements, see here or contact Ms. Stamer via telephone at (469) 767-8872 or via e-mail here.
About Solutions Law Press, Inc.™
Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources at www.solutionslawpress.com.
If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.
If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or updating your profile here.
Health plans, their fiduciaries and sponsors, health insurers, health care providers, health care clearinghouses (“covered entities”) and their business associates must get and keep your business associate (BA) agreements (BAAs) in place, up-to-date, and readily available for inspection in accordance with the Health Insurance Portability & Accountability Act (HIPAA) Privacy Rule, 45 C.F.R. Part 160 and Subparts A and E of Part 164 (Privacy Rule). That’s the clear message to covered entities and their business associates in the April 17, 2017 HIPAA Resolution Agreement just announced by the Department of Health & Human Services (HHS) Office of Civil Rights (OCR) with the Center for Children’s Digestive Health (CCDH).
While the Resolution Agreement relates to breaches of the BAA requirements of a small pediatric practice, all health plans, health care providers and other covered entities and business associates should focus on the adequacy of their BAAs and their BAA record keeping. HIPAA compliance surveys reflect deficiencies with the BAA rules are common throughout the industry. These findings and the involvement of BAs in data breaches or other OCR enforcement activities suggest a high probability that many other covered entities and business associates may be sitting ducks for similar sanctions. See e.g., HIPAA Compliance Survey Churns Up Many Business Associate Problems (January 3, 2017). Consequently, all covered entities and business associates generally should treat the CCDH Resolution Agreement as a message to review and correct as necessary their organizations’ compliance and recordkeeping to minimize their exposure to potential sanctions from violations of the HIPAA business associate rules.
The HIPAA Business Associate Agreement Requirements
OCR’s announcement of the CCDH Resolution Agreement is the latest in a growing series of HIPAA enforcement actions showing the growing risk covered entities and their business associates face for failing to take appropriate steps to comply with the BAA and other Privacy Rule requirements of HIPAA.
As compliance audits and surveys of covered entities and business associates suggest a high level of noncompliance with the business associate agreement requirements among covered entities and business associates, While the ever-growing list of Resolution Agreements and Civil Monetary Penalties announced by OCR cover a variety of categories of HIPAA violations, the CCDH Resolution Agreement highlights the importance of covered entities and their business associates ensuring that before the BA creates, accesses, receives, discloses, retains or destroys any PHI for the covered entity, a BAA meeting the Privacy Rule requirements is signed and retained for at least the six-year period the Privacy Rule requires in a manner easily producible when and if OCR or another agency asks for a copy as part of an investigation or other compliance audit. See Privacy Rule §§ 164.502(e), 164.504(e), 164.532(d) and (e).
The Privacy Rule requires that covered entities and business associates enter into a written and signed business associate agreement that contains the elements specified in Privacy Rule § 164.504(e) before the business associate creates, uses, accesses or discloses PHI of the covered entity. Meanwhile, the Privacy Rule recordkeeping requirements require that covered entities and BAs maintain copies of these BAAs for a minimum of six years.
Violations of the Privacy Rule can carry stiff civil or even criminal penalties Pursuant to amendments to HIPAA enacted as part of the HITECH Act, civil penalties typically do not apply to violations punished under the criminal penalty rules of HIPAA set forth in Social Security Act , 42 U.S.C § 1320d-6 (Section 1177).
Under Section 1177, the criminal enforcement provisions of HIPAA authorize the Justice Department to prosecute a person who knowingly in violation of the Privacy Rule (1) uses or causes to be used a unique health identifier; (2) obtains individually identifiable health information relating to an individual; or (3) discloses individually identifiable health information to another person, punishable by the following criminal sanctions and penalties:
A fine of up to $50,000, imprisoned not more than 1 year, or both;
If the offense is committed under false pretenses, a fine of up to $100,000, imprisonment of not more than 5 years, or both; and
If the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, a fine of up to $250,000, imprisoned not more than 10 years, or both.
In contrast, as amended by the HITECH Act, the civil enforcement provisions of HIPAA empower OCR to impose Civil Monetary Penalties on both covered entities and BAs for violations of any of the requirements of the Privacy or Security Rules. The penalty ranges for civil violations depends upon the circumstances associated with the violations and are subject to upward adjustment for inflation. As most recently adjusted here effective September 6, 2016, the following currently are the progressively increasing Civil Monetary Penalty tiers:
A minimum penalty of $100 and a maximum penalty of $50,000 per violation, for violations which the CE or BA “did not know, and by exercising reasonable diligence would not have known” about using “the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances;”
A minimum penalty of $1,000 and a maximum penalty of $50,000 per violation, for violations for “reasonable cause” which do not rise to the level of “willful neglect” where “reasonable cause” means the “circumstances that would make it unreasonable for the covered entity, despite the exercise of ordinary business care and prudence, to comply with the violated Privacy Rule requirement;”
A minimum penalty of $10,000 and a maximum penalty of $50,000 per violation, for violations attributed to “willful neglect,” defined as “the conscious, intentional failure or reckless indifference to the obligation to comply” with the requirement or prohibition; and
A minimum penalty of $50,000 and a maximum penalty of $1.5 million per violation, for violations attributed to “willful neglect” not remedied within 30 days of the date that the covered entity or BA knew or should have known of the violation.
For continuing violations such as failing to implement a required BAA, OCR can treat each day of noncompliance as a separate violation. However, sanctions under each of these tiers generally are subject to a maximum penalty of $1,500,000 for violations of identical requirements or prohibitions during a calendar year. For violations such as the failure to implement and maintain a required BAA where more than one covered entity bears responsibility for the violation, OCR an impose Civil Monetary Penalties against each culpable party. OCR considers a variety of mitigating and aggravating facts and circumstances when arriving at the amount of the penalty within each of these applicable tiers to impose.
CCDH Sanctions For Violation Of HIPAA Business Associate Agreement Rules
The CCDH Resolution Agreement arises from violations of this requirement that OCR says it discovered as a result of a compliance review conducted in response to an OCR investigation of a CCDH business associate, FileFax, Inc. According to OCR, OCR found from the compliance review of CCDH triggered by OCR’s investigation of FileFax that while CCDH began disclosing PHI to Filefax in 2003 and that Filefax stored records containing protected health information (PHI) for CCDH, neither CCDH nor Filefax could produce a signed Business Associate Agreement (BAA) covering their relationship for any period before October 12, 2015.
Based on the resulting investigation, OCR concluded:
CCDH failed to obtain a BAA providing written assurances from Filefax that it would appropriately safeguard the PHI in Filefax’s possession or control satisfactory assurances as required by Privacy Rule §164.502(e); and
Because CCDH failed to secure the required BAA, it violated the Privacy Rule by impermissibly disclosing the PHI of at least 10,728 individuals to Filefax when CCDH transferred the PHI to Filefax without obtaining the requisite BAA from Filefax (Covered Conduct).
In the Resolution Agreement, CCDH agrees to pay HHS $31,000.00 (Resolution Amount) and enter into and comply with a Corrective Action Plan (CAP) in return for OCR’s release of CCDH from liability for “any actions it may have against CCDH under the HIPAA Rules” for the Covered Conduct. The Resolution Agreement only settles the civil monetary penalty and other OCR enforcement liabilities of CCDH with respect to the Covered Conduct. Its provisions expressly state the Resolution Agreement does not affect any exposures of CCDH to CCDH to OCR civil monetary penalties or other enforcement for any HIPAA violations other than the Covered Conduct.
Perhaps even more noteworthy given the HITECH Act’s provisions coordinating the civil and criminal sanctions of HIPAA, while the Resolution Agreement provides no clear indication that the Justice Department might be considering criminally prosecuting CCDH or any other party in relation to the Covered Conduct, the Resolution Agreement also expressly states that its provisions do not affect CCDH’s potential exposure, if any, to criminal prosecution by the Justice Department for a criminal violation of the Privacy Rules under Section 1177 of the Social Security Act.
Implications For Covered Entities & Business Associates
Covered entities and their business associates should heed the CCDH Resolution Agreement as a strong message from OCR to ensure their organizations are complying with HIPAA’s BAA and other requirements. The Resolution Agreement makes clear that the starting point of this compliance effort must be obtaining and maintaining the requisite BAAs for each BA relationship.
To position their organizations to withstand potential investigation by OCR, covered entities and BAs should start by conducting a well-documented audit within the scope of attorney-client privilege both to verify that an appropriate, signed BAA is in place for each BA relationship as well as adequacy of processes for identifying business associate relationships, ensuring that signed BAAs are in effect before BAs access any PHI, and for investigating, reporting and resolving any breaches of the HIPAA Privacy or Security Rules that may arise in the course of operations.
Conducting this audit as soon as possible is particularly important in light of reported findings of widespread compliance concerns. See HIPAA Compliance Survey Churns Up Many Business Associate Problems (January 3, 2017). As the audit process could identify potential violations or other legally sensitive concerns, covered entities and business associates generally will want to arrange for this audit and evaluation to be conducted under the supervision of legal counsel experienced with HIPAA within or pursuant to processes structured with the assistance of legal counsel within the scope of attorney-client privilege.
Beyond confirming all necessary BAAs are in place, covered entities and business associates also generally will want to evaluate the adequacy of BAs’ processes and procedures for maintaining compliance with the Privacy and Security Rules as well as processes and procedures for responding to audits, investigations and complaints, reporting and addressing breaches of electronic and other PHI and other possible compliance concerns under HIPAA and other related laws. In many instances, parties may n wish to revise and strengthen existing BAAs to more specifically define these policies and procedures more specifically as well as indemnification, cyber or other liability coverage requirements and other contractual provisions for allocating potential costs and liabilities arising from breaches, audits, investigations and other expenses associated with the administration of these provisions.
About The Author
Recognized by LexisNexis® Martindale-Hubbell® as a “AV-Preeminent” (Top 1%/ the highest) and “Top Rated Lawyer,” with special recognition as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Health Care,” “Labor & Employment,” “Tax: Erisa & Employee Benefits” and “Business and Commercial Law” by D Magazine, the author of this update is widely known for her 29 plus years’ of work in health care, health benefit, health policy and regulatory affairs and other health industry concerns as a practicing attorney and management consultant, thought leader, author, public policy advocate and lecturer.
Throughout her adult life and nearly 30-year legal career, Ms. Stamer’s legal, management and governmental affairs work has focused on helping health industry, health benefit and other organizations and their management use the law, performance and risk management tools and process to manage people, performance, quality, compliance, operations and risk. Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer supports these organizations and their leaders on both a real-time, “on demand” basis as well as outsourced operations or special counsel on an interim, special project, or ongoing basis with strategic planning and product and services development and innovation; workforce and operations management, crisis preparedness and response as well as to prevent, stabilize and cleanup legal and operational crises large and small that arise in the course of operations.
As a core component of her work, Ms. Stamer has worked extensively throughout her career with health care providers, health plans and insurers, managed care organizations, health care clearinghouses, their business associates, employers, banks and other financial institutions, management services organizations, professional associations, medical staffs, accreditation agencies, auditors, technology and other vendors and service providers, and others on legal and operational compliance, risk management and compliance, public policies and regulatory affairs, contracting, payer-provider, provider-provider, vendor, patient, governmental and community relations and matters including extensive involvement advising, representing and defending public and private hospitals and health care systems; physicians, physician organizations and medical staffs; specialty clinics and pharmacies; skilled nursing, home health, rehabilitation and other health care providers and facilities; medical staff, accreditation, peer review and quality committees and organizations; billing and management services organizations; consultants; investors; technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, insurers, self-insured health plans and other payers; and other health industry clients to manage and defend compliance, public policy, regulatory, staffing and other operations and risk management concerns. A core focus of this work includes work to establish and administer compliance and risk management policies; comply with requirements, investigate and respond to Board of Medicine, Health, Nursing, Pharmacy, Chiropractic, and other licensing agencies, Department of Aging & Disability, FDA, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; dealings with JCHO and other accreditation and quality organizations; investigation and defense of private litigation and other federal and state health care industry investigations and enforcement; insurance or other liability management and allocation; process and product development; managed care, physician and other staffing, business associate and other contracting; evaluation, commenting or seeking modification of regulatory guidance, and other regulatory and public policy advocacy; training and discipline; and a host of other related concerns for public and private health care providers, health insurers, health plans, technology and other vendors, employers, and others.
In the course of this work, Ms. Stamer has accumulated extensive experience helping health industry clients manage workforce, medical staff, vendors and suppliers, medical billing, reimbursement, claims and other provider-payer relations, business partners, and their recruitment, performance, discipline, compliance, safety, compensation, benefits, and training, board, medical staff and other governance; compliance and internal controls; strategic planning, process and quality improvement; change management; assess, deter, investigate and address staffing, quality, compliance and other performance; meaningful use, EMR, HIPAA and other data security and breach and other health IT and data; crisis preparedness and response; internal, government and third-party reporting, audits, investigations and enforcement; government affairs and public policy; and other compliance and risk management, government and regulatory affairs and operations concerns.
Author of leading works on HIPAA and other privacy and data security works and the scribe leading the American Bar Association Joint Committee on Employee Benefits Annual Agency Meeting with OCR, her experience includes extensive compliance, risk management and data breach and other crisis event investigation, response and remediation under HIPAA and other laws.
The American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting, former Vice President of the North Texas Health Care Compliance Professionals Association, past Chair of the ABA Health Law Section Managed Care & Insurance Section, past ABA JCEB Council Representative, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has worked closely with a diverse range of physicians, hospitals and healthcare systems, DME, Pharma, clinics, health care providers, managed care, insurance and other health care payers, quality assurance, credentialing, technical, research, public and private social and community organizations, and other health industry organizations and their management deal with governance; credentialing, patient relations and care; staffing, peer review, human resources and workforce performance management; outsourcing; internal controls and regulatory compliance; billing and reimbursement; physician, employment, vendor, managed care, government and other contracting; business transactions; grants; tax-exemption and not-for-profit; licensure and accreditation; vendor selection and management; privacy and data security; training; risk and change management; regulatory affairs and public policy and other concerns.
Past Chair of the ABA Managed Care & Insurance Interest Group and, a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also has extensive health care reimbursement and insurance experience advising and defending health care providers, payers, and others about Medicare, Medicaid, Medicare and Medicaid Advantage, Tri-Care, self-insured group, association, individual and group and other health benefit programs and coverages including but not limited to advising public and private payers about coverage and program design and documentation, advising and defending providers, payers and systems and billing services entities about systems and process design, audits, and other processes; provider credentialing, and contracting; providers and payer billing, reimbursement, claims audits, denials and appeals, coverage coordination, reporting, direct contracting, False Claims Act, Medicare & Medicaid, ERISA, state Prompt Pay, out-of-network and other nonpar, insured, and other health care claims, prepayment, post-payment and other coverage, claims denials, appeals, billing and fraud investigations and actions and other reimbursement and payment related investigation, enforcement, litigation and actions.
