Health Insurer |

Join 9/8 JCEB Webex To Learn About DOJ Federal Antitrust Health Industry Market Competition Enforcement & Latest On $2.67 Billion BCBS Class Action Antitrust Settlement

September 2, 2022

As companies that purchased health insurance and their employees or other individuals who received health insurance from certain Blue Cross Blue Shield entities wait to hear how to claim their share of the $2.67 billion In re: Blue Cross Blue Shield Antitrust Litigation private federal class action civil antitrust lawsuit settlement (“Settlement”) finally approved August 9, 2022 against the Blue Cross Blue Shield Association (“BCBSA”) and other settling individual Blue Cross Plans, employers and other plan sponsors, health care systems and providers, health insurers, pharmacy benefit managers, brokerages, and other health and health insurance market participants need to keep in mind that the private antitrust judgements are not their only exposure under federal antitrust laws. Health insurance and health industry market participants that engage in anticompetitive conduct or business transactions also risk investigation and prosecution under federal antitrust laws by the U.S. Department of Justice, the Federal Trade Commission and state regulators or attorneys general.

Market participants and others with health or health insurance industry market competitiveness concerns or interests should register and attend the September 8, 2022 Justice Department Health Industry Antitrust Enforcement Update to learn about key federal antitrust statutes regulating or prohibiting anticompetitive conduct and business transactions and hear how the Department of Justice uses these laws to promote market competition in the health care and health insurance marketplaces.

Hosted by the American Bar Association Joint Committee on Employee Benefits, the webinar will feature a discussion by U.S. Department of Justice Civil Division Healthcare and Consumer Products Section Antitrust Attorney Natalie Melada of basic federal antitrust rules and principles the Justice Department relies upon to safeguard market competitiveness and discusses selected Justice Department antitrust litigation and other compliance and enforcement initiatives the Department of Justice has undertaken to protect competition in the healthcare industry. Attorney and Solutions Law Press, Inc. editor and author Cynthia Marcotte Stamer also will provide an update on the In re: Blue Cross Blue Shield Antitrust Litigation and resulting $2.67 billion settlement approved August 9.

For more details and to register for the program, see here.

More Information

We hope this update is helpful. For more information about the these or other health or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.

Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and following and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

A Fellow in the American College of Employee Benefit Counsel, Vice Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on health and managed care industry legal, public policy and operational concerns.

Ms. Stamer’s work throughout her 30 plus year career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. Her experience includes substantial work, publications and presentations on health care, health and managed care, employee plan and purchasing groups, noncompetition and other antitrust compliance concerns.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here.

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

Comments Off on Join 9/8 JCEB Webex To Learn About DOJ Federal Antitrust Health Industry Market Competition Enforcement & Latest On $2.67 Billion BCBS Class Action Antitrust Settlement | Antitrust, Brokers, Corporate Compliance, Employers, ERISA, Federal Sentencing Guidelines, health Care, health insurance, health insurance marketplace, Health Plans, Insurance, Non-Competition Agreement, Public Policy | Tagged: Antitrust, Business Groups, Department of Justice, Employee Benefits, Group Purchasing Organizations, Health Care Competition, Health Care Consolidation, Health Insurer, Health Plan, In Re Blue Cross Blue Shield Antitrust Litigation, Physicians | Permalink
Posted by Cynthia Marcotte Stamer

$300,000+ Settlement Warns Health Plans, Other Covered Entities To Ensure Proper PHI Disposal

August 29, 2022

Health plans and insurers, health care providers, health care clearinghouses (“Covered Entities”), their business associate service providers, leaders and insurers should re-confirm their own organizations’ for handling and disposing of records and systems containing protected health information (“PHI”) comply with the Health Care Portability & Accountability Act (“HIPAA”) following the Department of Health & Human Services Office for Civil Rights (OCR) announcement yet another HIPAA enforcement action and settlement arising from improper PHI disposal.

OCR’s $300,000 plus settlement with New England Dermatology P.C., d/b/a New England Dermatology and Laser Center (“NDELC”) announced last week resolves OCR charges that NDELC violated the HIPAA Privacy Rules when it placed specimen containers with patient identifying PHI in its parking lot garbage bin.

OCR Long Enforced HIPAA PHI Disposal Responsibilities

OCR has long interpreted and enforced HIPAA as requiring Covered Entities and business associates to ensure appropriate processes are used to protect PHI when that safeguards are in place when disposing of patient information to keep it from being accessible by the public. ”Improper disposal of protected health information creates an unnecessary risk to patient privacy,” said Acting OCR Director Melanie Fontes Rainer.

The NEDLC enforcement action and NEDLC Resolution Agreement follow prior OCR settlements and warnings to Covered Entities and business associates about their responsibility to protect PHI through proper disposal during their ongoing operations as well as when closing operations.

Past OCR enforcement actions and settlements demonstrated OCR’s readiness to hold Covered Entities and their business associates accountable for properly disposing of records and materials containing PHI, In 2015, for instance, Cornell Prescription Pharmacy paid OCR $125,000 and implemented a correction action plan to correct alleged HIPAA violations after an OCR investigation of a local news report confirmed unsecured paper documents containing PHI of more than 1600 patients were disposed of in an unlocked, open container on Cornell’s premises. The documents were not shredded and contained identifiable information regarding specific patients. See Cornell Prescription Pharmacy Resolution Agreement. See also $800,000 HIPAA Settlement in Medical Records Dumping Case.

Other OCR enforcement actions highlighted the responsibility of Covered Entities and business associates to protect PHI when disposing of computer or other devices. For instance, OCR collected $1,215,780.00 from Affinity Health to settle potential HIPAA Civil Monetary Sanctions after OCR found it exposed the PHI of up to 344,579 individuals by returning photocopiers to a leasing agent without erasing the data contained on the copier hard drives. Affinity Health Plan, Inc. Resolution Agreement.

The OCR guidance and enforcement actions also make clear that the obligation for proper protection and disposal continues through termination of the business or operations through which a Covered Entity or business associate possessed or retained PHI. Thus, in the FileFax Resolution Agreement, for instance the receiver appointed to liquidate the assets of FileFax, Inc. paid $100,000 out of the receivership estate to OCR to settle potential HIPAA violations after Filefax shut its doors during the course of OCR’s investigation into alleged HIPAA violations.

New $300,000+ NEDLC Settlement Agreement

The NEDLC investigation and resulting settlement reflect OCR’s continued concern about ensuring appropriate protection of PHI through disposal. On May 11, 2021, NEDLC filed a breach report with OCR that reported empty specimen containers with the PHI on labels were placed in a garbage bin in their parking lot. The containers’ labels included patient names and dates of birth, dates of sample collection, and name of the provider who took the specimen. On March 31, 2021, a third-party security guard found one specimen container bearing a label containing patient names, dates of birth, dates of sample collection, and name of the provider who took the specimen. During the investigation, NEDLC stated that from February 4, 2011 until March 31, 2021, it regularly discarded specimen containers with an attached label that contained PHI as regular waste, bagged and placed in an exterior dumpster accessible via the parking lot, without alteration to the PHI containing label.

OCR’s New England Regional Office found the practice of disposing of specimen containers with their labels containing PHI violated the HIPAA Privacy Rule including the impermissible use and disclosure of PHI and failure to maintain appropriate safeguards to protect the privacy of PHI.

Under the NEDLC Resolution Agreement, NEDLC paid $300,640 to OCR and agreed to implement a “robust” corrective action plan that includes two years of OCR monitoring to settle OCR’s charges that it breached HIPAA by failing to appropriately secure and protect PHI through disposal. Among other things, the corrective action plan requires NEDLC to:

Within 60 days, develop, maintain, and revise, as needed and present for OCR review its written policies and procedures to comply with the physical safeguard and disposal of PHI created, received or maintained by or on behalf of NEDLC and all other HIPAA Privacy, Security and Breach Notification and training protocols to ensure workforce member compliance with these policies; and sanctions for workforce members violating these requirements;
Implement the updated policies and procedures within 30 days of receipt of HHS approval;
Distribute the policies to existing members of its workforce within 30 days of receipt of HHS approval of the policies and subsequently to new members of the workforce within 30 days of their beginning of service and obtain a signed written or electronic initial compliance certification from all members of the workforce and relevant business associates stating that the workforce members have read, understand, and shall abide by such policies and procedures;
Assess, update, and revise, as necessary, the policies and procedures at least annually or as needed, provide the revised policies and procedures to HHS for review and approval, and redistribute to and obtained new compliance certifications from workforce members and business associates within 30 days of HHS approval;
If it receives information during the Compliance Term that a workforce member or business associate may have failed to comply with its policies and procedures for safeguarding PHI, promptly investigate and it the investigation finds a violation, notify HHS within 30 days of the violation and corrective action taken;
Comply with specified breach investigation and notification requirements;
Provide reports certified by a designated leader of the organization its implementation of the corrective action plan, annually and upon the occurrence of certain other events during the two-year monitoring period.

Take Aways From NEDLC And Other OCR Improper Disposal Enforcement

As the NEDLC and other settlements make clear, Covered Entities and business associates are accountable for recognizing and protecting all PHI in the various phases of its lifecycle in the organization including when it is being disposed or migrating through various systems. Existing OCR enforcement actions like the NECLC Settlement Agreement highlight the need for other Covered Entities and their business associates to ensure all necessary steps are taken to protect PHI when disposing of any items, devices and data containing PHI from patient labeled items including identification bracelets, medication containers and labels, meal trays, folders, tags, storage containers, computers, copiers, jump drives and other electronic storage or other devices and plethora of other items. The announcement of the NEDLC settlement signals the advisability for Covered Entities and their business associates to reassess and reconfirm the adequacy of their own disposal processes and documentation.

Security and disposal practices and procedures are among the elements of HIPAA compliance that OCR expects Covered Entities to address in the documented risk assessments the regulations require Covered Entities to prepare and maintain. See $750,000 HIPAA Settlement Underscores the Need for Organization Wide Risk Analysis. As with other HIPAA compliance responsibilities, OCR regulations require that Covered Entities include their documented assessment and decision-making about the adequacy and reasonableness of their PHI protection and destruction practices under HIPAA as part of their overall HIPAA risk assessment plan and practices. The documented risk assessment requirements make it ill-advised for Covered Entities or business associates to assume their disposal or other HIPAA compliance obligations are satisfied by their past or current adoption of a standard set of policies and procedures obtained from a third-party.

When reviewing the adequacy of their organizations’ PHI disposal practices, Covered Entities and business associates should keep in mind OCR’s HIPAA regulations require them to document risk assessments, analysis, findings and actions as well as recurrently update this analysis periodically and at other times when warranted by events or developments putting the organizations on notice of potential concerns. These risk assessment requirements expect Covered Entities and business associates to conduct documented reviews and risk assessments “of their own circumstances to determine what steps are reasonable to safeguard PHI through disposal and develop and implement policies and procedures to carry out those steps” considering such issues as the form, type, and amount of PHI to be disposed. Covered entities are responsible for conducting and documenting their analysis as well as their adoption, implementation and enforcement of the resulting policies and procedures. HIPAA’s six-year record retention requirements extend to creation and preservation of the risk assessment documentation by a Covered Entity or business associate and OCR commonly asks for these assessment when initiating an audit or investigation. Accordingly, while organizations should consider examples discussed in OCR’s PHI destruction guidance when conducting their own risk announcement, each Covered Entity or business associate should resist the temptation of assuming reliance upon those examples is an adequate substitute for conducting and documenting their own specific risk assessment and analysis.