Heavily involved in health care and health information technology, data and related process and systems development, policy and operations innovation and a Scribe for ABA JCEB annual agency meeting with OCR for many years who has authored numerous highly-regarded works and training programs on HIPAA and other data security, privacy and use, Ms. Stamer also is widely recognized for her extensive work and leadership on leading edge health care and benefit policy and operational issues including meaningful use and EMR, billing and reimbursement, quality measurement and reimbursement, HIPAA, FACTA, PCI, trade secret, physician and other medical confidentiality and privacy, federal and state data security and data breach and other information privacy and data security rules and many other concerns.
In connection with this work, Ms. Stamer has worked extensively with health care providers, health plans, health care clearinghouses, their business associates, employers and other plan sponsors, banks and other financial institutions, and others on risk management and compliance with HIPAA, FACTA, trade secret and other information privacy and data security rules, including the establishment, documentation, implementation, audit and enforcement of policies, procedures, systems and safeguards, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and and enforcement, and a host of other related concerns. Her clients include public and private health care providers, health insurers, health plans, technology and other vendors, and others.
Her work includes both regulatory and public policy advocacy and thought leadership, as well as advising and representing a broad range of health industry and other clients about policy design, drafting, administration, business associate and other contracting, risk assessments, audits and other risk prevention and mitigation, investigation, reporting, mitigation and resolution of known or suspected violations or other incidents and responding to and defending investigations or other actions by plaintiffs, DOJ, OCR, FTC, state attorneys’ general and other federal or state agencies, other business partners, patients and others.
In addition to representing and advising these organizations, she also has conducted training on Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, MGMA, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.
A former lead consultant to the Government of Bolivia on its Pension Privatization Project with extensive domestic and international public policy concerns in Pensions, healthcare, workforce, immigration, tax, education and other areas.
A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, privacy and data security, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns.
A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her thought leadership, experience and advocacy on these and other related concerns by her service in the leadership of the Solutions Law Press, Inc. Coalition for Responsible Health Policy, its PROJECT COPE: Coalition on Patient Empowerment, and a broad range of other professional and civic organizations including North Texas Healthcare Compliance Association, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children (now Warren Center For Children); current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, past Representative and chair of various committees of ABA Joint Committee on Employee Benefits; a ABA Health Law Coordinating Council representative, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, a former member of the Board of Directors of the Southwest Benefits Association and others.
Ms. Stamer also is a highly popular lecturer, symposium and chair, faculty member and author, who publishes and speaks extensively on health and managed care industry, human resources, employment and other privacy, data security and other technology, regulatory and operational risk management. Examples of her many highly regarded publications on these matters include “Protecting & Using Patient Data In Disease Management: Opportunities, Liabilities And Prescriptions,” “Privacy Invasions of Medical Care-An Emerging Perspective,” “Cybercrime and Identity Theft: Health Information Security: Beyond HIPAA,” as well as thousands of other publications, programs and workshops these and other concerns for the American Bar Association, ALI-ABA, American Health Lawyers, Society of Human Resources Professionals, the Southwest Benefits Association, the Society of Employee Benefits Administrators, the American Law Institute, Lexis-Nexis, Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, the HCCA, ISSA, HIMSS, Modern Healthcare, Managed Healthcare, Institute of Internal Auditors, Society of CPAs, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other symposia and publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, Insurance Thought Leadership and many other prominent publications and speaks and conducts training for a broad range of professional organizations.
For more information about Ms. Stamer or her health industry and other experience and involvements, see here or contact Ms. Stamer via telephone at (469) 767-8872 or via e-mail here.
About Solutions Law Press, Inc.™
Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources here.
If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.
If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or updating your profile here.
A new Department of Health and Human Services Office of Civil Rights (OCR) CardioNet Resolution Agreement and Corrective Action Plan (Resolution Agreement) settling OCR charges of violations of the Privacy and Security Rules of the Health Insurance Portability & Accountability Act against remote cardiac monitoring provider CardioNet provides important lessons for all health plans, health insurers, telemedicine and other healthcare providers, healthcare clearinghouses (Covered Entities) and their business associates about steps to take to reduce their risk of getting hit with big OCR penalty like the $2.5 million settlement payment CardioNet must pay under the Resolution Agreement.
OCR announced the first OCR HIPAA settlement involving a wireless health services provider Monday, April 24. Under the Resolution Agreement, CardioNet agrees to pay OCR $2.5 million and to implement a corrective action plan to settle potential OCR charges it violated the HIPAA Privacy and Security Rules based on the impermissible disclosure of unsecured electronic protected health information (ePHI).
CardioNet Charges & Settlement
As has become increasingly common in recent years, the CardioNet settlement arose from concerns initially brought to OCR’s attention in connection with a HIPAA breach notification report. On January 10, 2012, OCR received notification from the provider of remote mobile monitoring of and rapid response to patients at risk for cardiac arrhythmias that a workforce member’s laptop with the ePHI of 1,391 individuals was stolen from a parked vehicle outside of the employee’s home. CardioNet subsequently notified OCR of a second breach of ePHI 2,219 individuals, respectively.
Likewise, the HIPAA breaches uncovered by OCR in the course of investigating these CardioNet breaches occur in the operations of many other covered entities. According to the OCR’s investigation in response to these breach reports revealed a series of continuing compliance concerns, including:
CardioNet failed to conduct an accurate and thorough risk analysis to assess the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI and failed to plan for and implement security measures sufficient to reduce those risks and vulnerabilities;
CardioNet’s policies and procedures implementing the standards of the HIPAA Security Rule were in draft form and had not been implemented;
CardioNet was unable to produce any final policies or procedures regarding the implementation of safeguards for ePHI, including those for mobile devices;
CardioNet failed to implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of its facilities, the encryption of such media, and the movement of these items within its facilities until March 2015; and
CardioNet failed to safeguard against the impermissible disclosure of protected health information by its employees, thereby permitting access to that information by an unauthorized individual, and failed to take sufficient steps to immediately correct the disclosure.
To resolve these OCR charges, CardioNet agrees in the Resolution Agreement to pay $2.5 million to OCR and implement a corrective action plan. Among other things, the corrective action plan requires CardioNet to complete the following actions to the satisfaction of OCR:
Prepare a current, comprehensive and thorough Risk Analysis of security risks and vulnerabilities that incorporates its current facility or facilities and the electronic equipment, data systems, and applications controlled, currently administered or owned by CardioNet, that contain, store, transmit, or receive electronic protected health information (“ePHI”) and update that Risk Analysis annually or more frequently, if appropriate in response to environmental or operational changes affecting the security of ePHI.
Assess whether its existing security measures are sufficient to protect its ePHI and revise its Risk Management Plan, Policies and Procedures, and training materials and implement additional security measures, as needed.
Develop and implement an organization-wide Risk Management Plan to address and mitigate any security risks and vulnerabilities found in the Risk Analysis as required by the Risk Management Plan.
Review and, to the extent necessary, revise, its current Security Rule Policies and Procedures (“Policies and Procedures”) based on the findings of the Risk Analysis and the implementation of the Risk Management Plan to comply with the HIPAA Security Rule.
Provide certification to OCR that all laptops, flashdrives, SD cards, and other portable media devices are encrypted, together with a description of the encryption methods used (“Certification”).
Review, revise its HIPAA Security training to include a focus on security, encryption, and handling of mobile devices and out-of-office transmissions and other policies and practices require to address the issues identified in the Risk Assessment and otherwise comply with the Risk Management Plan and HIPAA train its workforce on these policies and practices.
Investigate all potential violations of its HIPAA policies and procedures and notify OCR in writing within 30 days of any violation.
Submit annual reports to OCR, which must be signed by an owner or officer of CardioNet attesting that he or she has reviewed the annual report, has made a reasonable inquiry regarding its content and believes that, upon such inquiry, the information is accurate and truthful.
Maintain for inspection and copying, and provide to OCR, upon request, all documents and records relating to compliance with the corrective action plan for six years.
Implications For Covered Entities & Business Associates
The latest in a rapidly-growing list of high dollar HIPAA enforcement actions by OCR, the CardioNet Resolution Agreement contains numerous lessons for other Covered entities and their business associates about the importance of appropriate HIPAA privacy and security compliance, including but not limited to the following:
Like many previous resolution agreements announced by OCR, the Resolution Agreement reiterates the responsibility of covered entities and business associates to properly secure their ePHI and that as part of this process, OCR expects all laptop computers and other mobile devices containing or with access to ePHI be properly encrypted and secured.
It also reminds covered entities and their business associates to be prepared for, and expect an audit from OCR when OCR receives a report that their organization experienced a large breach of unsecured ePHI.
The Resolution Agreement’s highlighting of the draft status of CardioNet’s privacy and security policies also reflects OCR expects covered entities to actually final policies, procedures and training in place for maintaining compliance with HIPAA.
The discussion and requirements in the Corrective Action Plan relating to requirements to conduct comprehensive risk assessments at least annually and in response to other events, and to update policies and procedures in response to findings of these risk assessments also drives home the importance of conducting timely, documented risk analyses of the security of their ePHI, taking prompt action to address known risks and periodically updating the risk assessment and the associated privacy and security policies and procedures in response to the findings of the risk assessment and other changing events.
The requirement in the Resolution Agreement of leadership attestation and certification on the required annual report reflects OCR’s expectation that leadership within covered entities and business associates will make HIPAA compliance a priority and will take appropriate action to oversee compliance.
Finally, the $2.5 million settlement payment required by the Resolution Agreement and its implementation against CardioNet makes clear that OCR remains serious about HIPAA enforcement.
Of course, covered entities and business associates need to keep in mind that acts, omissions and events that create HIPAA liability risks also carry many other potential legal and business risks. For instance, since PHI records and data involved in such breaches usually incorporates Social Security Numbers, credit card or other debt or payment records or other personal consumer information, and other legally sensitive data, covered entities and business associates generally also may face investigation, notification and other responsibilities and liabilities under confidentiality, privacy or data security rules of the Fair and Accurate Credit Transaction Act (FACTA), the Internal Revenue Code, the Social Security Act, state identity theft, data security, medical confidentiality, privacy and ethics, insurance, consumer privacy, common law or other state privacy claims and a host of other federal or state laws. Depending on the nature of the covered entity or its business associates, the breach or other privacy event also may trigger fiduciary liability exposures for health plan fiduciaries in the case of a health plan, professional ethics or licensing investigations or actions against health care providers, insurance companies, administrative service providers or brokers, shareholder or other investor actions, employment or vendor termination or disputes and a host of other indirect legal consequences.
Beyond, and regardless of if, a covered entity or business ultimately succeeds in defending its actions against a charge of violating any of these or other standards, however, covered entities, business associates and their leaders should keep in mind that the most material and often most intractable consequences of a HIPAA or other data or other privacy breach report or public accusation, investigation, admission also typically are the most inevitable:
The intangible, but critical loss of trust and reputation covered entities and business associates inevitably incur among their patients, participants, business partners, investors and the community; and
The substantial financial expenses and administrative and operational disruptions of investigating, defending the actions of the organization and implementation of post-event corrective actions following a data or other privacy breach, audit, investigation, or charge.
In light of these risks, covered entities business associates and their management should use the experiences of CardioNet and other covered entities or business associates caught violating HIPAA or other privacy and security standards to reduce their HIPAA and other privacy and data security exposures. Management of covered entities and their business associates should take steps to ensure that their organizations policies, practices and procedures currently are up-to-date, appropriately administered and monitored, and properly documented. Management should ensure that their organizations carefully evaluate and strengthen as necessary their current HIPAA risk assessments, policies, practices, record keeping and retention and training in light of these and other reports as they are announced in a well-documented manner. The focus of these activities should be both to maintain compliance and position their organizations efficiently and effectively to respond to and defend their actions against a data breach, investigation, audit or accusation of a HIPAA or other privacy or security rule violation with a minimum of liability, cost and reputational and operational damages.
As the conduct of these activities generally will involve the collection and analysis of legally sensitive matters, most covered entities and business associates will want to involve legal counsel experienced with these matters and utilize appropriate procedures to be able to use and assert attorney-client privilege and other evidentiary privileges to mitigate risks associated with these processes. To help plan for and mitigate foreseeable expenses of investigating, responding to or mitigating a known, suspected or asserted breech or other privacy event, most covered entities and business associates also will want to consider the advisability of tightening privacy and data security standards, notification, cooperation and indemnification protections in contracts between covered entities and business associates, acquiring or expanding data breach or other liability coverage, or other options for mitigating the financial costs of responding to a breach notification, investigation or enforcement action.
About The Author
Recognized by LexisNexis® Martindale-Hubbell® as a “AV-Preeminent” (Top 1%/ the highest) and “Top Rated Lawyer,” with special recognition as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Health Care,” “Labor & Employment,” “Tax: Erisa & Employee Benefits” and “Business and Commercial Law” by D Magazine, the author of this update is widely known for her 29 plus years’ of work in health care, health benefit, health policy and regulatory affairs and other health industry concerns as a practicing attorney and management consultant, thought leader, author, public policy advocate and lecturer.
Throughout her adult life and nearly 30-year legal career, Ms. Stamer’s legal, management and governmental affairs work has focused on helping health industry, health benefit and other organizations and their management use the law, performance and risk management tools and process to manage people, performance, quality, compliance, operations and risk. Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer supports these organizations and their leaders on both a real-time, “on demand” basis as well as outsourced operations or special counsel on an interim, special project, or ongoing basis with strategic planning and product and services development and innovation; workforce and operations management, crisis preparedness and response as well as to prevent, stabilize and cleanup legal and operational crises large and small that arise in the course of operations.
As a core component of her work, Ms. Stamer has worked extensively throughout her career with health care providers, health plans and insurers, managed care organizations, health care clearinghouses, their business associates, employers, banks and other financial institutions, management services organizations, professional associations, medical staffs, accreditation agencies, auditors, technology and other vendors and service providers, and others on legal and operational compliance, risk management and compliance, public policies and regulatory affairs, contracting, payer-provider, provider-provider, vendor, patient, governmental and community relations and matters including extensive involvement advising, representing and defending public and private hospitals and health care systems; physicians, physician organizations and medical staffs; specialty clinics and pharmacies; skilled nursing, home health, rehabilitation and other health care providers and facilities; medical staff, accreditation, peer review and quality committees and organizations; billing and management services organizations; consultants; investors; technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, insurers, self-insured health plans and other payers; and other health industry clients to manage and defend compliance, public policy, regulatory, staffing and other operations and risk management concerns. A core focus of this work includes work to establish and administer compliance and risk management policies; comply with requirements, investigate and respond to Board of Medicine, Health, Nursing, Pharmacy, Chiropractic, and other licensing agencies, Department of Aging & Disability, FDA, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; dealings with JCHO and other accreditation and quality organizations; investigation and defense of private litigation and other federal and state health care industry investigations and enforcement; insurance or other liability management and allocation; process and product development; managed care, physician and other staffing, business associate and other contracting; evaluation, commenting or seeking modification of regulatory guidance, and other regulatory and public policy advocacy; training and discipline; and a host of other related concerns for public and private health care providers, health insurers, health plans, technology and other vendors, employers, and others.