Best practices require tracking of all elements of PHI created, used, accessed, disclosed, or disposed of all times through documented, appropriate destruction. Ensuring proper fulfillment of these requirements necessitates that these policies and practices cover both disposition or destruction as part of continuing operations as well as required safeguards for disposal or destruction when a Covered Entity or business associate shuts down, sells or otherwise terminates operations that possess or have had access to PHI.

Of course, Covered Entities, business associates, their leaders and liability insurers also should remain mindful that their likely responsibilities and potential liability for mishandling PHI generally also runs concurrent with other contractual, statutory, regulatory or common law exposures. For instance, as HIPAA compliance is part of the Conditions of Participation that Medicare participating Covered Entities and Medicare Advantage Plans must meet to qualify for program participation, noncompliance could trigger program exclusion, False Claims Act or related exposures. Deficiencies in security or destruction of credit card, banking or other PHI that also qualifies as personal financial information could trigger exposure under Federal Trade Commission, state identity theft and privacy or other laws. Public companies and their leaders also may need to evaluate if deficiencies in their security or destruction protocols trigger investor disclosure obligations under Securities and Exchange Commission rules or other federal or state laws. Considering these and other exposures, documented, compliance and defensibility of PHI and other sensitive information use, protection, disclosure and destruction should rank high among the priorities of all Covered Entities and their leaders.

Since these evaluations could uncover or involve discussions of past or ongoing known or potential compliance concerns, Covered Entities and business associates should consider engaging legal counsel experienced with compliance and risk management under HIPAA and other implicated legal risks to advise and aid the Covered Entity to structure, conduct, evaluate findings and determine and implement any corrective actions that the review reveals as required or advisable within the scope of attorney client privilege. If circumstances come to light that indicate a breach of the standards in the course of the disposal compliance assessment or otherwise, Covered Entities also promptly should work with legal counsel timely to investigate, determine and provide any required notifications or other corrective action and document their actions to meet applicable HIPAA and other legal obligations and mitigate liability.

More Information

Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Comments Off on $300,000+ Settlement Warns Health Plans, Other Covered Entities To Ensure Proper PHI Disposal | Corporate Compliance | Tagged: Data Privacy, Data Security, Health Insurer, Health Plan, HIPAA, medical records, PHI, plan records | Permalink
Posted by Cynthia Marcotte Stamer

Record $16M Anthem HIPAA Settlement Signals Need to Tighten Your Health Plan HIPAA Compliance & Risk Management

October 16, 2018

Health plans, their employer and other sponsors and fiduciaries, health insurers, health care providers, health care clearinghouses and their business associates should study and learn from the just announced, record-setting $16 million resolution agreement between health insurance giant, Anthem, Inc., to resolve Department of Health & Human Services Office of Civil Rights (OCR) charges that Anthem, Inc.’s violations of the Health Insurance Portability & Accountability Act (HIPAA) Privacy and Security Rules exposed the electronic protected health information (ePHI) of almost 79 million people. In addition to reviewing the adequacy of their own HIPAA privacy and security practices, health plans, their employer and union sponsors and fiduciaries also should consider assessing the advisability of tightening their business associate and other agreements with health insurers, third party administrative services providers and other vendors in light of the resolution agreement and experiences arising out of the Anthem breach to better position themselves to assess and enforce HIPAA compliance, receive notice and respond in the event of an insurer or other vendor breach and mitigate financial costs and liabilities resulting from breaches or other compliance deficiencies.

Anthem’s Record Setting HIPAA Breach & Resolution Agreement

The settlement agreement announced October 15, 2018 by OCR requires Anthem, Inc. to pay a $16 million resolution payment to OCR and take a series of corrective actions to resolve HIPAA liabilities to OCR for allowing the largest known U.S. health data breach in history in 2015. The record $16 million resolution payment eclipses the prior record resolution payment of $5.55 million Memorial Healthcare System (MHS) paid OCR to settle HIPAA charges in 2016. Moreover, the $16 million resolution payment it’s just a small portion of the amount that Anthem has been required to shell out as a consequence of the breach. In addition to the $16 million paid under the OCR resolution agreement, anthem already has paid more than $115 million to settle lawsuits arising out of the breach under other laws.

An independent licensee of the Blue Cross and Blue Shield Association and one of the nation’s largest health benefits companies, Anthem provides medical care coverage to one in eight Americans through its affiliated health plans. The breach that resulted in the settlement agreement affected ePHI Anthem maintained for its affiliated health plans including many employer or union sponsored self-insured and insured group health plans and other HIPAA-covered entity health plans.

On March 13, 2015, Anthem filed a breach report with the HHS Office for Civil Rights that disclosed that Anthem discovered on January 29, 2015 that cyber-attackers had gained access to and engaged in continuous and targeted cyberattack on Anthem’s IT system for the apparent purpose of extracting data, otherwise known as an advanced persistent threat attack. After filing its breach report, Anthem discovered cyber-attackers had infiltrated their system through spear phishing emails sent to an Anthem subsidiary after at least one employee responded to the malicious email and opened the door to further attacks. OCR’s investigation revealed that between December 2, 2014 and January 27, 2015, the cyber-attackers stole the ePHI of almost 79 million individuals, including names, social security numbers, medical identification numbers, addresses, dates of birth, email addresses, and employment information.

In addition to the impermissible disclosure of ePHI, OCR’s investigation revealed that Anthem failed to conduct an enterprise-wide risk analysis, had insufficient procedures to regularly review information system activity, failed to identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent the cyber-attackers from accessing sensitive ePHI, beginning as early as February 18, 2014.

In addition to the consequences for the millions of individuals whose ePHI was disclosed through the breach, the breach also triggered responsibilities and concerns for fiduciaries and sponsors of the employer and union-sponsored group health plans administered or insured by Anthem. Sponsors and fiduciaries of private sector employer or union sponsored plans struggled to obtain information and cooperation from Anthem necessary to evaluate and fulfill their health plans’ HIPAA obligations as well as the fiduciary responsibility requirements of the Employee Retirement Income Security Act (ERISA).

In addition to the $16 million settlement that Anthem is paying to resolve OCR’s HIPAA charges stemming from the breach, the OCR settlement agreement also requires Anthem to undertake a robust corrective action plan to comply with the HIPAA Rules.

Health Plans, Sponsors, Fiduciaries & Vendors Should Act To Manage Compliance & Risks

Unquestionably, other health insurers, employer, union and association sponsored group health plans, and their vendors and business associates should evaluate the adequacy and defensibility of their own health plan privacy and security practices in light of the Anthem breach and resolution agreement. In addition, employer, union or association health plan sponsors, administrative service providers and fiduciaries also should consider the advisability of strengthening their business associate agreements with insurers, third party administrators and other health plan service providers to incorporate safeguards, audit, oversight or other provisions and practices to help prudently monitor potential risks and improve their ability to receive timely notice, respond to, and preserve rights of recourse against insurers or other vendors in the event of a breach or other deficiency.

About The Author

A practicing attorney and Managing Shareholder of Cynthia Marcotte Stamer, P.C, Cynthia Marcotte Stamer’s more than 30 years’ of leading edge work as an practicing attorney, author, lecturer and industry and policy thought leader have resulted in her recognition as a “Top” attorney in employee benefits, labor and employment and health care law.

Board certified in labor and employment law by the Texas Board of Legal Specialization, a Fellow in the American College of Employee Benefit Counsel, Scribe for the American Bar Association (ABA) Joint Committee on Employee Benefits (JCEB) Annual Agency Meeting with the Office of Civil Rights and a former JCEB Council Representative; former Chair of the ABA Health Law Section Managed Care & Insurance Interest Group; and past Chair, former Welfare Benefit Committee Co-Chair and current Fiduciary Responsibility Committee Co-Chair of the American Bar Association (ABA) RPTE Section Employee Benefits Group, former Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, Ms. Stamer is recognized nationally and internationally for her practical and creative insights and leadership on HIPAA and other health care, managed care and insurance, and other employee benefit, human resources, and related antitrust, corporate, privacy and data security, tax and other internal controls, regulatory affairs and public policy concerns.

Ms. Stamer’s legal and management consulting work throughout her career has focused on helping organizations and their management use the law and process to manage people, process, compliance, operations and risk. Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer helps public and private, domestic and international health, insurance and financial security, and other businesses, governments, and other organizations and their leaders manage their employees, vendors and suppliers, and other workforce members, customers and other’ performance, compliance, compensation and benefits, operations, risks and liabilities, as well as to prevent, stabilize and cleanup legal and operational crises large and small that arise in the course of operations.

In this respect, Ms. Stamer works with businesses and their management, employee benefit plans, governments and other organizations deal with all aspects of human resources and workforce, regulatory compliance and operational and performance management. She supports her clients both on a real time, “on demand” basis and with longer term basis to deal with daily performance management and operations, emerging crises, strategic planning, process improvement and change management, investigations, defending litigation, audits, investigations or other enforcement challenges, government affairs and public policy.

Well known for her extensive work with health care, insurance and other highly regulated entities on corporate compliance, internal controls and risk management, her clients range from highly regulated entities like employers, contractors and their employee benefit plans, their sponsors, management, administrators, insurers, fiduciaries and advisors, technology and data service providers, health care, managed care and insurance, financial services, government contractors and government entities, as well as retail, manufacturing, construction, consulting and a host of other domestic and international businesses of all types and sizes.

As a key part of this work, Ms. Stamer uses her deep and highly specialized health, insurance, labor and employment and other knowledge and experience to help health industry, insurance and financial services and other employers and other employee benefit plan sponsors; health, pension and other employee benefit plans, their fiduciaries, administrators and service providers, insurers, and others design legally compliant, effective compliance and internal controls, risk management, human resources and other workforce performance, discipline, compensation, employee benefits and related programs, products and arrangements.

In the course of this work, Ms. Stamer has accumulated an impressive resume of experience advising and representing clients on HIPAA and other privacy and data security concerns. The scribe for the American Bar Association (ABA) Joint Committee on Employee Benefits annual agency meeting with the Department of Health & Human Services Office of Civil Rights for several years, Ms. Stamer has worked extensively with health plans, health care providers, health care clearinghouses, their business associates, employer and other sponsors, banks and other financial institutions, and others on risk management and compliance with HIPAA and other information privacy and data security rules, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and enforcement, and a host of other related concerns. Her clients include public and private health plans, health insurers, health care providers, banking, technology and other vendors, and others. Beyond advising these and other clients on privacy and data security compliance, risk management, investigations and data breach response and remediation, Ms. Stamer also advises and represents clients on OCR and other HHS, Department of Labor, IRS, FTC, DOD and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. She also is the author of numerous highly acclaimed publications, workshops and tools for HIPAA or other compliance including training programs on Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.