In the course of this work, Ms. Stamer has accumulated extensive experience helping health industry clients manage workforce, medical staff, vendors and suppliers, medical billing, reimbursement, claims and other provider-payer relations, business partners, and their recruitment, performance, discipline, compliance, safety, compensation, benefits, and training, board, medical staff and other governance; compliance and internal controls; strategic planning, process and quality improvement; change management; assess, deter, investigate and address staffing, quality, compliance and other performance; meaningful use, EMR, HIPAA and other data security and breach and other health IT and data; crisis preparedness and response; internal, government and third-party reporting, audits, investigations and enforcement; government affairs and public policy; and other compliance and risk management, government and regulatory affairs and operations concerns.
Author of leading works on HIPAA and other privacy and data security works and the scribe leading the American Bar Association Joint Committee on Employee Benefits Annual Agency Meeting with OCR, her experience includes extensive compliance, risk management and data breach and other crisis event investigation, response and remediation under HIPAA and other data security, privacy and breach laws. Heavily involved in health care and health information technology, data and related process and systems development, policy and operations innovation and a Scribe for ABA JCEB annual agency meeting with OCR for many years who has authored numerous highly regarded works and training programs on HIPAA and other data security, privacy and use, Ms. Stamer also is widely recognized for her extensive work and leadership on leading edge health care and benefit policy and operational issues including meaningful use and EMR, billing and reimbursement, quality measurement and reimbursement, HIPAA, FACTA, PCI, trade secret, physician and other medical confidentiality and privacy, federal and state data security and data breach and other information privacy and data security rules and many other concerns.
In connection with this work, Ms. Stamer has worked extensively with health care providers, health plans, health care clearinghouses, their business associates, employers and other plan sponsors, banks and other financial institutions, and others on risk management and compliance with HIPAA, FACTA, trade secret and other information privacy and data security rules, including the establishment, documentation, implementation, audit and enforcement of policies, procedures, systems and safeguards, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and enforcement, and a host of other related concerns. Her clients include public and private health care providers, health insurers, health plans, technology and other vendors, and others.
Her work includes both regulatory and public policy advocacy and thought leadership, as well as advising and representing a broad range of health industry and other clients about policy design, drafting, administration, business associate and other contracting, risk assessments, audits and other risk prevention and mitigation, investigation, reporting, mitigation and resolution of known or suspected violations or other incidents and responding to and defending investigations or other actions by plaintiffs, DOJ, OCR, FTC, state attorneys’ general and other federal or state agencies, other business partners, patients and others.
In addition to representing and advising these organizations, she also has conducted training on Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, MGMA, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.
A former lead consultant to the Government of Bolivia on its Pension Privatization Project with extensive domestic and international public policy concerns in Pensions, healthcare, workforce, immigration, tax, education and other areas.
The American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting, former Vice President of the North Texas Health Care Compliance Professionals Association, past Chair of the ABA Health Law Section Managed Care & Insurance Section, past ABA JCEB Council Representative, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has worked closely with a diverse range of physicians, hospitals and healthcare systems, DME, Pharma, clinics, health care providers, managed care, insurance and other health care payers, quality assurance, credentialing, technical, research, public and private social and community organizations, and other health industry organizations and their management deal with governance; credentialing, patient relations and care; staffing, peer review, human resources and workforce performance management; outsourcing; internal controls and regulatory compliance; billing and reimbursement; physician, employment, vendor, managed care, government and other contracting; business transactions; grants; tax-exemption and not-for-profit; licensure and accreditation; vendor selection and management; privacy and data security; training; risk and change management; regulatory affairs and public policy and other concerns.
Past Chair of the ABA Managed Care & Insurance Interest Group and, a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also has extensive health care reimbursement and insurance experience advising and defending health care providers, payers, and others about Medicare, Medicaid, Medicare and Medicaid Advantage, Tri-Care, self-insured group, association, individual and group and other health benefit programs and coverages including but not limited to advising public and private payers about coverage and program design and documentation, advising and defending providers, payers and systems and billing services entities about systems and process design, audits, and other processes; provider credentialing, and contracting; providers and payer billing, reimbursement, claims audits, denials and appeals, coverage coordination, reporting, direct contracting, False Claims Act, Medicare & Medicaid, ERISA, state Prompt Pay, out-of-network and other “nonpar,” insured, and other health care claims, prepayment, post-payment and other coverage, claims denials, appeals, billing and fraud investigations and actions and other reimbursement and payment related investigation, enforcement, litigation and actions.
A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, privacy and data security, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns.
A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her thought leadership, experience and advocacy on these and other related concerns by her service in the leadership of the Solutions Law Press, Inc. Coalition for Responsible Health Policy, its PROJECT COPE: Coalition on Patient Empowerment, and a broad range of other professional and civic organizations including North Texas Healthcare Compliance Association, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children (now Warren Center For Children); current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, past Representative and chair of various committees of ABA Joint Committee on Employee Benefits; an ABA Health Law Coordinating Council representative, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, a former member of the Board of Directors of the Southwest Benefits Association and others.
Ms. Stamer also is a highly popular lecturer, symposium and chair, faculty member and author, who publishes and speaks extensively on health and managed care industry, human resources, employment and other privacy, data security and other technology, regulatory and operational risk management. Examples of her many highly regarded publications on these matters include “Protecting & Using Patient Data In Disease Management: Opportunities, Liabilities And Prescriptions,” “Privacy Invasions of Medical Care-An Emerging Perspective,” “Cybercrime and Identity Theft: Health Information Security: Beyond HIPAA,” as well as thousands of other publications, programs and workshops these and other concerns for the American Bar Association, ALI-ABA, American Health Lawyers, Society of Human Resources Professionals, the Southwest Benefits Association, the Society of Employee Benefits Administrators, the American Law Institute, Lexis-Nexis, Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, the HCCA, ISSA, HIMSS, Modern Healthcare, Managed Healthcare, Institute of Internal Auditors, Society of CPAs, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other symposia and publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, Insurance Thought Leadership and many other prominent publications and speaks and conducts training for a broad range of professional organizations.
For more information about Ms. Stamer or her health industry and other experience and involvements, see here or contact Ms. Stamer via telephone at (469) 767-8872 or via e-mail here.
About Solutions Law Press, Inc.™
Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources here.
If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.
Employer and other health plan sponsors, fiduciaries and insurers generally should be prepared to prove that they are maintaining and administering their health plans to comply with many Patient Protection and Affordable Care Act (ACA) mandates pending Congressional repeal or reform of the ACA, despite President Trump’s January 20, 2017 Executive Order on “Minimizing the Economic Burden of the Patient Protection and Affordable Care Act Pending Repeal” (Executive Order) because the Federal agencies responsible for the implementation and interpretation of the ACA generally don’t have authority to bar health plan participants and beneficiaries from bringing benefit denial or breach of fiduciary duty lawsuits against health plans or fiduciaries for violating ACA mandates incorporated into the Employee Retirement Income Security Act (ERISA).
In addition to affirming President Trump’s commitment to seek the prompt repeal of the ACA, the Executive Order seeks to mitigate the burden of the ACA pending Congressional repeal by ordering the Departments Health and Human Services (HHS), Labor (DOL), Treasury (Treasury) and other agencies with ACA authority (Agencies) to exercise all available authority and discretion to the “maximum extent permitted by law:”
To waive, defer, grant exemptions from, or delay the implementation of any provision or requirement of the ACA that would impose a “cost, fee, tax, penalty, or regulatory burden on individuals, families, healthcare providers, health insurers, patients, recipients of healthcare services, purchasers of health insurance, or makers of medical devices, products, or medications.”
To provide greater flexibility to States and cooperate with them in implementing healthcare programs and to waive, defer, grant exemptions from, or delay the implementation of any provision or requirement of the Act that would impose a fiscal burden on any State;
For departments and agencies with responsibilities relating to healthcare or health insurance to encourage the development of a free and open market in interstate commerce for the offering of healthcare services and health insurance, with the goal of achieving and preserving maximum options for patients and consumers.
While applicable Agencies are expected to act as quickly as possible to comply with President Trump’s orders, various statutory and procedural requirements almost certainly will limit both the relief granted and the speed with which the Agencies can grant the relief. One obvious place where statutory limitations on Agencies authority almost certainly will impact the availability of relief arises from the ACA’s incorporation of many of its patient protection act group mandates into ERISA. While the Agencies may possess the authority to lessen the burden of compliance with the regulatory mandates of the ACA by revising regulations, issuing enforcement relief or other certain other actions, these powers do not extend to blocking the authority of participants and beneficiaries to bring suit to enforce the provision of the ACA that the ACA added to ERISA through private benefit denial or breach of fiduciary duty lawsuits brought under ERISA.
In the case of insured health plans, sponsors, insurers and administrators also will need to consider whether their ability to take advantage of the federal relieve available is blocked or restricted by state insurance statutes, regulations or other administrative requirements. The likelihood of state statutory or regulatory restrictions on insured arrangements is particularly likely because of the heavy regulation of these products by states including the widespread incorporation of ACA mandates into state insurance laws and regulations in response to the Market Reform provisions of the ACA.
Even if these federal requirements are met to qualify for, adopt and implement any federally issued regulatory relief, employer and other plan sponsors, insurers, fiduciaries and administrators also should plan for and be prepared to run the necessary traps to properly amend their plan document, summary plan description and other plan notifications, administrative services agreements, stop loss or other insurance contracts and other vendor agreements to implement their desired changes. Beyond knowing what has to be done to adopt and communicate the desired changes, employer and other sponsors and fiduciaries, their consultants, brokers and advisors need to consider the requirements and consequences that the planned changes might have under applicable plan documents and vendor agreements to avoid unanticipated costs or liabilities as well as what actions are needed to ensure that ERISA’s prudence and other fiduciary requirements are met.
Until these and other required actions are completed by the Agencies and the applicable plan sponsors, fiduciaries and other parties, employers and other plan sponsors, their management, their health plans, health plan fiduciaries, administrators and insurers remain legally obligated to continue to comply with the ACA as presently implemented under the existing regulations and judicial and administrative rulings.
Responsible parties should begin preparing to take advantage of the anticipated legislative and regulatory relief both by both carefully monitoring statutory and regulatory health plan developments and positioning themselves to act quickly when relief comes by evaluating their existing heath plan documents, contracts, communications and systems to verify existing compliance and determine requirements for implementing any planned changes, opening up discussion vendors about these possibilities and taking other steps to position themselves to act knowledgeably and efficiently to take advantage of new opportunities if and when they emerge and are warranted.
About The Author
Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: Erisa & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney and management consultant, author, public policy advocate and lecturer widely known for work, teachings and publications.
Ms. Stamer works with health industry and other businesses and their management, employee benefit plans, governments and other organizations deal with all aspects of human resources and workforce, internal controls and regulatory compliance, change management and other performance and operations management and compliance. She supports her clients both on a real-time, “on demand” basis and with longer term basis to deal with daily performance management and operations, emerging crises, strategic planning, process improvement and change management, investigations, defending litigation, audits, investigations or other enforcement challenges, government affairs and public policy.
A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her thought leadership, experience and advocacy on these and other concerns by her service in the leadership of a broad range of other professional and civic organization including her involvement as the Vice Chair of the North Texas Healthcare Compliance Association; Executive Director of the Coalition on Responsible Health Policy and its PROJECT COPE: Coalition on Patient Empowerment; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children; former Gulf Coast TEGE Council Exempt Organization Coordinator; a founding Board Member and past President of the Alliance for Healthcare Excellence; former board member and Vice President of the Managed Care Association; past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; a member and advisor to the National Physicians’ Council for Healthcare Policy; current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee; current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section; Past Chair of the ABA Health Law Section Managed Care & Insurance Section; a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group; immediate past RPTE Representative to ABA Joint Committee on Employee Benefits Council Representative and current RPTE Representative to the ABA Health Law Coordinating Council; past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee; a former member of the Board of Directors, Treasurer, Member and Continuing Education Chair of the Southwest Benefits Association and others.
Ms. Stamer also is a highly popular lecturer, symposia chair and author, who publishes and speaks extensively on health and managed care industry, human resources, employment, employee benefits, compensation, and other regulatory and operational risk management. Examples of her many highly regarded publications on these matters include the “Texas Payday Law” Chapter of Texas Employment Law, as well as thousands of other publications, programs and workshops these and other concerns for the American Bar Association, ALI-ABA, American Health Lawyers, Society of Human Resources Professionals, the Southwest Benefits Association, the Society of Employee Benefits Administrators, the American Law Institute, Lexis-Nexis, Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, the HCCA, ISSA, HIMSS, Modern Healthcare, Managed Healthcare, Institute of Internal Auditors, Society of CPAs, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other symposia and publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, InsuranceThoughtLeadership.com and many other prominent publications and speaks and conducts training for a broad range of professional organizations and for clients on the Advisory Boards of InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications. For additional information about Ms. Stamer, see CynthiaStamer.com or contact Ms. Stamer via email here or via telephone to (469) 767-8872.
About Solutions Law Press, Inc.™
Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources at SolutionsLawPress.com such as:
If you or someone else you know would like to receive future updates about developments on these and other concerns, please provide your current contact information and preferences including your preferred e-mail by creating or updating your profile here.
NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The presenter and the program sponsor disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.
Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein
Trump Executive Order Promises But Gives No ACA Health Plan Relief Until Agencies Act
Employer and other health plan sponsors, insurers, plan members and their family, health care providers and others struggling to cope with the costs and burdens of complying with the Patient Protection and Affordable Care Act (ACA) health care reforms are celebrating the promise of impending relief from ACA mandates held out by newly inagurated President Donald Trump January 20, 2017 Executive Order on “Minimizing the Economic Burden of the Patient Protection and Affordable Care Act Pending Repeal” (Executive Order).