Ms. Stamer also is deeply involved in helping to influence the health care, workforce, insurance and financial services, employee benefit, privacy and data security and other federal, state and local laws, regulations and enforcement actions. She both helps her clients respond to and resolve emerging regulations and laws, government investigations and enforcement actions and helps them shape the rules through dealings with Congress and other legislatures, regulators and government officials domestically and internationally. A former lead consultant to the Government of Bolivia on its Social Security reform law and most recognized for her leadership on U.S. health and pension, wage and hour, tax, education and immigration policy reform, Ms. Stamer works with U.S. and foreign businesses, governments, trade associations, and others on workforce, social security and severance, health care, immigration, privacy and data security, tax, ethics and other laws and regulations. Founder and Executive Director of the Coalition for Responsible Healthcare Policy and its PROJECT COPE: the Coalition on Patient Empowerment and a Fellow in the American Bar Foundation and State Bar of Texas. She also works as a policy advisor and advocate to health, insurance and financial services, employee benefits and other business, professional and civic organizations.

Author of the thousands of publications and workshops these and other employment, employee benefits, health care, insurance, workforce and other management matters, Ms. Stamer also is a highly sought out speaker and industry thought leader known for empowering audiences and readers. Ms. Stamer’s insights on employee benefits, insurance, health care and workforce matters in Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, Modern Healthcare, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, InsuranceThoughtLeadership.com and many other prominent publications. Ms. Stamer also regularly serves on the faculty and planning committees for symposia of LexisNexis, the American Bar Association, ALIABA, the Society of Employee Benefits Administrators, the American Law Institute, ISSA, HIMMs, and many other prominent educational and training organizations and conducts training and speaks on these and other management, compliance and public policy concerns.

Ms. Stamer also has a lifelong history of involvement with and service with a diverse range of professional, community and charitable organizations and causes including as founder and Executive Director of the Coalition for Responsible Health Care Policy and its PROJECT COPE: Coalition for Patient Empowerment; technical advisor to the National Physicians’ Council for Health Care Policy; a founding Board Member and President of the Alliance for Healthcare Excellence and its Patient Empowerment and Health Care Heroes Projects; a Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; the Board President of the early childhood development intervention agency, The Richardson Development Center for Children; a member of the Dallas United Way Long Range Planning Committee; as well as leadership involvement in the ABA Joint Committee on Employee Benefits Council, the North Texas Healthcare Compliance Professionals Association; the ABA RPTE Employee Benefits & Other Compensation Committee, the ABA Health Law Section, the ABA International Section Life Sciences Committee, and the ABA TIPS Employee Benefit Committee; TEGE Coordinator of the Gulf Coast TEGE Council TE Division; Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee; a member of the Board of Directors of the Southwest Benefits Association; Dallas, Regional and State BACPAC Chair of the Texas Association of Business; SHRM Regional Chair and National Advisory Board Chair; WEB Network of Benefits Professionals National and Dallas Boards; as a contributing author and the Advisory Board member of the BNA EBCD CD, InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications and as chair or planning faculty of a multitude of symposia.. For additional information about Ms. Stamer, see www.cynthiastamer.com, or contact Ms. Stamer via email here or via telephone to (214) 452.8297.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested reviewing other Solutions Law Press, Inc.™ resources at www.solutionslawpress.com such as:

Comments Off on Record $16M Anthem HIPAA Settlement Signals Need to Tighten Your Health Plan HIPAA Compliance & Risk Management | Association Health Plan, Employer, Employers, health plan, Health Plans, HIPAA, Privacy, Uncategorized | Tagged: Health Insurance, Health Insurer, Health Plan, media, news, OCR, Privacy | Permalink
Posted by Cynthia Marcotte Stamer

Latest HIPAA Resolution Agreement Drives Home Importance Of Maintaining Current, Signed Business Associate Agreements

April 24, 2017

Health plans, their fiduciaries and sponsors, health insurers, health care providers, health care clearinghouses (“covered entities”) and their business associates must get and keep your business associate (BA) agreements (BAAs) in place, up-to-date, and readily available for inspection in accordance with the Health Insurance Portability & Accountability Act (HIPAA) Privacy Rule, 45 C.F.R. Part 160 and Subparts A and E of Part 164 (Privacy Rule). That’s the clear message to covered entities and their business associates in the April 17, 2017 HIPAA Resolution Agreement just announced by the Department of Health & Human Services (HHS) Office of Civil Rights (OCR) with the Center for Children’s Digestive Health (CCDH).

While the Resolution Agreement relates to breaches of the BAA requirements of a small pediatric practice, all health plans, health care providers and other covered entities and business associates should focus on the adequacy of their BAAs and their BAA record keeping. HIPAA compliance surveys reflect deficiencies with the BAA rules are common throughout the industry. These findings and the involvement of BAs in data breaches or other OCR enforcement activities suggest a high probability that many other covered entities and business associates may be sitting ducks for similar sanctions. See e.g., HIPAA Compliance Survey Churns Up Many Business Associate Problems (January 3, 2017). Consequently, all covered entities and business associates generally should treat the CCDH Resolution Agreement as a message to review and correct as necessary their organizations’ compliance and recordkeeping to minimize their exposure to potential sanctions from violations of the HIPAA business associate rules.

The HIPAA Business Associate Agreement Requirements

OCR’s announcement of the CCDH Resolution Agreement is the latest in a growing series of HIPAA enforcement actions showing the growing risk covered entities and their business associates face for failing to take appropriate steps to comply with the BAA and other Privacy Rule requirements of HIPAA.

As compliance audits and surveys of covered entities and business associates suggest a high level of noncompliance with the business associate agreement requirements among covered entities and business associates, While the ever-growing list of Resolution Agreements and Civil Monetary Penalties announced by OCR cover a variety of categories of HIPAA violations, the CCDH Resolution Agreement highlights the importance of covered entities and their business associates ensuring that before the BA creates, accesses, receives, discloses, retains or destroys any PHI for the covered entity, a BAA meeting the Privacy Rule requirements is signed and retained for at least the six-year period the Privacy Rule requires in a manner easily producible when and if OCR or another agency asks for a copy as part of an investigation or other compliance audit. See Privacy Rule §§ 164.502(e), 164.504(e), 164.532(d) and (e).

The Privacy Rule requires that covered entities and business associates enter into a written and signed business associate agreement that contains the elements specified in Privacy Rule § 164.504(e) before the business associate creates, uses, accesses or discloses PHI of the covered entity. Meanwhile, the Privacy Rule recordkeeping requirements require that covered entities and BAs maintain copies of these BAAs for a minimum of six years.

Violations of the Privacy Rule can carry stiff civil or even criminal penalties Pursuant to amendments to HIPAA enacted as part of the HITECH Act, civil penalties typically do not apply to violations punished under the criminal penalty rules of HIPAA set forth in Social Security Act , 42 U.S.C § 1320d-6 (Section 1177).

Under Section 1177, the criminal enforcement provisions of HIPAA authorize the Justice Department to prosecute a person who knowingly in violation of the Privacy Rule (1) uses or causes to be used a unique health identifier; (2) obtains individually identifiable health information relating to an individual; or (3) discloses individually identifiable health information to another person, punishable by the following criminal sanctions and penalties:

A fine of up to $50,000, imprisoned not more than 1 year, or both;
If the offense is committed under false pretenses, a fine of up to $100,000, imprisonment of not more than 5 years, or both; and
If the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, a fine of up to $250,000, imprisoned not more than 10 years, or both.

In contrast, as amended by the HITECH Act, the civil enforcement provisions of HIPAA empower OCR to impose Civil Monetary Penalties on both covered entities and BAs for violations of any of the requirements of the Privacy or Security Rules. The penalty ranges for civil violations depends upon the circumstances associated with the violations and are subject to upward adjustment for inflation. As most recently adjusted here effective September 6, 2016, the following currently are the progressively increasing Civil Monetary Penalty tiers:

A minimum penalty of $100 and a maximum penalty of $50,000 per violation, for violations which the CE or BA “did not know, and by exercising reasonable diligence would not have known” about using “the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances;”
A minimum penalty of $1,000 and a maximum penalty of $50,000 per violation, for violations for “reasonable cause” which do not rise to the level of “willful neglect” where “reasonable cause” means the “circumstances that would make it unreasonable for the covered entity, despite the exercise of ordinary business care and prudence, to comply with the violated Privacy Rule requirement;”
A minimum penalty of $10,000 and a maximum penalty of $50,000 per violation, for violations attributed to “willful neglect,” defined as “the conscious, intentional failure or reckless indifference to the obligation to comply” with the requirement or prohibition; and
A minimum penalty of $50,000 and a maximum penalty of $1.5 million per violation, for violations attributed to “willful neglect” not remedied within 30 days of the date that the covered entity or BA knew or should have known of the violation.

For continuing violations such as failing to implement a required BAA, OCR can treat each day of noncompliance as a separate violation. However, sanctions under each of these tiers generally are subject to a maximum penalty of $1,500,000 for violations of identical requirements or prohibitions during a calendar year. For violations such as the failure to implement and maintain a required BAA where more than one covered entity bears responsibility for the violation, OCR an impose Civil Monetary Penalties against each culpable party. OCR considers a variety of mitigating and aggravating facts and circumstances when arriving at the amount of the penalty within each of these applicable tiers to impose.

While criminal enforcement of HIPAA remains relatively rare, a review of the OCR enforcement record in recent years makes clear that civil enforcement of HIPAA and the sanctions imposed is growing. See e.g., $400K HIPAA Settlement Shows Need To Conduct Timely & Appropriate Risk Assessments; $5.5M Memorial HIPAA Resolution Agreement Shows Need To Audit. For more examples, also see here.

CCDH Sanctions For Violation Of HIPAA Business Associate Agreement Rules

The CCDH Resolution Agreement arises from violations of this requirement that OCR says it discovered as a result of a compliance review conducted in response to an OCR investigation of a CCDH business associate, FileFax, Inc. According to OCR, OCR found from the compliance review of CCDH triggered by OCR’s investigation of FileFax that while CCDH began disclosing PHI to Filefax in 2003 and that Filefax stored records containing protected health information (PHI) for CCDH, neither CCDH nor Filefax could produce a signed Business Associate Agreement (BAA) covering their relationship for any period before October 12, 2015.

Based on the resulting investigation, OCR concluded:

CCDH failed to obtain a BAA providing written assurances from Filefax that it would appropriately safeguard the PHI in Filefax’s possession or control satisfactory assurances as required by Privacy Rule §164.502(e); and
Because CCDH failed to secure the required BAA, it violated the Privacy Rule by impermissibly disclosing the PHI of at least 10,728 individuals to Filefax when CCDH transferred the PHI to Filefax without obtaining the requisite BAA from Filefax (Covered Conduct).

In the Resolution Agreement, CCDH agrees to pay HHS $31,000.00 (Resolution Amount) and enter into and comply with a Corrective Action Plan (CAP) in return for OCR’s release of CCDH from liability for “any actions it may have against CCDH under the HIPAA Rules” for the Covered Conduct. The Resolution Agreement only settles the civil monetary penalty and other OCR enforcement liabilities of CCDH with respect to the Covered Conduct. Its provisions expressly state the Resolution Agreement does not affect any exposures of CCDH to CCDH to OCR civil monetary penalties or other enforcement for any HIPAA violations other than the Covered Conduct.

Perhaps even more noteworthy given the HITECH Act’s provisions coordinating the civil and criminal sanctions of HIPAA, while the Resolution Agreement provides no clear indication that the Justice Department might be considering criminally prosecuting CCDH or any other party in relation to the Covered Conduct, the Resolution Agreement also expressly states that its provisions do not affect CCDH’s potential exposure, if any, to criminal prosecution by the Justice Department for a criminal violation of the Privacy Rules under Section 1177 of the Social Security Act.