In addition to affirming President Trump’s commitment to seek the prompt repeal of the ACA, the Executive Order seeks to mitigate the burden of the ACA pending Congressional repeal by ordering the Departments Health and Human Services (HHS), Labor (DOL), Treasury (Treasury) and other agencies with ACA authority (Agencies) to exercise all available authority and discretion to the “maximum extent permitted by law”:
To waive, defer, grant exemptions from, or delay the implementation of any provision or requirement of the ACA that would impose a “cost, fee, tax, penalty, or regulatory burden on individuals, families, healthcare providers, health insurers, patients, recipients of healthcare services, purchasers of health insurance, or makers of medical devices, products, or medications.”
To provide greater flexibility to States and cooperate with them in implementing healthcare programs and to waive, defer, grant exemptions from, or delay the implementation of any provision or requirement of the Act that would impose a fiscal burden on any State;
For departments and agencies with responsibilities relating to healthcare or health insurance to encourage the development of a free and open market in interstate commerce for the offering of healthcare services and health insurance, with the goal of achieving and preserving maximum options for patients and consumers.
While employer and other health plan sponsors and others struggling to cope with the costs and mandates of ACA unquestionably welcome the promise of relief offered by the Executive Order, it is critical that those looking forward to enjoying this promised relief not jump the gun or overestimate the scope of the relief. Because the Executive Order is not self-executing, the Executive Order provides no legally enforceable relief from applicable ACA compliance obligations unless and until the applicable Agency or Congress adopts that relief consistent with law. While applicable Agencies are expected to act as quickly as possible to comply with President Trump’s orders, various statutory and procedural requirements almost certainly will limit both the relief granted and the speed with which the Agencies can grant the relief.
First, because the Executive Order is not self-executing, it doesn’t actually provide any relief for anyone; rather it just creates the expectation that the Agencies will grant some relief in the future. Those anticipating relief should expect that even regulatory relief will take time since the Agencies by law as well as the terms of the Executive Order will be required to comply with the often time consuming and cumbersome requirements of the Administrative Procedure Act and other applicable statutes in considering and issuing regulatory revisions and relief, including any applicable requirements for submission and approval by the Office of Management and Budget. The often added need for interagency collaboration and negotiation created by the ACA’s grant of multijurisdictional authority over many of its provisions historically has made negotiating these requirements more complicated and time consuming.
Second, relief will not be available for certain exposures because statutory limits on the jurisdiction and authority of the Agencies under the ACA will limit the scope of the relief that an Agency can grant. The Agencies generally do not have the authority to waive certain provisions of the ACA which are not within the discretion of the Agencies, such as the right of participants and beneficiaries in employer or union-sponsored health plan to sue to enforce ACA health plan mandates through a benefits or breach of fiduciary action brought under the Employee Retirement Income Security Act. Likewise, Agencies also will be restricted in their ability to waive penalties or requirements where the statutory mandate is drafted in a manner that denies the Agency discretionary authority to offer that relief.
Third, health plans, their sponsors, insurers, fiduciaries and administrators should anticipate that they may need to take certain action in response to any issued relief before they can take advantage of the relief allowed such as adopting health plan amendments, issuing notices to participants or beneficiaries, making elections or a combination of these actions.
In the case of insured health plans, sponsors, insurers and administrators also will need to consider whether their ability to take advantage of the federal relieve available is blocked or restricted by state insurance statutes, regulations or other administrative requirements. The likelihood of state statutory or regulatory restrictions on insured arrangements is particularly likely because of the heavy regulation of these products by states including the widespread incorporation of ACA mandates into state insurance laws and regulations in response to the Market Reform provisions of the ACA.
Even if these federal requirements are met to qualify for, adopt and implement any federally issued regulatory relief, employer and other plan sponsors, insurers, fiduciaries and administrators also should plan for and be prepared to run the necessary traps to properly amend their plan document, summary plan description and other plan notifications, administrative services agreements, stop loss or other insurance contracts and other vendor agreements to implement their desired changes. Beyond knowing what has to be done to adopt and communicate the desired changes, employer and other sponsors and fiduciaries, their consultants, brokers and advisors need to consider the requirements and consequences that the planned changes might have under applicable plan documents and vendor agreements to avoid unanticipated costs or liabilities as well as what actions are needed to ensure that ERISA’s prudence and other fiduciary requirements are met.
Until these and other required actions are completed by the Agencies and the applicable plan sponsors, fiduciaries and other parties, employers and other plan sponsors, their management, their health plans, health plan fiduciaries, administrators and insurers remain legally obligated to continue to comply with the ACA as presently implemented under the existing regulations and judicial and administrative rulings. While preparing for future changes, health plans, their sponsors, fiduciaries, administrators and insurers also should act to manage their prior and existing liabilities arising out of acts or omissions occurring before Congress or the regulators revise and ease the rules.
While health plans, their sponsors, fiduciaries, administrators and insurers remain legally responsible to comply with existing rules until changed by the regulators or Congress, they still have much to do to get ready for the changes that are coming while acting to manage their health plan costs and liabilities in the meantime. Whether or not the Trump Administration in the future provides relief from Form 8928 self-reporting and excise tax self- assessment penalties for violation of 40 federal group health plans, group health plans and their fiduciaries almost certainly will remain exposed to ERISA lawsuits for violation of ACA or other federal group health plan mandates. In addition, until revoked or revised, employers and health plans remain subject to and risk liability for failing to provide ACA-required tax forms, notices, benefits, coverage, rights or other compliance.
Responsible parties should begin preparing to take advantage of the anticipated legislative and regulatory relief both by both carefully monitoring statutory and regulatory health plan developments and positioning themselves to act quickly when relief comes by evaluating their existing heath plan documents, contracts, communications and systems to verify existing compliance and determine requirements for implementing any planned changes, opening up discussion vendors about these possibilities and taking other steps to position themselves to act knowledgeably and efficiently to take advantage of new opportunities if and when they emerge and are warranted.
About The Author
Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: Erisa & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney and management consultant, author, public policy advocate and lecturer widely known for work, teachings and publications.
Ms. Stamer works with health industry and other businesses and their management, employee benefit plans, governments and other organizations deal with all aspects of human resources and workforce, internal controls and regulatory compliance, change management and other performance and operations management and compliance. She supports her clients both on a real-time, “on demand” basis and with longer term basis to deal with daily performance management and operations, emerging crises, strategic planning, process improvement and change management, investigations, defending litigation, audits, investigations or other enforcement challenges, government affairs and public policy.
A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her thought leadership, experience and advocacy on these and other concerns by her service in the leadership of a broad range of other professional and civic organization including her involvement as the Vice Chair of the North Texas Healthcare Compliance Association; Executive Director of the Coalition on Responsible Health Policy and its PROJECT COPE: Coalition on Patient Empowerment; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children; former Gulf Coast TEGE Council Exempt Organization Coordinator; a founding Board Member and past President of the Alliance for Healthcare Excellence; former board member and Vice President of the Managed Care Association; past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; a member and advisor to the National Physicians’ Council for Healthcare Policy; current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee; current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section; Past Chair of the ABA Health Law Section Managed Care & Insurance Section; a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group; immediate past RPTE Representative to ABA Joint Committee on Employee Benefits Council Representative and current RPTE Representative to the ABA Health Law Coordinating Council; past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee; a former member of the Board of Directors, Treasurer, Member and Continuing Education Chair of the Southwest Benefits Association and others.
Ms. Stamer also is a highly popular lecturer, symposia chair and author, who publishes and speaks extensively on health and managed care industry, human resources, employment, employee benefits, compensation, and other regulatory and operational risk management. Examples of her many highly regarded publications on these matters include the “Texas Payday Law” Chapter of Texas Employment Law, as well as thousands of other publications, programs and workshops these and other concerns for the American Bar Association, ALI-ABA, American Health Lawyers, Society of Human Resources Professionals, the Southwest Benefits Association, the Society of Employee Benefits Administrators, the American Law Institute, Lexis-Nexis, Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, the HCCA, ISSA, HIMSS, Modern Healthcare, Managed Healthcare, Institute of Internal Auditors, Society of CPAs, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other symposia and publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, InsuranceThoughtLeadership.com and many other prominent publications and speaks and conducts training for a broad range of professional organizations and for clients on the Advisory Boards of InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications. For additional information about Ms. Stamer, see CynthiaStamer.com or contact Ms. Stamer via email here or via telephone to (469) 767-8872.
About Solutions Law Press, Inc.™
Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources at SolutionsLawPress.com such as:
If you or someone else you know would like to receive future updates about developments on these and other concerns, please provide your current contact information and preferences including your preferred e-mail by creating or updating your profile here.
NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The presenter and the program sponsor disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.
Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein
Employers, insurers and other health plan sponsors or issuers (health plans), health care providers, healthcare clearinghouses (covered entities) and their business associates should reevaluate the adequacy of their practices and procedures for the protection of electronic protected health information (ePHI) on or accessible through laptops or other mobile devices in light of the $2.75 million penalty and other schooling the Department of Health and Human Services Office for Civil Rights (OCR) just gave the University of Mississippi (UM) Medical Center (UMMC) documented in a July 7, 2016 Resolution Agreement and Corrective Action Plan (Resolution Agreement) resolving OCR charges of multiple violations of the privacy, security and breach notification requirements of the Health Insurance Portability and Accountability Act (HIPAA) OCR says it uncovered while investigating UMMC’s breach notification report to OCR of the loss a laptop containing 328 files containing the ePHI of an estimated 10,000 patients.
UMMC Report of Missing Laptop Leads To Multiple Charges & Resolution Agreement
Mississippi’s sole public academic health science center, UMMC provides patient care in four specialized hospitals on the Jackson campus and at clinics throughout Jackson and the State as well as conducts medical education and research functions. Its designated health care component, UMMC, includes University Hospital, the site of the breach in this case, located on the main UMMC campus in Jackson.
The settlement agreed to by UMMC stems from charges resulting from an OCR investigation of UMMC triggered by a breach of unsecured electronic protected health information (“ePHI”) affecting approximately 10,000 individuals.
Like many prior resolution agreements previously announced by OCR, UMMC’s HIPAA woes came to light after a laptop went missing. OCR learned of the breach and opened its investigation in response to a March 21, 2013 notification UMMC filed with OCR. UMMC made the breach notification to comply with HIPAA’s Breach Notification Rule requirement that health care providers, health plans and healthcare clearinghouses (Covered Entities) timely notify affected individuals, OCR and others of breaches of unsecured ePHI.
UMMC’s breach notification disclosed that UMMC’s privacy officer had discovered a password-protected laptop containing ePHI of thousands of UMMC patients missing from UMMC’s Medical Intensive Care Unit (MICU). UMMC additionally reported that based on its investigation, UMMC believed that the missing laptop likely was stolen by a visitor to the MICU who had inquired about borrowing one of the laptops.
After discovering the loss, UMMC disclosed the breach to local media and on its website and notified OCR of the breach but apparently did not individually notify the subjects of the missing ePHI.
In keeping with its announced policy of investigating all breach reports impacting 500 or more individuals, OCR opened an investigation into UMMC’s breach report. Based on this investigation, OCR concluded that while the laptop apparently was password protected, UMMC had breached the Security Rules because ePHI stored on a UMMC network drive was vulnerable to unauthorized access via UMMC’s wireless network because users could use a generic username and password to access an active directory containing 67,000 files including 328 files containing the ePHI of an estimated 10,000 patients.
While OCR’s investigation confirmed that UMMC had implemented policies and procedures pursuant to the HIPAA Rules, OCR’s additionally found that the theft of the laptop that prompted UMMC’s breach report resulted from broad deficiencies in UMMC’s implementation and administration of these policies and its practices.
Based on these findings, OCR charged UMMC with the following HIPAA violations:
From the compliance date of the Security Rule, April 20, 2005, through the settlement date, UMMC violated 45 C.F.R. §164.308(a)(1)(i) by failing to implement policies and procedures to prevent, detect, contain, and correct security violations, including conducting an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of the ePHI it holds, and implementing security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level;
From January 19, 2013, until March 1, 2014, UMMC violated 45 C.F.R. §164.310(c) by failing to implement physical safeguards for all workstations that access ePHI to restrict access to authorized users;
From the compliance date of the Security Rule, April 20, 2005, to March 14, 2013, UM violated 45 C.F.R. § 164.312 (a)(2)(i) by failing to assign a unique user name and/or number for identifying and tracking user identity in information systems containing ePHI including, for example, allowing workforce members to access ePHI on a shared department network drive through a generic account, preventing UMMC from tracking which specific users were accessing ePHI; and
While UMMC provided notification on UMMC’s website and in local media outlets following the discovery of the reported breach of unsecured ePHI,, UMMC violated the Breach Notification Rule by failing to notify each individual whose unsecured ePHI was reasonably believed to have been accessed, acquired, used, or disclosed as a result of the breach.
Finally, OCR determined that UMMC was aware of risks and vulnerabilities to its systems as far back as April 2005, yet took no significant risk management activity until after the breach, due largely to organizational deficiencies and insufficient institutional oversight.
To resolve these charges, UMMC agrees in the Resolution Agreement to pay OCR $2.75 million and implement a comprehensive compliance plan which among other things, requires UMMC to conduct a sweeping review and correct its HIPAA privacy, security and breach notification policies and their implementation and administration to comply with HIPAA as well as implement and administer detailed management and OCR oversight and reporting processes over the implementation and administration of these procedures.
Lessons For Other Covered Entities From UMMC Resolution Agreement
The UMMC charges and Resolution Agreement contains several key lessons for other covered entities and their business associates, which OCR’s July 21, 2016 announcement warns other covered entities and business associates to heed..
Certainly, the $2.75 million settlement amount reaffirms that covered entities and their business associates risk substantial liability for failing to properly assess and protect the security of ePHI in accordance with HIPAA’s Privacy and Security Rule.
Furthermore, the charges and Resolution Agreement also adds a new twist to OCR’s now well established to stiffly sanction covered entities and their business associates that fail appropriately assess and address risks to the security of their ePHI on or accessible from laptops or other mobile devices. Through previous resolution agreements and guidance, OCR has made clear that it interprets the HIPAA Security Rule as generally requiring that covered entities and business associates encrypt all laptops or other mobile devices containing ePHI. The UMMC charges and Resolution Agreement makes clear that the responsibility to protect ePHI on or accessible through laptops or other mobile devices does not end with encryption. Rather, the Resolution Agreement makes clear that covered entities and their business associates also must take appropriate, well-documented steps to monitor, assess, identify, and timely and effectively address other potential risks to the security of the ePHI.