Implications For Covered Entities & Business Associates

Covered entities and their business associates should heed the CCDH Resolution Agreement as a strong message from OCR to ensure their organizations are complying with HIPAA’s BAA and other requirements. The Resolution Agreement makes clear that the starting point of this compliance effort must be obtaining and maintaining the requisite BAAs for each BA relationship.

To position their organizations to withstand potential investigation by OCR, covered entities and BAs should start by conducting a well-documented audit within the scope of attorney-client privilege both to verify that an appropriate, signed BAA is in place for each BA relationship as well as adequacy of processes for identifying business associate relationships, ensuring that signed BAAs are in effect before BAs access any PHI, and for investigating, reporting and resolving any breaches of the HIPAA Privacy or Security Rules that may arise in the course of operations.

Conducting this audit as soon as possible is particularly important in light of reported findings of widespread compliance concerns. See HIPAA Compliance Survey Churns Up Many Business Associate Problems (January 3, 2017). As the audit process could identify potential violations or other legally sensitive concerns, covered entities and business associates generally will want to arrange for this audit and evaluation to be conducted under the supervision of legal counsel experienced with HIPAA within or pursuant to processes structured with the assistance of legal counsel within the scope of attorney-client privilege.

Beyond confirming all necessary BAAs are in place, covered entities and business associates also generally will want to evaluate the adequacy of BAs’ processes and procedures for maintaining compliance with the Privacy and Security Rules as well as processes and procedures for responding to audits, investigations and complaints, reporting and addressing breaches of electronic and other PHI and other possible compliance concerns under HIPAA and other related laws. In many instances, parties may n wish to revise and strengthen existing BAAs to more specifically define these policies and procedures more specifically as well as indemnification, cyber or other liability coverage requirements and other contractual provisions for allocating potential costs and liabilities arising from breaches, audits, investigations and other expenses associated with the administration of these provisions.

About The Author

Recognized by LexisNexis® Martindale-Hubbell® as a “AV-Preeminent” (Top 1%/ the highest) and “Top Rated Lawyer,” with special recognition as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Health Care,” “Labor & Employment,” “Tax: Erisa & Employee Benefits” and “Business and Commercial Law” by D Magazine, the author of this update is widely known for her 29 plus years’ of work in health care, health benefit, health policy and regulatory affairs and other health industry concerns as a practicing attorney and management consultant, thought leader, author, public policy advocate and lecturer.

Throughout her adult life and nearly 30-year legal career, Ms. Stamer’s legal, management and governmental affairs work has focused on helping health industry, health benefit and other organizations and their management use the law, performance and risk management tools and process to manage people, performance, quality, compliance, operations and risk. Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer supports these organizations and their leaders on both a real-time, “on demand” basis as well as outsourced operations or special counsel on an interim, special project, or ongoing basis with strategic planning and product and services development and innovation; workforce and operations management, crisis preparedness and response as well as to prevent, stabilize and cleanup legal and operational crises large and small that arise in the course of operations.

As a core component of her work, Ms. Stamer has worked extensively throughout her career with health care providers, health plans and insurers, managed care organizations, health care clearinghouses, their business associates, employers, banks and other financial institutions, management services organizations, professional associations, medical staffs, accreditation agencies, auditors, technology and other vendors and service providers, and others on legal and operational compliance, risk management and compliance, public policies and regulatory affairs, contracting, payer-provider, provider-provider, vendor, patient, governmental and community relations and matters including extensive involvement advising, representing and defending public and private hospitals and health care systems; physicians, physician organizations and medical staffs; specialty clinics and pharmacies; skilled nursing, home health, rehabilitation and other health care providers and facilities; medical staff, accreditation, peer review and quality committees and organizations; billing and management services organizations; consultants; investors; technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, insurers, self-insured health plans and other payers; and other health industry clients to manage and defend compliance, public policy, regulatory, staffing and other operations and risk management concerns. A core focus of this work includes work to establish and administer compliance and risk management policies; comply with requirements, investigate and respond to Board of Medicine, Health, Nursing, Pharmacy, Chiropractic, and other licensing agencies, Department of Aging & Disability, FDA, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; dealings with JCHO and other accreditation and quality organizations; investigation and defense of private litigation and other federal and state health care industry investigations and enforcement; insurance or other liability management and allocation; process and product development; managed care, physician and other staffing, business associate and other contracting; evaluation, commenting or seeking modification of regulatory guidance, and other regulatory and public policy advocacy; training and discipline; and a host of other related concerns for public and private health care providers, health insurers, health plans, technology and other vendors, employers, and others.

In the course of this work, Ms. Stamer has accumulated extensive experience helping health industry clients manage workforce, medical staff, vendors and suppliers, medical billing, reimbursement, claims and other provider-payer relations, business partners, and their recruitment, performance, discipline, compliance, safety, compensation, benefits, and training, board, medical staff and other governance; compliance and internal controls; strategic planning, process and quality improvement; change management; assess, deter, investigate and address staffing, quality, compliance and other performance; meaningful use, EMR, HIPAA and other data security and breach and other health IT and data; crisis preparedness and response; internal, government and third-party reporting, audits, investigations and enforcement; government affairs and public policy; and other compliance and risk management, government and regulatory affairs and operations concerns.

Author of leading works on HIPAA and other privacy and data security works and the scribe leading the American Bar Association Joint Committee on Employee Benefits Annual Agency Meeting with OCR, her experience includes extensive compliance, risk management and data breach and other crisis event investigation, response and remediation under HIPAA and other laws.

The American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting, former Vice President of the North Texas Health Care Compliance Professionals Association, past Chair of the ABA Health Law Section Managed Care & Insurance Section, past ABA JCEB Council Representative, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has worked closely with a diverse range of physicians, hospitals and healthcare systems, DME, Pharma, clinics, health care providers, managed care, insurance and other health care payers, quality assurance, credentialing, technical, research, public and private social and community organizations, and other health industry organizations and their management deal with governance; credentialing, patient relations and care; staffing, peer review, human resources and workforce performance management; outsourcing; internal controls and regulatory compliance; billing and reimbursement; physician, employment, vendor, managed care, government and other contracting; business transactions; grants; tax-exemption and not-for-profit; licensure and accreditation; vendor selection and management; privacy and data security; training; risk and change management; regulatory affairs and public policy and other concerns.

Past Chair of the ABA Managed Care & Insurance Interest Group and, a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also has extensive health care reimbursement and insurance experience advising and defending health care providers, payers, and others about Medicare, Medicaid, Medicare and Medicaid Advantage, Tri-Care, self-insured group, association, individual and group and other health benefit programs and coverages including but not limited to advising public and private payers about coverage and program design and documentation, advising and defending providers, payers and systems and billing services entities about systems and process design, audits, and other processes; provider credentialing, and contracting; providers and payer billing, reimbursement, claims audits, denials and appeals, coverage coordination, reporting, direct contracting, False Claims Act, Medicare & Medicaid, ERISA, state Prompt Pay, out-of-network and other nonpar, insured, and other health care claims, prepayment, post-payment and other coverage, claims denials, appeals, billing and fraud investigations and actions and other reimbursement and payment related investigation, enforcement, litigation and actions.

Heavily involved in health care and health information technology, data and related process and systems development, policy and operations innovation and a Scribe for ABA JCEB annual agency meeting with OCR for many years who has authored numerous highly-regarded works and training programs on HIPAA and other data security, privacy and use, Ms. Stamer also is widely recognized for her extensive work and leadership on leading edge health care and benefit policy and operational issues including meaningful use and EMR, billing and reimbursement, quality measurement and reimbursement, HIPAA, FACTA, PCI, trade secret, physician and other medical confidentiality and privacy, federal and state data security and data breach and other information privacy and data security rules and many other concerns.

In connection with this work, Ms. Stamer has worked extensively with health care providers, health plans, health care clearinghouses, their business associates, employers and other plan sponsors, banks and other financial institutions, and others on risk management and compliance with HIPAA, FACTA, trade secret and other information privacy and data security rules, including the establishment, documentation, implementation, audit and enforcement of policies, procedures, systems and safeguards, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and and enforcement, and a host of other related concerns. Her clients include public and private health care providers, health insurers, health plans, technology and other vendors, and others.

Her work includes both regulatory and public policy advocacy and thought leadership, as well as advising and representing a broad range of health industry and other clients about policy design, drafting, administration, business associate and other contracting, risk assessments, audits and other risk prevention and mitigation, investigation, reporting, mitigation and resolution of known or suspected violations or other incidents and responding to and defending investigations or other actions by plaintiffs, DOJ, OCR, FTC, state attorneys’ general and other federal or state agencies, other business partners, patients and others.

In addition to representing and advising these organizations, she also has conducted training on Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, MGMA, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.

A former lead consultant to the Government of Bolivia on its Pension Privatization Project with extensive domestic and international public policy concerns in Pensions, healthcare, workforce, immigration, tax, education and other areas.

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her thought leadership, experience and advocacy on these and other related concerns by her service in the leadership of the Solutions Law Press, Inc. Coalition for Responsible Health Policy, its PROJECT COPE: Coalition on Patient Empowerment, and a broad range of other professional and civic organizations including North Texas Healthcare Compliance Association, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children (now Warren Center For Children); current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, past Representative and chair of various committees of ABA Joint Committee on Employee Benefits; a ABA Health Law Coordinating Council representative, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, a former member of the Board of Directors of the Southwest Benefits Association and others.

Ms. Stamer also is a highly popular lecturer, symposium and chair, faculty member and author, who publishes and speaks extensively on health and managed care industry, human resources, employment and other privacy, data security and other technology, regulatory and operational risk management. Examples of her many highly regarded publications on these matters include “Protecting & Using Patient Data In Disease Management: Opportunities, Liabilities And Prescriptions,” “Privacy Invasions of Medical Care-An Emerging Perspective,” “Cybercrime and Identity Theft: Health Information Security: Beyond HIPAA,” as well as thousands of other publications, programs and workshops these and other concerns for the American Bar Association, ALI-ABA, American Health Lawyers, Society of Human Resources Professionals, the Southwest Benefits Association, the Society of Employee Benefits Administrators, the American Law Institute, Lexis-Nexis, Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, the HCCA, ISSA, HIMSS, Modern Healthcare, Managed Healthcare, Institute of Internal Auditors, Society of CPAs, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other symposia and publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, Insurance Thought Leadership and many other prominent publications and speaks and conducts training for a broad range of professional organizations.

For more information about Ms. Stamer or her health industry and other experience and involvements, see here or contact Ms. Stamer via telephone at (469) 767-8872 or via e-mail here.

About Solutions Law Press, Inc.™

©2017 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ All other rights reserved. For information about republication or other use, please contact Ms. Stamer here.

Comments Off on Latest HIPAA Resolution Agreement Drives Home Importance Of Maintaining Current, Signed Business Associate Agreements | ARRA, Attorney-Client Privilege, Cafeteria Plans, church plan, Civil Monetary Penalties, Civil Rights, Claims, Consumer Protection, Corporate Compliance, corporate governance, Cybercrime, Data Breach, Data Security, employee, Employee Benefits, Employer, Employers, Employment, HIPAA, HR, Human Resources, Identity Theft, Insurance, insurers, Internal Controls, Internal Investigations, Patient Empowerment, Physician, Plan Admistrator, Privacy, Professional Liability, Protected Health Information, Provider, Risk Management, Uncategorized | Tagged: Business Associate, Health Care, Health Insurer, Health Plans, HIPAA, HIPAA OCR, HIPAA Privacy, HITECH, Insurer, Technology, tpa | Permalink
Posted by Cynthia Marcotte Stamer

Health Plans & Other HIPAA Entities Should Learn From $2.75M UMMC HIPAA Settlement

July 28, 2016

Employers, insurers and other health plan sponsors or issuers (health plans), health care providers, healthcare clearinghouses (covered entities) and their business associates should reevaluate the adequacy of their practices and procedures for the protection of electronic protected health information (ePHI) on or accessible through laptops or other mobile devices in light of the $2.75 million penalty and other schooling the Department of Health and Human Services Office for Civil Rights (OCR) just gave the University of Mississippi (UM) Medical Center (UMMC) documented in a July 7, 2016 Resolution Agreement and Corrective Action Plan (Resolution Agreement) resolving OCR charges of multiple violations of the privacy, security and breach notification requirements of the Health Insurance Portability and Accountability Act (HIPAA) OCR says it uncovered while investigating UMMC’s breach notification report to OCR of the loss a laptop containing 328 files containing the ePHI of an estimated 10,000 patients.

UMMC Report of Missing Laptop Leads To Multiple Charges & Resolution Agreement

Mississippi’s sole public academic health science center, UMMC provides patient care in four specialized hospitals on the Jackson campus and at clinics throughout Jackson and the State as well as conducts medical education and research functions. Its designated health care component, UMMC, includes University Hospital, the site of the breach in this case, located on the main UMMC campus in Jackson.

The settlement agreed to by UMMC stems from charges resulting from an OCR investigation of UMMC triggered by a breach of unsecured electronic protected health information (“ePHI”) affecting approximately 10,000 individuals.

Like many prior resolution agreements previously announced by OCR, UMMC’s HIPAA woes came to light after a laptop went missing. OCR learned of the breach and opened its investigation in response to a March 21, 2013 notification UMMC filed with OCR. UMMC made the breach notification to comply with HIPAA’s Breach Notification Rule requirement that health care providers, health plans and healthcare clearinghouses (Covered Entities) timely notify affected individuals, OCR and others of breaches of unsecured ePHI.

UMMC’s breach notification disclosed that UMMC’s privacy officer had discovered a password-protected laptop containing ePHI of thousands of UMMC patients missing from UMMC’s Medical Intensive Care Unit (MICU). UMMC additionally reported that based on its investigation, UMMC believed that the missing laptop likely was stolen by a visitor to the MICU who had inquired about borrowing one of the laptops.

After discovering the loss, UMMC disclosed the breach to local media and on its website and notified OCR of the breach but apparently did not individually notify the subjects of the missing ePHI.

In keeping with its announced policy of investigating all breach reports impacting 500 or more individuals, OCR opened an investigation into UMMC’s breach report. Based on this investigation, OCR concluded that while the laptop apparently was password protected, UMMC had breached the Security Rules because ePHI stored on a UMMC network drive was vulnerable to unauthorized access via UMMC’s wireless network because users could use a generic username and password to access an active directory containing 67,000 files including 328 files containing the ePHI of an estimated 10,000 patients.

While OCR’s investigation confirmed that UMMC had implemented policies and procedures pursuant to the HIPAA Rules, OCR’s additionally found that the theft of the laptop that prompted UMMC’s breach report resulted from broad deficiencies in UMMC’s implementation and administration of these policies and its practices.

Based on these findings, OCR charged UMMC with the following HIPAA violations:

From the compliance date of the Security Rule, April 20, 2005, through the settlement date, UMMC violated 45 C.F.R. §164.308(a)(1)(i) by failing to implement policies and procedures to prevent, detect, contain, and correct security violations, including conducting an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of the ePHI it holds, and implementing security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level;
From January 19, 2013, until March 1, 2014, UMMC violated 45 C.F.R. §164.310(c) by failing to implement physical safeguards for all workstations that access ePHI to restrict access to authorized users;
From the compliance date of the Security Rule, April 20, 2005, to March 14, 2013, UM violated 45 C.F.R. § 164.312 (a)(2)(i) by failing to assign a unique user name and/or number for identifying and tracking user identity in information systems containing ePHI including, for example, allowing workforce members to access ePHI on a shared department network drive through a generic account, preventing UMMC from tracking which specific users were accessing ePHI; and
While UMMC provided notification on UMMC’s website and in local media outlets following the discovery of the reported breach of unsecured ePHI,, UMMC violated the Breach Notification Rule by failing to notify each individual whose unsecured ePHI was reasonably believed to have been accessed, acquired, used, or disclosed as a result of the breach.

Finally, OCR determined that UMMC was aware of risks and vulnerabilities to its systems as far back as April 2005, yet took no significant risk management activity until after the breach, due largely to organizational deficiencies and insufficient institutional oversight.

To resolve these charges, UMMC agrees in the Resolution Agreement to pay OCR $2.75 million and implement a comprehensive compliance plan which among other things, requires UMMC to conduct a sweeping review and correct its HIPAA privacy, security and breach notification policies and their implementation and administration to comply with HIPAA as well as implement and administer detailed management and OCR oversight and reporting processes over the implementation and administration of these procedures.

Lessons For Other Covered Entities From UMMC Resolution Agreement

The UMMC charges and Resolution Agreement contains several key lessons for other covered entities and their business associates, which OCR’s July 21, 2016 announcement warns other covered entities and business associates to heed..

Certainly, the $2.75 million settlement amount reaffirms that covered entities and their business associates risk substantial liability for failing to properly assess and protect the security of ePHI in accordance with HIPAA’s Privacy and Security Rule.

Furthermore, the charges and Resolution Agreement also adds a new twist to OCR’s now well established to stiffly sanction covered entities and their business associates that fail appropriately assess and address risks to the security of their ePHI on or accessible from laptops or other mobile devices. Through previous resolution agreements and guidance, OCR has made clear that it interprets the HIPAA Security Rule as generally requiring that covered entities and business associates encrypt all laptops or other mobile devices containing ePHI. The UMMC charges and Resolution Agreement makes clear that the responsibility to protect ePHI on or accessible through laptops or other mobile devices does not end with encryption. Rather, the Resolution Agreement makes clear that covered entities and their business associates also must take appropriate, well-documented steps to monitor, assess, identify, and timely and effectively address other potential risks to the security of the ePHI.

The Resolution Agreement makes clear that these additional responsibilities include, but are not necessarily limited to ensuring that proper safeguards are implemented and enforced to secure access not only to the ePHI contained on the laptop as well as other data bases and systems containing ePHI accessible through the laptop. In this respect, the Resolution Agreement particularly highlights the need for covered entities and their business associates to assess risks and take appropriate steps:

To safeguard the physical security of laptops and other mobile devices;
To prevent the use of generic or other unsecure passwords to access ePHI on or accessible through the laptop or other mobile device;
To establish and administer appropriate, well-documented processes for assessing and addressing the adequacy of safeguards for and potential threats to the security of ePHI both initially and on an ongoing basis in a manner that meaningfully assesses the actual risks and effectiveness of safeguards against these risks, including those resulting from nonadherence to required safeguards and practices such as the sharing of passwords, changing systems or circumstances, and other developments that potentially threaten the adequacy of ePHI security.

Furthermore, OCR’s July 21, 2016 press release concerning the Resolution Agreement also sends a clear message to all covered entities and business associates that OCR views HIPAA as requiring organizations not only to adopt written policies and procedures that comply on paper or in theory with HIPAA, but also to take steps to monitor and maintain the effectiveness of their safeguard by continuously assessing and monitoring their HIPAA risks and acting as necessary to ensure that required safeguards of protected health information and ePHI and other HIPAA requirements are effectively implemented and administered in operation as well as form.

In OCR’s Press Release announcing the Resolution Agreement, OCR Director Jocelyn Samuels. Stated, “We at OCR remain particularly concerned with unaddressed risks that may lead to impermissible access to ePHI.” She also warned “In addition to identifying risks and vulnerabilities to their ePHI, entities must also implement reasonable and appropriate safeguards to address them within an appropriate time frame.”

Additionally, the Resolution Agreement also illustrates need for covered entities and business associates to timely provide all individual and other notifications and otherwise fully comply with all requirements of the Breach Notification Rules.

Since the risk of a breach is ever-present even for Covered Entities and business associates exercising the highest degree of care to safeguard PHI and maintain compliance with HIPAA, Covered Entities and business associates are wise to take steps to position themselves to be able to demonstrate the adequacy of both their written policies and procedures and the effectiveness of their implementation and enforcement including ongoing documented practices for assessing, monitoring and addressing security risks and other compliance concerns as well as prepare to comply with the breach notification requirements in the event they experience their own breach of unsecured ePHI.

About The Author

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, current American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, former scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting and JCEB Council Representative, former Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, the former Board President and Treasurer of the Richardson Development Center for Children Early Childhood Intervention Agency, and past Board Compliance Chair of the National Kidney Foundation of North Texas, and Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization, the author of this update, attorney Cynthia Marcotte Stamer, is AV-Preeminent (the highest) rated attorney repeatedly recognized for her nearly 30 years of experience and knowledge representing and advising healthcare, health plan and other health industry and others on these and other regulatory, workforce, risk management, technology, public policy and operations matters as a Martindale-Hubble as a “LEGAL LEADER™” and “Texas Top Rated Lawyer” in Health Care Law, Labor and Employment Law, and Business & Commercial Law and among the “Best Lawyers In Dallas” by D Magazine.

Ms. Stamer’s health industry experience includes advising hospitals, nursing home, home health, rehabilitation and other health care providers and health industry clients to establish and administer compliance and risk management policies; prevent, conduct and investigate, and respond to peer review and other quality concerns; and to respond to Board of Medicine, Department of Aging & Disability, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns.

Ms. Stamer also is known for her experience in HIPAA and other privacy and data security and breach concerns. The scribe for ABA JCEB annual agency meeting with OCR for many years, Ms. Stamer has worked extensively with health care providers, health plans, health care clearinghouses, their business associates, employers and other plan sponsors, banks and other financial institutions, and others on risk management and compliance with HIPAA, FACTA, trade secret and other information privacy and data security rules, including the establishment, documentation, implementation, audit and enforcement of policies, procedures, systems and safeguards, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and enforcement, and a host of other related concerns. Her clients include public and private health care providers, health insurers, health plans, technology and other vendors, and others. In addition to representing and advising these organizations, she also has conducted training on Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.

A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her insights on these and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications.

You can get more information about her health industry experience here or contact Ms. Stamer via telephone at (469) 767-8872 or via e-mail here.

About Solutions Law Press Inc.™

Solutions Law Press, Inc.™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns.

If you found these updates of interest, you may be interested in other recent Solutions Law Press, Inc. updates like the following:

Go here to register to receive other Solutions Law Press, Inc. updates and announcements about other upcoming briefings, training or other programs, products, services, and activities or to learn more about Solutions Law Press, Inc., its publications, programs and training, PROJECT COPE: Coalition on Patient Empowerment community service and education projects, event management and other resources and services.