The Resolution Agreement makes clear that these additional responsibilities include, but are not necessarily limited to ensuring that proper safeguards are implemented and enforced to secure access not only to the ePHI contained on the laptop as well as other data bases and systems containing ePHI accessible through the laptop. In this respect, the Resolution Agreement particularly highlights the need for covered entities and their business associates to assess risks and take appropriate steps:
To safeguard the physical security of laptops and other mobile devices;
To prevent the use of generic or other unsecure passwords to access ePHI on or accessible through the laptop or other mobile device;
To establish and administer appropriate, well-documented processes for assessing and addressing the adequacy of safeguards for and potential threats to the security of ePHI both initially and on an ongoing basis in a manner that meaningfully assesses the actual risks and effectiveness of safeguards against these risks, including those resulting from nonadherence to required safeguards and practices such as the sharing of passwords, changing systems or circumstances, and other developments that potentially threaten the adequacy of ePHI security.
Furthermore, OCR’s July 21, 2016 press release concerning the Resolution Agreement also sends a clear message to all covered entities and business associates that OCR views HIPAA as requiring organizations not only to adopt written policies and procedures that comply on paper or in theory with HIPAA, but also to take steps to monitor and maintain the effectiveness of their safeguard by continuously assessing and monitoring their HIPAA risks and acting as necessary to ensure that required safeguards of protected health information and ePHI and other HIPAA requirements are effectively implemented and administered in operation as well as form.
In OCR’s Press Release announcing the Resolution Agreement, OCR Director Jocelyn Samuels. Stated, “We at OCR remain particularly concerned with unaddressed risks that may lead to impermissible access to ePHI.” She also warned “In addition to identifying risks and vulnerabilities to their ePHI, entities must also implement reasonable and appropriate safeguards to address them within an appropriate time frame.”
Additionally, the Resolution Agreement also illustrates need for covered entities and business associates to timely provide all individual and other notifications and otherwise fully comply with all requirements of the Breach Notification Rules.
Since the risk of a breach is ever-present even for Covered Entities and business associates exercising the highest degree of care to safeguard PHI and maintain compliance with HIPAA, Covered Entities and business associates are wise to take steps to position themselves to be able to demonstrate the adequacy of both their written policies and procedures and the effectiveness of their implementation and enforcement including ongoing documented practices for assessing, monitoring and addressing security risks and other compliance concerns as well as prepare to comply with the breach notification requirements in the event they experience their own breach of unsecured ePHI.
About The Author
A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, current American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, former scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting and JCEB Council Representative, former Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, the former Board President and Treasurer of the Richardson Development Center for Children Early Childhood Intervention Agency, and past Board Compliance Chair of the National Kidney Foundation of North Texas, and Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization, the author of this update, attorney Cynthia Marcotte Stamer, is AV-Preeminent (the highest) rated attorney repeatedly recognized for her nearly 30 years of experience and knowledge representing and advising healthcare, health plan and other health industry and others on these and other regulatory, workforce, risk management, technology, public policy and operations matters as a Martindale-Hubble as a “LEGAL LEADER™” and “Texas Top Rated Lawyer” in Health Care Law, Labor and Employment Law, and Business & Commercial Law and among the “Best Lawyers In Dallas” by D Magazine.
Ms. Stamer’s health industry experience includes advising hospitals, nursing home, home health, rehabilitation and other health care providers and health industry clients to establish and administer compliance and risk management policies; prevent, conduct and investigate, and respond to peer review and other quality concerns; and to respond to Board of Medicine, Department of Aging & Disability, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns.
Ms. Stamer also is known for her experience in HIPAA and other privacy and data security and breach concerns. The scribe for ABA JCEB annual agency meeting with OCR for many years, Ms. Stamer has worked extensively with health care providers, health plans, health care clearinghouses, their business associates, employers and other plan sponsors, banks and other financial institutions, and others on risk management and compliance with HIPAA, FACTA, trade secret and other information privacy and data security rules, including the establishment, documentation, implementation, audit and enforcement of policies, procedures, systems and safeguards, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and enforcement, and a host of other related concerns. Her clients include public and private health care providers, health insurers, health plans, technology and other vendors, and others. In addition to representing and advising these organizations, she also has conducted training on Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.
A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her insights on these and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications.
You can get more information about her health industry experience here or contact Ms. Stamer via telephone at (469) 767-8872 or via e-mail here.
About Solutions Law Press Inc.™
Solutions Law Press, Inc.™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns.
If you found these updates of interest, you may be interested in other recent Solutions Law Press, Inc. updates like the following:
Go hereto register to receive other Solutions Law Press, Inc. updates and announcements about other upcoming briefings, training or other programs, products, services, and activities or to learn more about Solutions Law Press, Inc., its publications, programs and training, PROJECT COPE: Coalition on Patient Empowerment community service and education projects, event management and other resources and services.
For important information concerning this communication see here. THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS. ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.
Health Plans, Sponsors & Business Associates Should Verify Plan’s HIPAA Compliance
Employers and other health plan sponsors and the health plan fiduciaries and business associates providing services involving dealings on behalf of the plan with protected health information just received another reminder to confirm and be prepared to prove all required business associate agreements are in place and that the health plans otherwise properly are administering all policies, practices, safeguards and procedures for handling, using and disclosing electronic and other protected health information from the April 20, 2016 Department of Health & Human Services Office of Civil Rights (OCR) announcement of its latest resolution agreement settling Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rule charges OCR made against a HIPAA-covered entity for violating HIPAA’s business associate agreement rules.
OCR Charges Brought For Business Associate Agreement Violations
HIPAA’s Privacy Rules generally apply to “covered entities,” which under HIPAA are health plans and insurers, health care providers, health care clearinghouses (Covered Entities) and “business associates,” which are individuals or entities that perform services that aid the Covered Entity to perform its duties as a Covered Entity.
The Resolution Agreement and Corrective Action Plan (Resolution Agreement) with Raleigh Orthopaedic Clinic, P.A. of North Carolina (Raleigh Orthopaedic) announced by OCR on April 20th requires Raleigh Orthopaedic to pay $750,000 to settle charges OCR it violated the Privacy Rule by handing over protected health information of approximately 17,300 patients to a potential business partner without first executing a business associate agreement.
Raleigh Orthopaedic is a provider group practice that operates clinics and a surgery center in the Raleigh, North Carolina area. OCR initiated its investigation of Raleigh Orthopaedic after receiving a breach report on April 30, 2013. OCR’s investigation indicated that Raleigh Orthopaedic violated the Privacy Rules by releasing the x-ray films and related protected health information of 17,300 patients to an entity that promised to transfer the images to electronic media in exchange for harvesting the silver from the x-ray films. Raleigh Orthopaedic failed to execute a business associate agreement with this entity before turning over the x-rays and PHI.
OCR says this sharing of the x-ray files and other protected health information by Raleigh Orthopaedic violated the Privacy Rules.
Specifically, the Privacy Rules prohibit Covered Entities and their business associates from using, accessing and disclosing protected health information except as specifically permitted in the Privacy Rules. As part of these rules, the “Business Associate” requirements of the Privacy Rule prohibit Covered Entities from disclosing or allowing business associates to use, and business associates from receiving or using protected health information unless the parties first enter into a written business associate agreement that complies with the requirements of the Privacy Rules.
The Resolution Agreement settles OCR charges that Raleigh Orthopaedic violated this Business Associate Agreement requirement by sharing the x-rays and other protected health information with the service provider without first entering a business associate agreement. Under the Settlement Agreement, Raleigh Orthopaedic must pay a $750,000 payment, as well as revise its policies and procedures to: establish a process for assessing whether entities are business associates; designate a responsible individual to ensure business associate agreements are in place prior to disclosing PHI to a business associate; create a standard template business associate agreement; establish a standard process for maintaining documentation of a business associate agreements for at least six (6) years beyond the date of termination of a business associate relationship; and limit disclosures of PHI to any business associate to the minimum necessary to accomplish the purpose for which the Covered Entity hires the business associate.
Although the Resolution Agreement only addresses charges OCR brought against the Covered Entity, Raleigh Orthopaedic, business associates need to keep in mind that both Covered Entities and business associates now are responsible for ensuring compliance with the business associate agreement requirements of the Privacy Rules since the Stimulus Bill amended HIPAA to make most provisions of the Privacy Rule directly applicable to business associates as well as Covered Entities.
Take Aways For Covered Entities & Their Business Associates
OCR’s announcement of the Resolution Agreement includes a strong message for other Covered Entities and business associates of the importance of taking seriously their responsibility under the Privacy Rule to ensure that the business associate agreement requirements of the Privacy Rule are met before business associates are allowed to receive, access or use protected health information. The announcement quotes Jocelyn Samuels, Director of the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) as stating. “It is critical for entities to know to whom they are handing PHI and to obtain assurances that the information will be protected.” and “HIPAA’s obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise.”
In light of the Business Associate Rule and Director Samuels’ comments, Covered Entities and business associates alike should review the adequacy of their documentation, policies and practices regarding dealings with service providers who are or could collect, receive or use electronic or other protected health information to propose or perform services in the capacity as a business associate. Certainly both Covered Entities and business associates to ensure that they possess and are able to produce if needed signed business associate agreements for each current business associate agreement as well as that appropriate policies, practices and procedures are in place to ensure that all required business associate agreements are implemented before any disclosure or use of protected health information to the business associate in the future. As part of these activities, both Covered Entities and business associates also should ensure their policies and practices appropriately provide for the retention of signed copies of all business associate agreements and other records, and the implementation of all other processes and procedures required to position the entity to be able to demonstrate it not only had policies requiring compliance, but appropriately implemented and administered those policies in accordance with the Privacy Rule.
When conducting this review, Covered Entities and business associates also generally should consider the advisability of also reviewing their business associate agreements and the adequacy of these arrangements in light of any other contractual confidentiality and or contractual rights and commitments, regulatory requirements and other operational and risk management concerns that impact or interrelate with the relationship between the business associate and the Covered Entity. It is important to ensure that appropriate steps are taken to evaluate and properly integrate the confidentiality and other commitments that the Privacy Rules mandate a business associate agreement include with audit, performance assessment, and other data access or disclosure, trade secrets, confidentiality, performance standards and guarantees, indemnity and other contractual obligations of other agreements that could impact or be impacted by the business associate agreements. Steps also should be taken to incorporate appropriate processes and procedures for ensuring that the Covered Entity and members of its workforce understand and consistently administer and document their use of appropriate processes to ensure that the business associate agreement and other requirements of the Privacy Rules are fulfilled. In the case of employer sponsored plans subject to the Employee Retirement Income Security Act of 1974, for instance, the selection and proper oversight of business associates and the management of plan data both are subject to the fiduciary responsibility rules of ERISA. Meanwhile, insurers, business associates and other plan vendors also generally should anticipate that beyond HIPAA, they also may be subject to data security, privacy and other mandates and exposures under state HIPAA-like rules for protected health information, as well as other obligations under insurance, data security, identity theft, breach, privacy and other state laws.
The process of evaluating the adequacy of current arrangement and considering the advisability of changes to tighten existing practices in many cases will result in the discovery and discussion of potentially sensitive information about the adequacy of current or past compliance with the Privacy Rules or other matters. For example, it is possible that in the course of review, parties may be unable to locate a signed business associate agreement governing a relationship that the Privacy Rules require be subject to a business associate agreement or in the course of review, information indicating breaches of protected health information or other Privacy Rule violations may have occurred. For this reason, most Covered Entities and their business associates will want to consider arranging for this review and analysis to be conducted within the scope of attorney-client privilege by or under the direction of qualified legal counsel with HIPAA experience that has entered into a business associate agreement with the Covered Entity or business associate.
About The Author
A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Cynthia Marcotte Stamer is a noted Texas-based management lawyer and consultant, author, lecturer and policy advocate, recognized as among the “Top Rated Labor & Employment Lawyers in Texas” by LexisNexis® Martindale-Hubbell® and as among the “Best Lawyers In Dallas” for her work in the field of “Tax: Erisa & Employee Benefits” and “Health Care” by D Magazine who works, writes and speaks extensively about HIPAA and other data privacy and security concerns.
Ms. Stamer’s legal and management consulting work throughout her career has focused on helping organizations and their management use the law and process to manage people, process, compliance, operations and risk. Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer helps public and private, domestic and international businesses, governments, and other organizations and their leaders manage their employees, vendors and suppliers, and other workforce members, customers and other’ performance, compliance, compensation and benefits, operations, risks and liabilities, as well as to prevent, stabilize and cleanup workforce and other legal and operational crises large and small that arise in the course of operations.
Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization, Ms. Stamer helps management manage. Ms. Stamer works with businesses and their management, employee benefit plans, governments and other organizations deal with all aspects of human resources and workforce management operations and compliance. She supports her clients both on a real time, “on demand” basis and with longer term basis to deal with daily performance management and operations, emerging crises, strategic planning, process improvement and change management, investigations, defending litigation, audits, investigations or other enforcement challenges, government affairs and public policy. Well-known for her extensive work with health care, insurance and other highly regulated entities on corporate compliance, internal controls and risk management, her clients range from highly regulated entities like employers, contractors and their employee benefit plans, their sponsors, management, administrators, insurers, fiduciaries and advisors, technology and data service providers, health care, managed care and insurance, financial services, government contractors and government entities, as well as retail, manufacturing, construction, consulting and a host of other domestic and international businesses of all types and sizes. Common engagements include internal and external workforce hiring, management, training, performance management, compliance and administration, discipline and termination, and other aspects of workforce management including employment and outsourced services contracting and enforcement, sentencing guidelines and other compliance plan, policy and program development, administration, and defense, performance management, wage and hour and other compensation and benefits, reengineering and other change management, internal controls, compliance and risk management, communications and training, worker classification, tax and payroll, investigations, crisis preparedness and response, government relations, safety, government contracting and audits, litigation and other enforcement, and other concerns.
A Fellow in the American College of Employee Benefit Counsel, Ms. Stamer uses her deep and highly specialized knowledge and experience to help employers and other employee benefit plan sponsors; health, pension and other employee benefit plans, their fiduciaries, administrators and service providers, insurers, and others design legally compliant, effective compensation, health and other welfare benefit and insurance, severance, pension and deferred compensation, private exchanges, cafeteria plan and other employee benefit, fringe benefit, salary and hourly compensation, bonus and other incentive compensation and related programs, products and arrangements. She is particularly recognized for her leading edge work, thought leadership and knowledgeable advice and representation on the design, documentation, administration, regulation and defense of a diverse range of self-insured and insured health and welfare benefit plans including private exchange and other health benefit choices, health care reimbursement and other “defined contribution” limited benefit, 24-hour and other occupational and non-occupational injury and accident, ex-patriate and medical tourism, onsite medical, wellness and other medical plans and insurance benefit programs as well as a diverse range of other qualified and nonqualified retirement and deferred compensation, severance and other employee benefits and compensation, insurance and savings plans, programs, products, services and activities. As a key element of this work, Ms. Stamer works closely with employer and other plan sponsors, insurance and financial services companies, plan fiduciaries, administrators, and vendors and others to design, administer and defend effective legally defensible employee benefits and compensation practices, programs, products and technology. She also continuously helps employers, insurers, administrative and other service providers, their officers, directors and others to manage fiduciary and other risks of sponsorship or involvement with these and other benefit and compensation arrangements and to defend and mitigate liability and other risks from benefit and liability claims including fiduciary, benefit and other claims, audits, and litigation brought by the Labor Department, IRS, HHS, participants and beneficiaries, service providers, and others. She also assists debtors, creditors, bankruptcy trustees and others assess, manage and resolve labor and employment, employee benefits and insurance, payroll and other compensation related concerns arising from reductions in force or other terminations, mergers, acquisitions, bankruptcies and other business transactions including extensive experience with multiple, high-profile large scale bankruptcies resulting in ERISA, tax, corporate and securities and other litigation or enforcement actions.
Throughout her career, Ms. Stamer has advised these and other clients about health care, health plan, financial information, trade secret, privacy and other related compliance, data breach response and remediation and related compliance, risk management and related concerns. In the course of this work, Ms. Stamer has accumulated an impressive resume of experience advising and representing clients on HIPAA and other privacy and data security concerns. The scribe for the American Bar Association (ABA) Joint Committee on Employee Benefits annual agency meeting with the Department of Health & Human Services Office of Civil Rights for several years, Ms. Stamer has worked extensively with health plans, health care providers, health care clearinghouses, their business associates, employer and other sponsors, banks and other financial institutions, and others on risk management and compliance with HIPAA and other information privacy and data security rules, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and enforcement, and a host of other related concerns. Her clients include public and private health plans, health insurers, health care providers, banking, technology and other vendors, and others.
Beyond advising these and other clients on privacy and data security compliance, risk management, investigations and data breach response and remediation and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. She also is the author of numerous highly acclaimed publications, workshops and tools for HIPAA or other compliance including training programs on Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.
Ms. Stamer also is deeply involved in helping to influence the Affordable Care Act and other health care, pension, social security, workforce, insurance and other policies critical to the workforce, benefits, and compensation practices and other key aspects of a broad range of businesses and their operations. She both helps her clients respond to and resolve emerging regulations and laws, government investigations and enforcement actions and helps them shape the rules through dealings with Congress and other legislatures, regulators and government officials domestically and internationally. A former lead consultant to the Government of Bolivia on its Social Security reform law and most recognized for her leadership on U.S. health and pension, wage and hour, tax, education and immigration policy reform, Ms. Stamer works with U.S. and foreign businesses, governments, trade associations, and others on workforce, social security and severance, health care, immigration, privacy and data security, tax, ethics and other laws and regulations. Founder and Executive Director of the Coalition for Responsible Healthcare Policy and its PROJECT COPE: the Coalition on Patient Empowerment and a Fellow in the American Bar Foundation and State Bar of Texas, Ms. Stamer annually leads the Joint Committee on Employee Benefits (JCEB) HHS Office of Civil Rights agency meeting and other JCEB agency meetings. She also works as a policy advisor and advocate to many business, professional and civic organizations.
Author of the thousands of publications and workshops these and other employment, employee benefits, health care, insurance, workforce and other management matters, Ms. Stamer also is a highly sought out speaker and industry thought leader known for empowering audiences and readers. Ms. Stamer’s insights on employee benefits, insurance, health care and workforce matters in Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, Modern Healthcare, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, InsuranceThoughtLeadership.com and many other prominent publications. Ms. Stamer also regularly serves on the faculty and planning committees for symposia of LexisNexis, the American Bar Association, ALIABA, the Society of Employee Benefits Administrators, the American Law Institute, ISSA, HIMMs, and many other prominent educational and training organizations and conducts training and speaks on these and other management, compliance and public policy concerns. She will share updates on HIPAA and other health care and data security concerns when returns to speak and chair at the 4th Annual Healthcare Privacy and Security Forum scheduled on May 20, 2016 in Los Angeles.
Beyond these involvements, Ms. Stamer also is active in the leadership of a broad range of other professional and civic organizations. For instance, Ms. Stamer presently serves on an American Bar Association (ABA) Joint Committee on Employee Benefits Council representative; Vice President of the North Texas Healthcare Compliance Professionals Association; Immediate Past Chair of the ABA RPTE Employee Benefits & Other Compensation Committee, its current Welfare Benefit Plans Committee Co-Chair, on its Substantive Groups & Committee and its incoming Defined Contribution Plan Committee Chair and Practice Management Vice Chair; Past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and a current member of its Healthcare Coordinating Council; current Vice Chair of the ABA TIPS Employee Benefit Committee; the former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division; on the Advisory Boards of InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications. She also previously served as a founding Board Member and President of the Alliance for Healthcare Excellence, as a Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; the Board President of the early childhood development intervention agency, The Richardson Development Center for Children; Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee; a member of the Board of Directors of the Southwest Benefits Association. For additional information about Ms. Stamer, see here or contact Ms. Stamer directly by email here or by telephone at (469) 767-8872.
About Solutions Law Press, Inc.™
Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested reviewing other Solutions Law Press, Inc.™ resources at www.solutionslawpress.com such as:
If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or updating your profile at here.
Group health plans and group and individual health insurers (Health Plans) must add updating their 2017 Summary of Benefits and Coverage (SBC) forms to their 2017 to do list in response to the publication by the Departments of Health and Human Services (HHS), Labor (DOL) and Treasury (collectively “Agencies) of enhanced content requirements for the 2017 Summary of Benefits and Coverage (SBC) template and Uniform Glossary that the Patient Protection & Affordable Care Act (ACA) requires Health Plans to provide to Health Plan members. Health Plans must begin using SBCs updated to comply with the 2017 SBC template released by the Agencies on April 6, 2016 beginning on the first day of the first open enrollment period that begins on or after April 1, 2017.
The ACA requires Health Plans to provide covered persons a brief (4 page) summary of what the plan covers and the plan’s cost sharing along with a comprehensive uniform glossary of commonly used health coverage and medical terms with the detailed content and format dictated by the Agencies SBC regulations. Intended to help covered persons understand and compare coverage options by providing standardized information in a standardized format about each plan, the SBC and Glossary must include all required content in the type and format dictated by the SBC regulations. In addition to ensuring that their SBC and Glossary meet these requirements, Health Plans also may need to prepare and offer translations of the SBC and Glossary to comply with the ACA’s “culturally and linguistically appropriate” requirements.
The current and 2017 SBC Template along with instructions for its preparation and completion, model translation documents for certain forms, and other information about the SBC requirements are available here.
Currently, the dictated SBC format includes coverage examples that demonstrate the cost sharing amounts an individual might be responsible for in three common medical situations. In addition to the current coverage examples that address diabetes care and childbirth, the updated template for 2017 also will require a new coverage example that addresses coverage for a foot fracture so that a consumer understands what a plan covers in an emergency scenario.
Beyond dictating the emergency example, the 2017 templates also expand the information about cost sharing that SBCs much contain to include enhanced language to explain deductibles and a requirement that plans address individual and overall out-of-pocket limits in the SBC.
While the Agencies regulations dictate the required content, health insurers and employers or others serving as health plan administrators or sponsors need to use care to ensure that SBCs are prepared appropriately and provided when and how required. Failure to timely deliver the SBC not only can trigger penalties under ERISA against the plan administrator and/or against the insurer under the ACA market reform rules, noncompliance with the SBC requirements also is among the listed ACA compliance defects that can expose the sponsoring employer to excise tax penalties under the Internal Revenue Code.
In order to fulfill this and other important ACA and other federal health plan notice and reporting mandates, employer and other plan sponsors, administrators and fiduciaries generally must finalize their health plan design well in advance of the date the new health plan design is intended to take effect. The Agencies SBC regulations generally require that the SBC be provided before the first day of the enrollment period and that updated SBCs be provided whenever any material change in benefits or coverage is enacted after the delivery of the original SPB. The requirement to prepare and deliver the SBC is in addition to the current federal mandate that plan administrators provide written notice of material changes to a health plan at least 60 days before the effective date of the material change and a host of other health plan notice requirements imposed by federal law. Employers, insurers, third party administrators and health plan fiduciaries need to understand and make appropriate arrangements to ensure that these SBC and other notice and reporting requirements are timely and appropriately completed.
About The Author
A practicing attorney and Managing Shareholder of Cynthia Marcotte Stamer, P.C., Ms. Stamer’s more than 28 years’ of leading edge work as an practicing attorney, author, lecturer and industry and policy thought leader have resulted in her recognition as a “Top” attorney in employee benefits, labor and employment and health care law.
A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Cynthia Marcotte Stamer is a noted Texas-based management lawyer and consultant, author, lecturer and policy advocate, recognized as among the “Top Rated Labor & Employment Lawyers in Texas” by LexisNexis® Martindale-Hubbell® and as among the “Best Lawyers In Dallas” for her work in the field of “Tax: Erisa & Employee Benefits” and “Health Care” by D Magazine.
Ms. Stamer’s legal and management consulting work throughout her career has focused on helping organizations and their management use the law and process to manage people, process, compliance, operations and risk. Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer helps public and private, domestic and international businesses, governments, and other organizations and their leaders manage their employees, vendors and suppliers, and other workforce members, customers and other’ performance, compliance, compensation and benefits, operations, risks and liabilities, as well as to prevent, stabilize and cleanup workforce and other legal and operational crises large and small that arise in the course of operations.
Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization, Ms. Stamer helps management manage. Ms. Stamer works with businesses and their management, employee benefit plans, governments and other organizations deal with all aspects of human resources and workforce management operations and compliance. She supports her clients both on a real time, “on demand” basis and with longer term basis to deal with daily performance management and operations, emerging crises, strategic planning, process improvement and change management, investigations, defending litigation, audits, investigations or other enforcement challenges, government affairs and public policy. Well-known for her extensive work with health care, insurance and other highly regulated entities on corporate compliance, internal controls and risk management, her clients range from highly regulated entities like employers, contractors and their employee benefit plans, their sponsors, management, administrators, insurers, fiduciaries and advisors, technology and data service providers, health care, managed care and insurance, financial services, government contractors and government entities, as well as retail, manufacturing, construction, consulting and a host of other domestic and international businesses of all types and sizes. Common engagements include internal and external workforce hiring, management, training, performance management, compliance and administration, discipline and termination, and other aspects of workforce management including employment and outsourced services contracting and enforcement, sentencing guidelines and other compliance plan, policy and program development, administration, and defense, performance management, wage and hour and other compensation and benefits, reengineering and other change management, internal controls, compliance and risk management, communications and training, worker classification, tax and payroll, investigations, crisis preparedness and response, government relations, safety, government contracting and audits, litigation and other enforcement, and other concerns.
A Fellow in the American College of Employee Benefit Counsel, Ms. Stamer uses her deep and highly specialized knowledge and experience to help employers and other employee benefit plan sponsors; health, pension and other employee benefit plans, their fiduciaries, administrators and service providers, insurers, and others design legally compliant, effective compensation, health and other welfare benefit and insurance, severance, pension and deferred compensation, private exchanges, cafeteria plan and other employee benefit, fringe benefit, salary and hourly compensation, bonus and other incentive compensation and related programs, products and arrangements. She is particularly recognized for her leading edge work, thought leadership and knowledgeable advice and representation on the design, documentation, administration, regulation and defense of a diverse range of self-insured and insured health and welfare benefit plans including private exchange and other health benefit choices, health care reimbursement and other “defined contribution” limited benefit, 24-hour and other occupational and non-occupational injury and accident, ex-patriate and medical tourism, onsite medical, wellness and other medical plans and insurance benefit programs as well as a diverse range of other qualified and nonqualified retirement and deferred compensation, severance and other employee benefits and compensation, insurance and savings plans, programs, products, services and activities. As a key element of this work, Ms. Stamer works closely with employer and other plan sponsors, insurance and financial services companies, plan fiduciaries, administrators, and vendors and others to design, administer and defend effective legally defensible employee benefits and compensation practices, programs, products and technology. She also continuously helps employers, insurers, administrative and other service providers, their officers, directors and others to manage fiduciary and other risks of sponsorship or involvement with these and other benefit and compensation arrangements and to defend and mitigate liability and other risks from benefit and liability claims including fiduciary, benefit and other claims, audits, and litigation brought by the Labor Department, IRS, HHS, participants and beneficiaries, service providers, and others. She also assists debtors, creditors, bankruptcy trustees and others assess, manage and resolve labor and employment, employee benefits and insurance, payroll and other compensation related concerns arising from reductions in force or other terminations, mergers, acquisitions, bankruptcies and other business transactions including extensive experience with multiple, high-profile large scale bankruptcies resulting in ERISA, tax, corporate and securities and other litigation or enforcement actions. In the course of this work, Ms. Stamer has accumulated an impressive resume of experience advising and representing clients on HIPAA and other privacy and data security concerns. The scribe for the American Bar Association (ABA) Joint Committee on Employee Benefits annual agency meeting with the Department of Health & Human Services Office of Civil Rights for several years, Ms. Stamer has worked extensively with health plans, health care providers, health care clearinghouses, their business associates, employer and other sponsors, banks and other financial institutions, and others on risk management and compliance with HIPAA and other information privacy and data security rules, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and enforcement, and a host of other related concerns. Her clients include public and private health plans, health insurers, health care providers, banking, technology and other vendors, and others. Beyond advising these and other clients on privacy and data security compliance, risk management, investigations and data breach response and remediation, Ms. Stamer also advises and represents clients on OCR and other HHS, Department of Labor, IRS, FTC, DOD and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. She also is the author of numerous highly acclaimed publications, workshops and tools for HIPAA or other compliance including training programs on Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.
Ms. Stamer also is deeply involved in helping to influence the Affordable Care Act and other health care, pension, social security, workforce, insurance and other policies critical to the workforce, benefits, and compensation practices and other key aspects of a broad range of businesses and their operations. She both helps her clients respond to and resolve emerging regulations and laws, government investigations and enforcement actions and helps them shape the rules through dealings with Congress and other legislatures, regulators and government officials domestically and internationally. A former lead consultant to the Government of Bolivia on its Social Security reform law and most recognized for her leadership on U.S. health and pension, wage and hour, tax, education and immigration policy reform, Ms. Stamer works with U.S. and foreign businesses, governments, trade associations, and others on workforce, social security and severance, health care, immigration, privacy and data security, tax, ethics and other laws and regulations. Founder and Executive Director of the Coalition for Responsible Healthcare Policy and its PROJECT COPE: the Coalition on Patient Empowerment and a Fellow in the American Bar Foundation and State Bar of Texas, Ms. Stamer annually leads the Joint Committee on Employee Benefits (JCEB) HHS Office of Civil Rights agency meeting and other JCEB agency meetings. She also works as a policy advisor and advocate to many business, professional and civic organizations.