For important information concerning this communication see here. THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS. ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.

Comments Off on Health Plans & Other HIPAA Entities Should Learn From $2.75M UMMC HIPAA Settlement | Civil Rights, Claims Administration, Consumer Protection, Corporate Compliance, corporate governance, Cybercrime, Data Breach, Data Security, employee, Employee Benefits, Employer, Employers, Employment, Employment Discrimination, ERISA, FACTA, GINA, health benefit, Health Benefits, health Care, health insurance, health insurance marketplace, health plan, Health Plans, HIPAA, HR, Human Resources, Identity Theft, Insurance, insurers, Internal Controls, Mental Health Parity, Uncategorized | Tagged: Business Associate, Corporate Compliance, Data Breach, employee benefitsd, Employer, Health Insurance, Health Insurer, HIPAA, Insurance, Medical Privacy, OCR, Office of Civil Rights, Privacy, Protected Health Information | Permalink
Posted by Cynthia Marcotte Stamer

Employers, Insurers & TPAS: Budget Time, $ For 2017 Summary of Benefits and Coverage Updates

April 11, 2016

Group health plans and group and individual health insurers (Health Plans) must add updating their 2017 Summary of Benefits and Coverage (SBC) forms to their 2017 to do list in response to the publication by the Departments of Health and Human Services (HHS), Labor (DOL) and Treasury (collectively “Agencies) of enhanced content requirements for the 2017 Summary of Benefits and Coverage (SBC) template and Uniform Glossary that the Patient Protection & Affordable Care Act (ACA) requires Health Plans to provide to Health Plan members. Health Plans must begin using SBCs updated to comply with the 2017 SBC template released by the Agencies on April 6, 2016 beginning on the first day of the first open enrollment period that begins on or after April 1, 2017.

The ACA requires Health Plans to provide covered persons a brief (4 page) summary of what the plan covers and the plan’s cost sharing along with a comprehensive uniform glossary of commonly used health coverage and medical terms with the detailed content and format dictated by the Agencies SBC regulations. Intended to help covered persons understand and compare coverage options by providing standardized information in a standardized format about each plan, the SBC and Glossary must include all required content in the type and format dictated by the SBC regulations. In addition to ensuring that their SBC and Glossary meet these requirements, Health Plans also may need to prepare and offer translations of the SBC and Glossary to comply with the ACA’s “culturally and linguistically appropriate” requirements.

The current and 2017 SBC Template along with instructions for its preparation and completion, model translation documents for certain forms, and other information about the SBC requirements are available here.

Currently, the dictated SBC format includes coverage examples that demonstrate the cost sharing amounts an individual might be responsible for in three common medical situations. In addition to the current coverage examples that address diabetes care and childbirth, the updated template for 2017 also will require a new coverage example that addresses coverage for a foot fracture so that a consumer understands what a plan covers in an emergency scenario.

Beyond dictating the emergency example, the 2017 templates also expand the information about cost sharing that SBCs much contain to include enhanced language to explain deductibles and a requirement that plans address individual and overall out-of-pocket limits in the SBC.

While the Agencies regulations dictate the required content, health insurers and employers or others serving as health plan administrators or sponsors need to use care to ensure that SBCs are prepared appropriately and provided when and how required. Failure to timely deliver the SBC not only can trigger penalties under ERISA against the plan administrator and/or against the insurer under the ACA market reform rules, noncompliance with the SBC requirements also is among the listed ACA compliance defects that can expose the sponsoring employer to excise tax penalties under the Internal Revenue Code.

In order to fulfill this and other important ACA and other federal health plan notice and reporting mandates, employer and other plan sponsors, administrators and fiduciaries generally must finalize their health plan design well in advance of the date the new health plan design is intended to take effect. The Agencies SBC regulations generally require that the SBC be provided before the first day of the enrollment period and that updated SBCs be provided whenever any material change in benefits or coverage is enacted after the delivery of the original SPB. The requirement to prepare and deliver the SBC is in addition to the current federal mandate that plan administrators provide written notice of material changes to a health plan at least 60 days before the effective date of the material change and a host of other health plan notice requirements imposed by federal law. Employers, insurers, third party administrators and health plan fiduciaries need to understand and make appropriate arrangements to ensure that these SBC and other notice and reporting requirements are timely and appropriately completed.

About The Author

A practicing attorney and Managing Shareholder of Cynthia Marcotte Stamer, P.C., Ms. Stamer’s more than 28 years’ of leading edge work as an practicing attorney, author, lecturer and industry and policy thought leader have resulted in her recognition as a “Top” attorney in employee benefits, labor and employment and health care law.

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Cynthia Marcotte Stamer is a noted Texas-based management lawyer and consultant, author, lecturer and policy advocate, recognized as among the “Top Rated Labor & Employment Lawyers in Texas” by LexisNexis® Martindale-Hubbell® and as among the “Best Lawyers In Dallas” for her work in the field of “Tax: Erisa & Employee Benefits” and “Health Care” by D Magazine.

Ms. Stamer’s legal and management consulting work throughout her career has focused on helping organizations and their management use the law and process to manage people, process, compliance, operations and risk. Highly valued for her rare ability to find pragmatic client-centric solutions by combining her detailed legal and operational knowledge and experience with her talent for creative problem-solving, Ms. Stamer helps public and private, domestic and international businesses, governments, and other organizations and their leaders manage their employees, vendors and suppliers, and other workforce members, customers and other’ performance, compliance, compensation and benefits, operations, risks and liabilities, as well as to prevent, stabilize and cleanup workforce and other legal and operational crises large and small that arise in the course of operations.

Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization, Ms. Stamer helps management manage. Ms. Stamer works with businesses and their management, employee benefit plans, governments and other organizations deal with all aspects of human resources and workforce management operations and compliance. She supports her clients both on a real time, “on demand” basis and with longer term basis to deal with daily performance management and operations, emerging crises, strategic planning, process improvement and change management, investigations, defending litigation, audits, investigations or other enforcement challenges, government affairs and public policy. Well-known for her extensive work with health care, insurance and other highly regulated entities on corporate compliance, internal controls and risk management, her clients range from highly regulated entities like employers, contractors and their employee benefit plans, their sponsors, management, administrators, insurers, fiduciaries and advisors, technology and data service providers, health care, managed care and insurance, financial services, government contractors and government entities, as well as retail, manufacturing, construction, consulting and a host of other domestic and international businesses of all types and sizes. Common engagements include internal and external workforce hiring, management, training, performance management, compliance and administration, discipline and termination, and other aspects of workforce management including employment and outsourced services contracting and enforcement, sentencing guidelines and other compliance plan, policy and program development, administration, and defense, performance management, wage and hour and other compensation and benefits, reengineering and other change management, internal controls, compliance and risk management, communications and training, worker classification, tax and payroll, investigations, crisis preparedness and response, government relations, safety, government contracting and audits, litigation and other enforcement, and other concerns.

A Fellow in the American College of Employee Benefit Counsel, Ms. Stamer uses her deep and highly specialized knowledge and experience to help employers and other employee benefit plan sponsors; health, pension and other employee benefit plans, their fiduciaries, administrators and service providers, insurers, and others design legally compliant, effective compensation, health and other welfare benefit and insurance, severance, pension and deferred compensation, private exchanges, cafeteria plan and other employee benefit, fringe benefit, salary and hourly compensation, bonus and other incentive compensation and related programs, products and arrangements. She is particularly recognized for her leading edge work, thought leadership and knowledgeable advice and representation on the design, documentation, administration, regulation and defense of a diverse range of self-insured and insured health and welfare benefit plans including private exchange and other health benefit choices, health care reimbursement and other “defined contribution” limited benefit, 24-hour and other occupational and non-occupational injury and accident, ex-patriate and medical tourism, onsite medical, wellness and other medical plans and insurance benefit programs as well as a diverse range of other qualified and nonqualified retirement and deferred compensation, severance and other employee benefits and compensation, insurance and savings plans, programs, products, services and activities. As a key element of this work, Ms. Stamer works closely with employer and other plan sponsors, insurance and financial services companies, plan fiduciaries, administrators, and vendors and others to design, administer and defend effective legally defensible employee benefits and compensation practices, programs, products and technology. She also continuously helps employers, insurers, administrative and other service providers, their officers, directors and others to manage fiduciary and other risks of sponsorship or involvement with these and other benefit and compensation arrangements and to defend and mitigate liability and other risks from benefit and liability claims including fiduciary, benefit and other claims, audits, and litigation brought by the Labor Department, IRS, HHS, participants and beneficiaries, service providers, and others. She also assists debtors, creditors, bankruptcy trustees and others assess, manage and resolve labor and employment, employee benefits and insurance, payroll and other compensation related concerns arising from reductions in force or other terminations, mergers, acquisitions, bankruptcies and other business transactions including extensive experience with multiple, high-profile large scale bankruptcies resulting in ERISA, tax, corporate and securities and other litigation or enforcement actions. In the course of this work, Ms. Stamer has accumulated an impressive resume of experience advising and representing clients on HIPAA and other privacy and data security concerns. The scribe for the American Bar Association (ABA) Joint Committee on Employee Benefits annual agency meeting with the Department of Health & Human Services Office of Civil Rights for several years, Ms. Stamer has worked extensively with health plans, health care providers, health care clearinghouses, their business associates, employer and other sponsors, banks and other financial institutions, and others on risk management and compliance with HIPAA and other information privacy and data security rules, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and enforcement, and a host of other related concerns. Her clients include public and private health plans, health insurers, health care providers, banking, technology and other vendors, and others. Beyond advising these and other clients on privacy and data security compliance, risk management, investigations and data breach response and remediation, Ms. Stamer also advises and represents clients on OCR and other HHS, Department of Labor, IRS, FTC, DOD and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. She also is the author of numerous highly acclaimed publications, workshops and tools for HIPAA or other compliance including training programs on Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.

Ms. Stamer also is deeply involved in helping to influence the Affordable Care Act and other health care, pension, social security, workforce, insurance and other policies critical to the workforce, benefits, and compensation practices and other key aspects of a broad range of businesses and their operations. She both helps her clients respond to and resolve emerging regulations and laws, government investigations and enforcement actions and helps them shape the rules through dealings with Congress and other legislatures, regulators and government officials domestically and internationally. A former lead consultant to the Government of Bolivia on its Social Security reform law and most recognized for her leadership on U.S. health and pension, wage and hour, tax, education and immigration policy reform, Ms. Stamer works with U.S. and foreign businesses, governments, trade associations, and others on workforce, social security and severance, health care, immigration, privacy and data security, tax, ethics and other laws and regulations. Founder and Executive Director of the Coalition for Responsible Healthcare Policy and its PROJECT COPE: the Coalition on Patient Empowerment and a Fellow in the American Bar Foundation and State Bar of Texas, Ms. Stamer annually leads the Joint Committee on Employee Benefits (JCEB) HHS Office of Civil Rights agency meeting and other JCEB agency meetings. She also works as a policy advisor and advocate to many business, professional and civic organizations.