Author of the thousands of publications and workshops these and other employment, employee benefits, health care, insurance, workforce and other management matters, Ms. Stamer also is a highly sought out speaker and industry thought leader known for empowering audiences and readers. Ms. Stamer’s insights on employee benefits, insurance, health care and workforce matters in Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, Modern Healthcare, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, InsuranceThoughtLeadership.com and many other prominent publications. Ms. Stamer also regularly serves on the faculty and planning committees for symposia of LexisNexis, the American Bar Association, ALIABA, the Society of Employee Benefits Administrators, the American Law Institute, ISSA, HIMMs, and many other prominent educational and training organizations and conducts training and speaks on these and other management, compliance and public policy concerns.
Beyond these involvements, Ms. Stamer also is active in the leadership of a broad range of other professional and civic organizations. For instance, Ms. Stamer presently serves on an American Bar Association (ABA) Joint Committee on Employee Benefits Council representative; Vice President of the North Texas Healthcare Compliance Professionals Association; Immediate Past Chair of the ABA RPTE Employee Benefits & Other Compensation Committee, its current Welfare Benefit Plans Committee Co-Chair, on its Substantive Groups & Committee and its incoming Defined Contribution Plan Committee Chair and Practice Management Vice Chair; Past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and a current member of its Healthcare Coordinating Council; current Vice Chair of the ABA TIPS Employee Benefit Committee; the former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division; on the Advisory Boards of InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications. She also previously served as a founding Board Member and President of the Alliance for Healthcare Excellence, as a Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; the Board President of the early childhood development intervention agency, The Richardson Development Center for Children; Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee; a member of the Board of Directors of the Southwest Benefits Association. For additional information about Ms. Stamer, see here or contact Ms. Stamer directly by email here or by telephone at (469) 767-8872.
About Solutions Law Press, Inc.™
Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested reviewing other Solutions Law Press, Inc.™ resources at www.solutionslawpress.com such as:
If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or updating your profile at here.
Employer and union sponsored health plans, their sponsors, fiduciaries, and business associates should brace for audits and enforcement of the Privacy, Security, and Breach Notification rules by the Department of Health & Human Service Office of Civil Rights (OCR) follow OCR’s 2016 audit program on the heels of its announcement last week of two large HIPAA settlements last week.
OCR confirmed today it is sending emails notifying health plans, healthcare providers, healthcare clearing houses (Covered Entities) and their business associates identified as part of the kickoff of its next phase of audits of Covered Entities. In light of the HIPAA verification rules and the notorious spread of opportunistic identity theft and other fraud by opportunistic Cybercriminals following these types of announcements, Covered Entities and business associates should carefully verify the requests validity and manage the response to avoid violating HIPAA in responding and position for defensibility against potential penalties.
Even if health plans or other Covered Entities reviewed their practices in the last 12-months, most will want to update this review in response to new OCR guidance and enforcement actions, including new guidance on obligations to provide plan members or other subjects of protected health information with access to or copies of their records and other guidance, as well as the ever-expanding list of enforcement actions by OCR.
To catch up on this latest guidance, Solutions Law Press, Inc. ™ invites you to register to participate in a special WebEx briefing on “HIPAA Update: The Latest On Security, Patient Access & Other HIPAA Developments” on Wednesday, March 30, 2016 beginning at Noon Central Time on Wednesday, March 30, 2016.
2016 Audit Program
In its 2016 Phase 2 HIPAA Audit Program, OCR will review the policies and procedures adopted and employed by Covered Entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules. OCR says it will primarily conduct these audits as desk audits, although some on-site audits will be conducted.
According to today’s announcement, the 2016 audit process begins with verification of an entity’s address and contact information. OCR is sending emails to Covered Entities and business associates requesting that contact information be provided to OCR on time. OCR will then send a pre-audit questionnaire to gather data about the size, type, and operations of potential audit targets. OCR says this data will be used with other information to create potential audit subject pools. Recipients should contact qualified legal counsel immediately for advice and assistance about proper procedures to verify the email is in fact from OCR and for assistance in responding.
If an entity does not respond to OCR’s request to verify its contact information or pre-audit questionnaire, OCR will use publicly available information about the entity to create its audit subject pool. Therefore an entity that does not respond to OCR may still be selected for an audit or subject to a compliance review. Communications from OCR will be sent via email and may be incorrectly classified as spam. If your entity’s spam filtering and virus protection are automatically enabled, OCR expects entities to check their junk or spam email folder for emails from OCR.
The announcement also reflects that OCR is still developing other aspects of the audit program. OCR will post updated audit protocols on its website closer to conducting the 2016 audits. The audit protocol will be updated to reflect the HIPAA Omnibus Rulemaking and can be used as a tool by organizations to conduct their own internal self-audits as part of their HIPAA compliance activities.
OCR says its audits will enhance industry awareness of compliance obligations and enable OCR to better target technical assistance regarding problems identified through the audits. Through the information gleaned from the audits, OCR will develop tools and guidance to aid the industry in compliance self-evaluation and in preventing breaches. OCR plans to use results and procedures used in the phase 2 audits to develop its permanent HIPAA audit program.
OCR Settlements Show Enforcement Risk
The audit program announcement comes less than a week after OCR announced millions of dollars of new penalties under settlements with two Covered Entities:
A $1,555,000 settlement with North Memorial Health Care of Minnesota;
A $3.9 million settlement with Feinstein Institute for Medical Research.
The two settlements drive home again the substantial liability that health care providers, health plans, health care clearinghouses and their business associates risk for violating HIPAA.
Feinstein Settlement
Feinstein is a biomedical research institute organized as a New York not-for-profit corporation sponsored by Northwell Health, Inc., formerly known as North Shore Long Island Jewish Health System, a large health system headquartered in Manhasset, New York comprised of 21 hospitals and over 450 patient facilities and physician practices.
OCR’s investigation began after Feinstein filed a breach report indicating that on September 2, 2012, a laptop computer containing the electronic protected health information (ePHI) of approximately 13,000 patients and research participants was stolen from an employee’s car. The ePHI stored in the laptop included the names of research participants, dates of birth, addresses, social security numbers, diagnoses, laboratory results, medications, and medical information about potential participation in a research study.
OCR’s investigation discovered that Feinstein’s security management process was limited in scope, incomplete, and insufficient to address potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the entity. Further, Feinstein lacked policies and procedures for authorizing access to ePHI by its workforce members, failed to implement safeguards to restrict access to unauthorized users, and lacked policies and procedures to govern the receipt and removal of laptops that contained ePHI into and out of its facilities. For electronic equipment procured outside of Feinstein’s standard acquisition process, Feinstein failed to implement proper mechanisms for safeguarding ePHI as required by the Security Rule.
“Research institutions subject to HIPAA must be held to the same compliance standards as all other HIPAA-covered entities,” said OCR Director Jocelyn Samuels. “For individuals to trust in the research process and for patients to trust in those institutions, they must have some assurance that their information is kept private and secure.”
The Feinstein settlement announcement follows yesterday’s announcement of a $1.5 million plus settlement with North Memorial to resolve HIPAA charges that it failed to implement a business associate agreement with a major contractor and failed to institute an organization-wide risk analysis to address the risks and vulnerabilities to its patient information. North Memorial is a comprehensive, not-for-profit health care system in Minnesota that serves the Twin Cities and surrounding communities.
The settlement highlights the importance for healthcare providers, health plans, healthcare clearinghouses and their business associates to comply with HIPAA’s business associate agreement and other HIPAA organizational, risk assessment, privacy and security, and other requirements.
OCR’s announcement emphasizes the importance of meeting these requirements. “Two major cornerstones of the HIPAA Rules were overlooked by this entity,” said Director Samuels. “Organizations must have in place compliant business associate agreements as well as an accurate and thorough risk analysis that addresses their enterprise-wide IT infrastructure.”
The settlement comes from charges filed after OCR initiated its investigation of North Memorial following receipt of a breach report on September 27, 2011, which indicated that an unencrypted, password-protected laptop was stolen from a business associate’s workforce member’s locked vehicle, impacting the ePHI of 9,497 individuals.
OCR’s investigation indicated that North Memorial failed to have in place a business associate agreement, as required under the HIPAA Privacy and Security Rules, so that its business associate could perform certain payment and health care operations activities on its behalf. North Memorial gave its business associate, Accretive, access to North Memorial’s hospital database, which stored the ePHI of 289,904 patients. Accretive also received access to non-electronic protected health information as it performed services on-site at North Memorial.
The investigation further determined that North Memorial failed to complete a risk analysis to address all of the potential risks and vulnerabilities to the ePHI that it maintained, accessed, or transmitted across its entire IT infrastructure — including but not limited to all applications, software, databases, servers, workstations, mobile devices and electronic media, network administration and security devices, and associated business processes.
In addition to the $1,550,000 payment, North Memorial is required to develop an organization-wide risk analysis and risk management plan, as required under the Security Rule. North Memorial will also train appropriate workforce members on all policies and procedures newly developed or revised pursuant to this corrective action plan.
Following up on OCR’s imposition of its second-ever HIPAA Civil Monetary Penalty (CMP) and the latest in an ever-growing list of settlements by Covered Entities under HIPAA, these latest settlements illustrate the substantial liability that Covered Entities face for violating HIPAA. To avoid these liabilities, Covered Entities must constantly be diligent to comply with the latest guidance of OCR about their obligations under HIPAA.
As OCR continues to issue additional guidance as well as supplement this guidance through information shared in settlement agreements like the North Memorial settlement, even if Covered Entities reviewed their practices in the last 12-months, most will want to update this review in response to new OCR guidance and enforcement actions, including new guidance on obligations to provide plan members or other subjects of protected health information with access to or copies of their records and other guidance, as well as the ever-expanding list of enforcement actions by OCR.
Since the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) amended HIPAA, Covered Entities face growing responsibilities and liability for maintaining the security of ePHI.
In response to HITECH, OCR continues to use a carrot and stick approach to encouraging and enforcing compliance. As demonstrated by OCR’s imposition of the second-ever HIPAA Civil Monetary Penalty (CMP) of $239,000 against Lincare and the ever-growing list of Resolution Agreements OCR announces with other Covered Entities, OCR continues to step up enforcement against Covered Entities that breach the Privacy and Security Rules. See OCR’s 2nd-Ever HIPAA CMP Nails Lincare For $239,000.
On the other hand, OCR also continues to encourage voluntary compliance by Covered Entities by sharing guidance and tools to aid Covered Entities to understand fulfill their HIPAA responsibilities such as the HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework (Crosswalk) unveiled by OCR on February 24, 2016.The crosswalk that maps the HIPAA Security Rule to the standards of the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (the Cybersecurity Framework) as well as mappings to certain other commonly used security frameworks.
While stating that the HIPAA Security Rule does not require use of the NIST Cybersecurity Framework, OCR says it hopes the Crosswalk will provide “a helpful roadmap” for HIPAA Covered Entities and their business associates to understand the overlap between the NIST Cybersecurity Framework, the HIPAA Security Rule, and other security frameworks that can help Covered Entities safeguard health data in a time of increasing risks and help them to identify potential gaps in their programs.
At the same time, OCR’s announcement of its release of the Crosswalk also cautions users that “use of the Framework does not guarantee HIPAA compliance.” Rather, OCR says “the crosswalk provides an informative tool for entities to use to help them more comprehensively manage security risks in their environments.
With a USA Today report attributing more than 40 percent of data breaches to the healthcare industry over the last three years 91 percent of all health organizations having reporting breaches over the last two years, OCR has made clear that it intends to zealously investigate and enforce the Security Rules against Covered Entities that violate the Security Rules against Covered Entities that fail to take suitable steps to safeguard the security of PHI as required by the HIPAA Security Rule.
To meet these requirements, the HIPAA Security Rule requires that Covered Entities conduct and be prepared to product documentation of their audit and other efforts to comply with the Security Rule Most Covered Entities will want to consider including an assessment of the adequacy of their existing practices under the Crosswalk and other requirements disclosed by OCR in these assessments to help position the Covered Entity to defend or mitigate HIPAA CMP and other liabilities in the event of a HIPAA breech or audit.
Changing Rules Complicate Compliance
In addition to maintaining adequate security, HIPAA also requires Covered Entities to provide individuals with the right to access and receive a copy of their health information from their providers, hospitals, and health insurance plans in accordance with the HIPAA Privacy Rule. In response to recurrent difficulties experienced by individuals in exercising these rights, OCR recently published supplemental guidance to clarify and promote better understanding and compliance with these rules by Covered Entities. OCR started this process in January, 2015 by releasing a comprehensive fact sheet (Access fact sheet) and the first in a series of topical frequently asked questions (FAQs) addressing patients’ right to access their medical records, which set forth requirements providers must follow in sharing medical records with patients, including that they must do so in a timely manner and in a format that works for the patient.
Earlier this month, OCR followed up by publishing on March 1, 2016 a second set of FAQs addresses additional issues, including the fees individuals may be charged for copies of their health information and the right of individuals to have their health information sent directly to a third party if they so choose.
Covered entities and their business associates should expect OCR to ask about use of these tools in audits and investigations. Accordingly, they should move quickly to review and update their business associate agreements and other practices to comply with this new guidance as well as watch for further guidance and enforcement about these practices from OCR.
OCR’s new guidance on access to PHI follows a host of other regulatory and enforcement activities. While the particulars of each of these new actions and guidance vary, all send a very clear message: OCR expects Covered Entities and their business associates to comply with HIPAA and is offering tools and other guidance to aid them in that process. In the event of a breach or audit, Covered Entities and their business associates need to be prepared to demonstrate their efforts to comply.
Those that cannot show adequate compliance efforts should be prepared for potentially substantial CMP or Resolution Agreement payments and other sanctions.
Register For 3/30 Webex Briefing
Solutions Law Press, Inc.™ invites to catch up on the latest guidance on the Covered Entities’ responsibility under HIPAA to provide access to patients to PHI by registering here to participate in the “HIPAA Update: The Latest On Security, Patient Access & Other HIPAA Developments” Webex briefing by attorney Cynthia Marcotte Stamer that Solutions Law Press, Inc.™ will host beginning at Noon Central Time on Wednesday, March 30, 2016.
About The Author
Cynthia Marcotte Stamer is a practicing attorney and management consultant, author, public policy advocate and lecturer widely recognized for her extensive work and pragmatic thought leadership, experience, publications and training on HIPAA and other privacy, medical records and data and other health care and health plan concerns.
Recognized as “LEGAL LEADER™ Texas Top Rated Lawyer” in both Health Care Law and Labor and Employment Law, a “Texas Top Lawyer,” an “AV-Preeminent” and “Top Rated Lawyer” by Martindale-Hubble and as among the “Best Lawyers In Dallas” in employee benefits 2015 by D Magazine; Ms. Stamer has more than 28 years of extensive proven, pragmatic knowledge and experience representing and advising health industry clients and others on operational, regulatory and other compliance, risk management, product and process development, public policy and other key concerns.