Beyond these involvements, Ms. Stamer also is active in the leadership of a broad range of other professional and civic organizations. For instance, Ms. Stamer presently serves on an American Bar Association (ABA) Joint Committee on Employee Benefits Council representative; Vice President of the North Texas Healthcare Compliance Professionals Association; Immediate Past Chair of the ABA RPTE Employee Benefits & Other Compensation Committee, its current Welfare Benefit Plans Committee Co-Chair, on its Substantive Groups & Committee and its incoming Defined Contribution Plan Committee Chair and Practice Management Vice Chair; Past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and a current member of its Healthcare Coordinating Council; current Vice Chair of the ABA TIPS Employee Benefit Committee; the former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division; on the Advisory Boards of InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications. She also previously served as a founding Board Member and President of the Alliance for Healthcare Excellence, as a Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; the Board President of the early childhood development intervention agency, The Richardson Development Center for Children; Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee; a member of the Board of Directors of the Southwest Benefits Association. For additional information about Ms. Stamer, see here or contact Ms. Stamer directly by email here or by telephone at (469) 767-8872.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested reviewing other Solutions Law Press, Inc.™ resources at www.solutionslawpress.com such as:

Comments Off on Employers, Insurers & TPAS: Budget Time, $ For 2017 Summary of Benefits and Coverage Updates | ACA, Affordable Care Act, Employee Benefits, Employer, Employers, Employment, ERISA, Excise Taxes, Fiduciary Responsibility, health benefit, Health Benefits, Health Care Reform, health insurance, health insurance marketplace, health plan, Health Plans, health reform, HR, Human Resources, Insurance, insurers, Internal Controls, Internal Revenue Code, IRC, Patient Empowerment, Patient Protection & Affordable Care Act, Patient Protection and Affordable Care Act, Public Policy, Reporting & Disclosure, SBC, Uncategorized | Tagged: Affordable Care Act, disclosure, Employee Benefits, Employer, Employment, ERISA, Health Insurance, Health Insurer, Health Plans, Patient Protection & Affordable Care Act, SBC, Summary of Benefts and Coverage, tpa | Permalink
Posted by Cynthia Marcotte Stamer

New OCR Guidance Assigns More HIPAA Homework Health Plans, Providers, Business Associates and Employers

March 5, 2014

Think your health plan, health care organization, health care clearinghouse or their business associates has health care privacy covered? Think again.

A series of supplemental guidance issued by the Department of Health & Human Services Office of Civil Rights (OCR) in recent weeks is giving health care providers, health plans, health care clearinghouses (Covered Entities) and their business associates even more to do in reviewing and updating their policies, practices and training for handing protected health information (PHI) beyond bringing their policies and practices into line with OCR’s restatement and update to the Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule (Omnibus Final Rule) OCR published January 25, 2013.

Covered Entities generally have been required to comply with most requirements the Omnibus Final Rule’s restated regulations restating OCR’s regulations implementing the Health Insurance Portability & Accountability Act (HIPAA) Privacy, Security and Breach Notification Rules to reflect HIPAA amendments enacted by the Health Information Technology for Economic and Clinical Health (HITECH) Act since the Omnibus Final Rule took effect on March 26, 2013 and to have updated business associate agreements in place since September 23, 2013. Meanwhile, the Omnibus Final Rule generally has required business associates have updated business associate agreements in place and otherwise to have come into compliance with all of the applicable requirements of the Omnibus Final Rule since September 23, 2013. Although these deadlines are long past, many Covered Entities and business associates have yet to complete the policy, process and training updates required to comply with the rule changes implemented in the Omnibus Final Rule.

Even if a Covered Entity or business associate completed the updates required to comply with the Omnibus Final Rule, however, recent supplemental guidance published by OCR means that most organizations now have even more work to do on HIPAA compliance. This includes the following supplemental guidance on its interpretation and enforcement of HIPAA against Covered Entities and business associates published by OCR since January 1, 2014 alone:

HIPAA Privacy Rule and Sharing Information Related to Mental Health published on
Spanish Language Model Notices of Privacy Practices published on 2/13/14
CLIA Program and HIPAA Privacy Rule; Patients’ Access to Test Reports published on 2/3/14; and
Proposed Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and the National Instant Criminal Background Check System (NICS) published on 1/7/14.

Beyond this 2014 guidance, Covered Entities and their business associates also should look at enforcement actions and data as well as other guidance OCR issued during 2013 after publishing the Omnibus Final Rule such as:

With OCR stepping up both audits and enforcement and penalties for violations higher than ever since the HITECH Act amended HIPAA, Covered Entities and business associates should act quickly to review and update their policies, practices and training to implement any adjustments needed to maintain compliance and manage other risks under these ever-evolving HIPAA standards.

When conducting these efforts, Covered Entities and business associates not only carefully watch for and react promptly to new OCR guidance and enforcement actions, but also document their commitment and ongoing compliance and risk management activities to help support their ability to show their organization maintains the necessary “culture of compliance” commitment needed to mitigate risks in the event of a breach or other HIPAA violation and take well-documented, reasonable steps to encourage their business associates to do the same. When carrying out these activities, most covered entities and business associates also will want to take steps to monitor potential responsibilities and exposures under other federal and state laws like the privacy and data security requirements that often apply to personal financial information, trade secrets or other sensitive data under applicable federal and state laws and judicial precedent.

For Representation, Training & Other Resources

If you need assistance monitoring these and other regulatory policy, enforcement, litigation or other developments, or to review or respond to these or other workforce, benefits and compensation, performance and risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer may be able to help.

Board Certified in Labor & Employment Law, Past Chair of the ABA RPTE Employee Benefit & Other Compensation Arrangements Group, Co-Chair and Past Chair of the ABA RPTE Welfare Plan Committee, Vice Chair of the ABA TIPS Employee Benefit Plans Committee, Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 25 years’ experience advising health plan and employee benefit, insurance, financial services, employer and health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers, health plans, their business associates and other health industry clients to establish and administer medical privacy and other compliance and risk management policies, to health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. The scribe for the ABA JCEB Annual Agency Meeting with the Office of Civil Rights (OCR) for the past several years who has worked on medical and other privacy concerns throughout her career, she regularly designs and presents HIPAA and other risk management, compliance and other training for health plans, employers, health care providers, professional associations and others, defends covered entities and business associates against OCR, FTC and other privacy and data security investigations, serves as special counsel in litigation arising from these concerns and is the author of several highly regarded publications on HIPAA and other privacy and security concerns.

Ms. Stamer also regularly works with OCR, FTC, USSS, FBI and state and local law enforcement on privacy, data security, health care, benefits and insurance and other matters, publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. For instance, Ms. Stamer for the third year will serve as the appointed scribe for the ABA Joint Committee on Employee Benefits Agency meeting with OCR. Her insights on HIPAA risk management and compliance frequently appear in medical privacy related publications of a broad range of health care, health plan and other industry publications Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others. You can get more information about her HIPAA and other experience here.

You can review other recent human resources, employee benefits and internal controls publications and resources and additional information about the employment, employee benefits and other experience of the Cynthia Marcotte Stamer, PC here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile www.cynthiastamer.com or by registering to participate in the distribution of these and other updates on our HR & Employee Benefits Update distributions here including:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or updating your profile here. For important information concerning this communication click here. ©2014 Cynthia Marcotte Stamer. Limited, non-exclusive right to republished granted to Solutions Law Press, Inc. All other rights reserved.

Comments Off on New OCR Guidance Assigns More HIPAA Homework Health Plans, Providers, Business Associates and Employers | Employers, Health Plans, HIPAA, Human Resources, Insurance | Tagged: Affordable Care Act, Business Associate, cost sharing, Data Security, group health plan, Health Insurance, Health Insurer, Health Plan, HIPAA, Insurer, OCR, Privacy | Permalink
Posted by Cynthia Marcotte Stamer

Agencies Clarify Applicability of ACA Out-Of-Pocket Versus Deductible Cost Sharing Limitations

March 4, 2014

Non-grandfathered self-insured and large group health plans must comply with the out-of-pocket limits in 2014 but pending further guidance are excused from the duty to comply with deductible limitations imposed by the cost-sharing limitations of the Patient Protection & Affordable Care Act (ACA) according to new guidance jointly published February 20, 2013 by the Departments of Labor (DOL), Health and Human Services (HHS), and the Treasury (collectively, the “Departments”) in “FAQS About Affordable Care Act Implementation (Part XII)” (hereafter, the “FAQ”). However, the FAQ includes a transitional rule that allows plans to apply separate out-of-pocket maximums to prescription drug coverage and other group health plan for 2014, to allow them time to adjust contracts in response to the requirement.

ACA Cost-Sharing Limits

Public Health Service (PHS) Act § 2707(b), as added by the ACA, requires a group health plan to ensure that any annual cost-sharing imposed under the plan does not exceed the limitations provided for under ACA §§1302(c)(1) and (c)(2). § 1302(c)(1) of ACA requires that group health plans limit out-of-pocket maximums while ACA § 1302(c)(2) limits deductibles for employer-sponsored plans.

ACA Deductible Limits

The FAQ clarifies that pending further guidance, self-insured group health plans and large group health plans currently are not generally required to comply with ACA’s deductible limitations. According to the FAQ, the Departments currently view the deductible limits as generally applicable only to non-grandfathered small group insurance coverage and qualified health plans offered in the small group market. Additionally, the FAQ notes that pursuant to ACA § 1302(c)(2)(C), small group market health insurance coverage may exceed the annual deductible limit if it cannot reasonably reach a given level of coverage (metal tier) without exceeding the deductible limit.

In contrast, the FAQ states about self-insured and large group health plans, the Departments intend to engage in future rule making to implement PHS Act § 2707(b) with respect to self-insured and large group health plans. However, the FAQ reports that the Departments continue to believe that only plans and issuers in the small group market are required to comply with the deductible limit described in ACA § 1302(c)(2).

The Departments invite interested parties to submit comments or other input relative to these deliberations no later than April 22, 2013 to e.ohpsca-2707.ebsa@dol.gov.

Until that rule making is promulgated and effective, however, the FAQ states that a self-insured or large group health plan can rely on the Departments’ stated intention to apply the deductible limits imposed by § 1302(c)(2) of the ACA only on plans and issuers in the small group market. Accordingly, only plans and issuers in the small group market currently must comply with the ACA deductible limitations pending further guidance.

ACA Annual Out-Of-Pocket Maximum

In contrast, the FAQ confirms that all non-exempt, non-grandfathered group health plans – including self-insured and large and small insured group health plans must comply with ACA’s annual limits on out-of-pocket maximums.

The FAQ reaffirms statements in the preamble to the HHS final regulation on standards related to essential health benefits that the Departments read PHS Act § 2707(b) as requiring all non-grandfathered group health plans subject to ACA to comply with the annual limitation on out-of-pocket maximums described in ACA § 1302(c)(1).