As a core component of her work as the Managing Shareholder of Cynthia Marcotte Stamer, PC, the Co-Managing Member of Stamer Chadwick Soefje PLLC, Ms. Stamer has worked extensively throughout her nearly 30 year career with health care providers, health plans, health care clearinghouses, their business associates, employers, banks and other financial institutions, their technology and other vendors and service providers, and others on legal and operational risk management and compliance with HIPAA, FACTA, PCI, trade secret, physician and other medical confidentiality and privacy, federal and state data security and data breach and other information privacy and data security rules and concerns; prevention, investigation, response, mitigation and resolution of known or suspected data or privacy breaches or other incidents; defending investigations or other actions by plaintiffs, OCR, FTC, state attorneys’ general and other federal or state agencies; reporting and redressing known or suspected breaches or other violations; business associate and other contracting; insurance or other liability management and allocation; process and product development, contracting, deployment and defense; evaluation, commenting or seeking modification of regulatory guidance, and other regulatory and public policy advocacy; training and discipline; enforcement, and a host of other related concerns for public and private health care providers, health insurers, health plans, technology and other vendors, employers, and others.
Beyond her extensive involvement advising and defending clients on these matters, Ms. Stamer also has served for several years as the scrivener for the ABA JCEB’s meeting with OCR for many years. She returns as Chair of the Southern California ISSA Health Care Privacy & Security Summit for the third year in 2016, as well as speaks and serves on the steering committee of a multitude of other programs.
A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares shared her thought leadership, experience and advocacy on HIPAA and other concerns by her service in the leadership of a broad range of other professional and civic organization including her involvement as the Vice Chair of the North Texas Healthcare Compliance Association, Executive Director of the Coalition on Responsible Health Policy and its PROJECT COPE; Coalition on Patient Empowerment, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children; former Board Compliance Chair and Board member of the National Kidney Foundation of North Texas, current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, immediate past RPTE Representative to ABA Joint Committee on Employee Benefits Council Representative and current RPTE Representative to the ABA Health Law Coordinating Counsel, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, a former member of the Board of Directors of the Southwest Benefits Association and others.
Ms. Stamer also is a highly popular lecturer, symposia chair and author, who publishes and speaks extensively on health and managed care industry, human resources, employment and other privacy, data security and other technology, regulatory and operational risk management. Examples of her many highly regarded publications on these matters include “Protecting & Using Patient Data In Disease Management: Opportunities, Liabilities And Prescriptions,” “Privacy Invasions of Medical Care-An Emerging Perspective,” “Cybercrime and Identity Theft: Health Information Security: Beyond HIPAA,” as well as thousands of other publications, programs and workshops these and other concerns for the American Bar Association, ALI-ABA, American Health Lawyers, Society of Human Resources Professionals, the Southwest Benefits Association, the Society of Employee Benefits Administrators, the American Law Institute, Lexis-Nexis, Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, the HCCA, ISSA, HIMSS, Modern Healthcare, Managed Healthcare, Institute of Internal Auditors, Society of CPAs, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other symposia and publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, InsuranceThoughtLeadership.com and many other prominent publications and speaks and conducts training for a broad range of professional organizations and for clientson the Advisory Boards of InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications. For additional information about Ms. Stamer, see CynthiaStamer.com or the Stamer│Chadwick │Soefje PLLC or contact Ms. Stamer via email here or via telephone to (469) 767-8872.
About Solutions Law Press, Inc.™
Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources at www.solutionslawpress.com such as:
Health plans, health care providers, healthcare clearinghouses and their business associates (Covered Entities) under the Health Insurance Portability & Accountability Act of 1996 (HIPAA) should review and update practices on protecting the security of and providing protected health information (PHI) and record access to patients, plan members and other subjects of that information in response to new guidance and enforcement actions of the Department of Health & Human Services Office of Civil Rights (OCR).
Even if health plans or other Covered Entities reviewed their practices in the last 12-months, most will want to update this review in response to new OCR guidance and enforcement actions, including new guidance on obligations to provide plan members or other subjects of protected health information with access to or copies of their records and other guidance, as well as the ever expanding list of enforcement actions by OCR.
To catch up on this latest guidance, Solutions Law Press, Inc. ™ invites you to register to participate in a special webex briefing on “HIPAA Update: The Latest On Security, Patient Access & Other HIPAA Developments” on Wednesday, March 30, 2016 beginning at Noon Central Time on Wednesday, March 30, 2016.
New Guidance On PHI Records Access Rules & Security Standards
OCR continues to issue new guidance and tools on HIPAA compliance. Keeping on top of and ensuring privacy and security practices are update for this guidance is an important part of the responsibilities of health plans and other Covered Entities including:
New guidance on responsibilities of Covered Entities to provide patient access to protected health information under HIPAA;
Guidance contained in announcements and resolutions agreements published about OCR enforcement actions; and
Other recent regulatory and enforcement developments.
OCR Cybersecurity & Other Security Guidance & Enforcement
HIPAA’s Privacy, Security and Breach Notification rules require Covered Entities to implement strong data security safeguards to ensure the confidentiality, integrity, and availability of all of the electronic protected health information (ePHI) and other PHI tthey create, receive, maintain or transmit. To help minimize their potential exposure to Civil Monetary Penalties or other risks associated with breaches of these Rules, Covered Entities generally will want to review and update as necessary their current practices for safeguarding the security of PHI and ePHI in light of the HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework (Crosswalk) unveiled by OCR on February 24, 2016 as well as guidance about OCR’s expectations concerning HIPAA Security compliance disclosed in the two HIPAA Civil Monetary Penalties and ever growing list of HIPAA Resolution Agreements published by OCR.
Since the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) amended HIPAA, Covered Entities face growing responsibilities and liability for maintaining the security of ePHI. In response to HITECH, OCR continues to use a carrot and stick approach to encouraging and enforcing compliance. As demonstrated by OCR’s imposition of the second-ever HIPAA Civil Monetary Penalty (CMP) of $239,000 against Lincare and the ever-growing list of Resolution Agreements OCR announces with other Covered Entities, OCR continues to step up enforcement against Covered Entities that breach the Privacy and Security Rules. See OCR’s 2nd-Ever HIPAA CMP Nails Lincare For $239,000.
On the other hand, OCR also continues to encourage voluntary compliance by Covered Entities by sharing guidance and tools to aid Covered Entities to understand fulfill their HIPAA responsibilities such as the HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework (Crosswalk) unveiled by OCR on February 24, 2016.
released a crosswalk that maps the HIPAA Security Rule to the standards of the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (the Cybersecurity Framework) as well as mappings to certain other commonly used security frameworks.
While stating that the HIPAA Security Rule does not require use of the NIST Cybersecurity Framework, OCR says it hopes the Crosswalk will provide “a helpful roadmap” for HIPAA Covered Entities and their business associates to understand the overlap between the NIST Cybersecurity Framework, the HIPAA Security Rule, and other security frameworks that can help Covered Entities safeguard health data in a time of increasing risks and help them to identify potential gaps in their programs. At the same time, OCR’s announcement of its release of the Crosswalk also cautions users that “use of the Framework does not guarantee HIPAA compliance.” Rather, OCR says “the crosswalk provides an informative tool for entities to use to help them more comprehensively manage security risks in their environments.”
With a USA Today report attributing more than 40 percent of data breaches to the healthcare industry over the last three years 91 percent of all health organizations having reporting breaches over the last two years, OCR has made clear that it intends to zealously investigate and enforce the Security Rules against Covered Entities that violate the Security Rules against Covered Entities that fail to take suitable steps to safeguard the security of PHI as required by the HIPAA Security Rule. To meet these requirements, the HIPAA Security Rule requires that Covered Entities conduct and be prepared to product documentation of their audit and other efforts to comply with the Security Rule Most Covered Entities will want to consider including an assessment of the adequacy of their existing practices under the Crosswalk and other requirements disclosed by OCR in these assessments to help position the Covered Entity to defend or mitigate HIPAA CMP and other liabilities in the event of a HIPAA breach or audit.
Latest Guidance Clarifies Patient Rights To Access PHI & Allowable Charges
In addition to maintaining adequate security, HIPAA also requires Covered Entities to provide individuals with the right to access and receive a copy of their health information from their providers, hospitals, and health insurance plans in accordance with the HIPAA Privacy Rule. In response to recurrent difficulties experienced by individuals in exercising these rights, OCR recently published supplemental guidance to clarify and promote better understanding and compliance with these rules by Covered Entities.
OCR started this process in January, 2015 by releasing a comprehensivefact sheet (Access fact sheet) and the first in a series of topical frequently asked questions (FAQs) addressing patients’ right to access their medical records, which set forth requirements providers must follow in sharing medical records with patients, including that they must do so in a timely manner and in a format that works for the patient.
Earlier this week, OCR followed up by publishing on March 1, 2016 a second set of FAQs addresses additional issues, including the fees individuals may be charged for copies of their health information and the right of individuals to have their health information sent directly to a third party if they so choose.
The complete set of materials – the Fact Sheet and both the first and second set of FAQs – published to date as part of this effort to improve access, may be found on OCR’s website here.
Covered entities and their business associates should move quickly to review and update their practices to comply with this new guidance as well as watch for further guidance and enforcement about these practices from OCR.
OCR’s new guidance on access to PHI follows a host of other regulatory and enforcement activities. While the particulars of each of these new actions and guidance vary, all send a very clear message: OCR expects Covered Entities and their business associates to comply with HIPAA and is offering tools and other guidance to aid them in that process.. In the event of a breach or audit, Covered Entities and their business associates need to be prepared to demonstrate their efforts to comply. Those that cannot show adequate compliance efforts should be prepared for potentially substantial CMP or Resolution Agreement payments and other sanctions.
Register For 3/30 Webex Briefing
Solutions Law Press, Inc.™ invites to catch up on the latest guidance on the Covered Entities’ responsibility under HIPAA to provide access to patients to PHI by registering here to participate in the “HIPAA Update: The Latest On Security, Patient Access & Other HIPAA Developments” Webex briefing by attorney Cynthia Marcotte Stamer that Solutions Law Press, Inc.™ will host beginning at Noon Central Time on Wednesday, March 30, 2016. Get additional information or register here.
About The Author
Cynthia Marcotte Stamer is a practicing attorney and management consultant, author, public policy advocate and lecturer widely recognized for her extensive work and pragmatic thought leadership, experience, publications and training on HIPAA and other privacy, medical records and data and other health care and health plan concerns.
Recognized as “LEGAL LEADER™ Texas Top Rated Lawyer” in both Health Care Law and Labor and Employment Law, a “Texas Top Lawyer,” an “AV-Preeminent” and “Top Rated Lawyer” by Martindale-Hubble and as among the “Best Lawyers In Dallas” in employee benefits 2015 by D Magazine; Ms. Stamer has more than 28 years of extensive proven, pragmatic knowledge and experience representing and advising health industry clients and others on operational, regulatory and other compliance, risk management, product and process development, public policy and other key concerns.
As a core component of her work as the Managing Shareholder of Cynthia Marcotte Stamer, PC, the Co-Managing Member of Stamer Chadwick Soefje PLLC, Ms. Stamer has worked extensively throughout her nearly 30 year career with health care providers, health plans, health care clearinghouses, their business associates, employers, banks and other financial institutions, their technology and other vendors and service providers, and others on legal and operational risk management and compliance with HIPAA, FACTA, PCI, trade secret, physician and other medical confidentiality and privacy, federal and state data security and data breach and other information privacy and data security rules and concerns; prevention, investigation, response, mitigation and resolution of known or suspected data or privacy breaches or other incidents; defending investigations or other actions by plaintiffs, OCR, FTC, state attorneys’ general and other federal or state agencies; reporting and redressing known or suspected breaches or other violations; business associate and other contracting; insurance or other liability management and allocation; process and product development, contracting, deployment and defense; evaluation, commenting or seeking modification of regulatory guidance, and other regulatory and public policy advocacy; training and discipline; enforcement, and a host of other related concerns for public and private health care providers, health insurers, health plans, technology and other vendors, employers, and others.
Beyond her extensive involvement advising and defending clients on these matters, Ms. Stamer also has served for several years as the scrivener for the ABA JCEB’s meeting with OCR for many years. She returns as Chair of the Southern California ISSA Health Care Privacy & Security Summit for the third year in 2016, as well as speaks and serves on the steering committee of a multitude of other programs.
A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares shared her thought leadership, experience and advocacy on HIPAA and other concerns by her service in the leadership of a broad range of other professional and civic organization including her involvement as the Vice Chair of the North Texas Healthcare Compliance Association, Executive Director of the Coalition on Responsible Health Policy and its PROJECT COPE; Coalition on Patient Empowerment, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children; former Board Compliance Chair and Board member of the National Kidney Foundation of North Texas, current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, immediate past RPTE Representative to ABA Joint Committee on Employee Benefits Council Representative and current RPTE Representative to the ABA Health Law Coordinating Counsel, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, a former member of the Board of Directors of the Southwest Benefits Association and others.
Ms. Stamer also is a highly popular lecturer, symposia chair and author, who publishes and speaks extensively on health and managed care industry, human resources, employment and other privacy, data security and other technology, regulatory and operational risk management. Examples of her many highly regarded publications on these matters include “Protecting & Using Patient Data In Disease Management: Opportunities, Liabilities And Prescriptions,” “Privacy Invasions of Medical Care-An Emerging Perspective,” “Cybercrime and Identity Theft: Health Information Security: Beyond HIPAA,” as well as thousands of other publications, programs and workshops these and other concerns for the American Bar Association, ALI-ABA, American Health Lawyers, Society of Human Resources Professionals, the Southwest Benefits Association, the Society of Employee Benefits Administrators, the American Law Institute, Lexis-Nexis, Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, the HCCA, ISSA, HIMSS, Modern Healthcare, Managed Healthcare, Institute of Internal Auditors, Society of CPAs, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other symposia and publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, InsuranceThoughtLeadership.com and many other prominent publications and speaks and conducts training for a broad range of professional organizations and for clientson the Advisory Boards of InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications. For additional information about Ms. Stamer, see CynthiaStamer.com or the Stamer│Chadwick │Soefje PLLC or contact Ms. Stamer via email to here or via telephone to (469) 767-8872.
About Solutions Law Press, Inc.™
Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources at http://www.solutionslawpress.com such as:
If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or updating your profile here.
Posted by Cynthia Marcotte Stamer 
slphrbenefitsupdate.com 
You must be logged in to post a comment.