While stating all non-grandfathered non-exempt group health plans generally must comply with the out-of-pocket maximum rules, the Departments recognize in the FAQ that the use by many plans of multiple service providers to help administer benefits (such as one third-party administrator for major medical coverage, a separate pharmacy benefit manager, and a separate managed behavioral health organization) may create compliance challenges since separate plan service providers may impose different levels of out-of-pocket limitations and may use different

methods for crediting participants’ expenses against any out-of-pocket maximums. To allow plans time to implement the arrangements to adjust plans and coordinate communications, the FAQ states that only for the first plan year beginning on or after January 1, 2014, where a group health plan or group health insurance issuer uses more than one service provider to administer benefits that are subject to the annual limitation on out-of-pocket maximums under ACA §§ 2707(a) or 2707(b), the Departments will consider the annual limitation on out-of-pocket maximums to be satisfied if the following conditions are satisfied:

The plan complies with the requirements with respect to its major medical coverage (excluding, for example, prescription drug coverage and pediatric dental coverage);
To the extent the plan or any health insurance coverage includes an out-of-pocket maximum on coverage that does not consist solely of major medical coverage (for example, if a separate out-of-pocket maximum applies with respect to prescription drug coverage), such out-of-pocket maximum does not exceed the dollar amounts set forth in ACA § 1302(c)(1); and
The plan complies with existing regulations implementing Mental Health Parity and Addiction Equity Act of 2008 (MHPAEA) which prohibit a group health plan (or health insurance coverage offered in connection with a group health plan) from applying a cumulative financial requirement or treatment limitation, such as an out-of-pocket maximum, to mental health or substance use disorder benefits that accumulates separately from any such cumulative financial requirement or treatment limitation established for medical/surgical benefits.

Accordingly, while the FAQ generally allows plans using separate vendors to separately apply out-of-pocket maximums to prescription drug coverage from medical benefits generally, this is not allowed to be accomplished where the effect would be to impose an annual out-of-pocket maximum on all medical/surgical benefits and a separate annual out-of-pocket maximum on all mental health and substance use disorder benefits in violation of the MHPAEA.

The FAQ is one of many clarifications and other guidance implementing the ACA Rules. Compliance with these requirements as implemented is critical, as group health plans and insurers, their fiduciaries and sponsors face a myriad of exposures for violating these and other health plan rules. In the case of these and many other federal health plan rules, this includes an often overlooked obligation imposed under Internal Revenue Code § 6039D to self-identify, self-report and pay excises taxes under that provision in the event of a violation, as well as traditionally applicable ERISA exposures for violating federal benefit and coverage mandates. In light of these risks, health insurers, group health plan sponsors, fiduciaries and service providers are urged to act diligently to amend their plans and take other necessary arrangements to administer their programs in accordance with the applicable rules.

For Representation, Training & Other Resources

Board Certified in Labor & Employment Law, Past Chair of the ABA RPTE Employee Benefit & Other Compensation Arrangements Group, Co-Chair and Past Chair of the ABA RPTE Welfare Plan Committee, Vice Chair of the ABA TIPS Employee Benefit Plans Committee, Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 25 years’ experience advising health plan and employee benefit, insurance, financial services, employer and health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers, health plans, their business associates and other health industry clients to establish and administer medical privacy and other compliance and risk management policies, to health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. She regularly designs and presents HIPAA and other risk management, compliance and other training for health plans, employers, health care providers, professional associations and others.

Comments Off on Agencies Clarify Applicability of ACA Out-Of-Pocket Versus Deductible Cost Sharing Limitations | Employers, Health Plans, HIPAA, Human Resources, Insurance | Tagged: Affordable Care Act, cost sharing, group health plan, Health Insurance, Health Insurer, Health Plan, Insurer | Permalink
Posted by Cynthia Marcotte Stamer

IRS To Tax Health Insurers On Assessments To Cover ACA Section 9010 Annual Fee

December 10, 2013

The Internal Revenue Service (IRS) plans to tax insurers in the business of providing health insurance on individuals in the U.S. (Health Insurers) on amounts that the health insurer collects from policyholders to offset a new annual fee that the Patient Protection and Affordable Care Act (ACA) imposes on these insurers.

Section 9010 of ACA imposes an annual fee on insurers as part of its funding provisions. In response to this new obligation, Health Insurers generally are passing along all or part of the expense of paying the mandated annual fee on to customers through various means.

According to Internal Revenue Service guidance scheduled for official publication on December 16, 2013, the IRS will require Health Insurers to include amounts collected by the insurer to offset the annual fee cost in income for purposes of determining federal tax liability. Revenue Ruling 2013-27 says that the IRS will require a Health Insurer to include in its gross income amounts it collects from policyholders to offset the cost of the annual fee imposed under ACA Section 9010.

Health insurers will need to take into account that the IRS plans to tax the collected amounts when doing financial forecasting and to make proper arrangements to track, report and pay applicable taxes resulting from the collection of these amounts.

For Assistance or More Information

If you have questions or need help with these or 2014 health plan decision-making or preparation, or with reviewing and updating, administering or defending your group health or other employee benefit, human resources, insurance, health care matters or related documents or practices, please contact the author of this update, Cynthia Marcotte Stamer.

A Fellow in the American College of Employee Benefit Council, immediate past Chair of the American Bar Association (ABA) RPTE Employee Benefits & Other Compensation Group and current Co-Chair of its Welfare Benefit Committee, Vice-Chair of the ABA TIPS Employee Benefits Committee, a council member of the ABA Joint Committee on Employee Benefits, and past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, Ms. Stamer is recognized, internationally, nationally and locally for her more than 25 years of work, advocacy, education and publications on cutting edge health and managed care, employee benefit, human resources and related workforce, insurance and financial services, and health care matters.

A board certified labor and employment attorney widely known for her extensive and creative knowledge and experienced with these and other employment, employee benefit and compensation matters, Ms. Stamer continuously advises and assists employers, employee benefit plans, their sponsoring employers, fiduciaries, insurers, administrators, service providers, insurers and others to monitor and respond to evolving legal and operational requirements and to design, administer, document and defend medical and other welfare benefit, qualified and non-qualified deferred compensation and retirement, severance and other employee benefit, compensation, and human resources, management and other programs and practices tailored to the client’s human resources, employee benefits or other management goals. A primary drafter of the Bolivian Social Security pension privatization law, Ms. Stamer also works extensively with management, service provider and other clients to monitor legislative and regulatory developments and to deal with Congressional and state legislators, regulators, and enforcement officials about regulatory, investigatory or enforcement concerns.

Recognized in Who’s Who In American Professionals and both an American Bar Association (ABA) and a State Bar of Texas Fellow, Ms. Stamer serves on the Editorial Advisory Board of Employee Benefits News, HR.com, Insurance Thought Leadership, Solutions Law Press, Inc. and other publications, and active in a multitude of other employee benefits, human resources and other professional and civic organizations. She also is a widely published author and highly regarded speaker on these matters. Her insights on these and other matters appear in the Bureau of National Affairs, Spencer Publications, the Wall Street Journal, the Dallas Business Journal, the Houston Business Journal, Modern and many other national and local publications. Her widely respected publications and programs include more than 25 years of publications on health plan contracting, design, administration and risk management including a “Managed Care Contracting Guide” published by the American Health Lawyers Association and numerous other works on vendor contracting. You can learn more about Ms. Stamer and her experience, review some of her other training, speaking, publications and other resources, and register to receive future updates about developments on these and other concerns from Ms. Stamer here.

Other Helpful Resources & Other Information

We hope that this information is useful to you. If you found these updates of interest, you also be interested in one or more of the following other recent articles published on the Coalition for Responsible Health Care Reform electronic publication available here, our electronic Solutions Law Press Health Care Update publication available here, or our HR & Benefits Update electronic publication available here . You also can get access to information about how you can arrange for training on “Building Your Family’s Health Care Toolkit,” using the “PlayForLife” resources to organize low-cost wellness programs in your workplace, school, church or other communities, and other process improvement, compliance and other training and other resources for health care providers, employers, health plans, community leaders and others here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail by creating or updating your profile here. You can reach other recent updates and other informative publications and resources.

Recent examples of these publications include:

For important information about this communication click here.

Comments Off on IRS To Tax Health Insurers On Assessments To Cover ACA Section 9010 Annual Fee | Employee Benefits, Employers, Health Plans, HIPAA, Human Resources, Patient Protection and Affordable Care Act | Tagged: ACA, Affordable Care Act, Compensation, Employer, expense reimbursement, Fringe Benefits, health care reformhealth-plans, Health Insurer, health reform, Insurer, IRS 132, medical expense, Mileage, moving expense | Permalink
Posted by Cynthia Marcotte Stamer

CMS Publishes Proposed Consumer Disclosure Notices Detailing Required Health Insurer Rate Increase Justification Disclosures

March 7, 2011

The Centers for Medicare & Medicaid Services (CMS) on March 7, 2011 published proposed consumer disclosure notices that it proposes to require insurers proposing rate increases over 10 percent to electronically file in furtherance of CMS’ implementation of the Affordable Care Act premium rate review regulation published by HHS in December of 2010. The proposed consumer disclosure notices can be found here listed under “CMS-10379.”

Like the premium rate review regulation, the proposed notification requirements would apply to non-grandfathered group or individual insurance plans in the individual and small group markets.

Under the premium rate review regulation, rate increases by insurers for non-grandfathered group or individual health insurance plans that exceed a specified threshold amount are subject to review by either State insurance officials or HHS if the State does not have an effective process for reviewing rates. The proposed threshold for the first year is 10%. After 2011, a state-specific threshold will be set for disclosure of rate increases, using data and trends that better reflect cost trends particular to that state. According to CMS’, the review of rates under the rate review regulation could begin as early as July 2011.

CMS contemplates that the proposed consumer disclosure notices published March 7, 2011 will ‘help consumers know what their insurance companies are proposing while the rate increase requests are being reviewed. The notices would provide some basic information about health insurance rate increases and their review, as well as detailed information about the specific increase that an insurer has proposed. Consumers would also be able to see what the insurance company believes is driving the increase in premiums and how much of the increase would go to profits and administrative expenses. CMS intends to make the information provided by insurers in the notices available to consumers on CMS’ website. According to CMS, once rates begin being reviewed, HHS will work to post information on proposed rates as quickly as possible.

For Help Responding To Affordable Care Act or Other Health Plan Rules

The proposed premium rate review and associated consumer disclosure notice requirements are part of the rapidly evolving federal and state rules, court decisions, enforcement actions and other developments that require quick action by health plans, health insurers and their sponsors and administrators. If you need assistance in auditing or assessing, updating or defending your health plan or policies, documents, practices or conduct, or other labor and employment, employee benefit, compensation, privacy and data security, or other related practices, please contact the author of this update, attorney Cynthia Marcotte Stamer here or at (469)767-8872.

The Chair of the American Bar Association (ABA) RPTE Employee Benefits & Other Compensation Committee, a Council Representative on the ABA Joint Committee on Employee Benefits, Government Affairs Committee Legislative Chair for the Dallas Human Resources Management Association, and past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, Ms. Stamer works, publishes and speaks extensively on Affordable Care Act and other health and other employee benefit, insurance, human resources and health care matters.

Nationally and internationally known for her leading edge work on health benefit and insurance matters, Ms. Stamer has counseled, represented and trained employers and other employee benefit plan sponsors, plan administrators and fiduciaries, insurers and financial services providers, third party administrators, human resources and employee benefit information technology vendors and others privacy and data security, fiduciary responsibility, plan design and administration and other compliance, risk management and operations matters for more than 23 years. She also is recognized for her publications, industry leadership, workshops and presentations on health benefit reform and other related health and pension, human resources, insurance, privacy and health care concerns. She also regularly conducts training on these and other related matters for a broad range of organizations including the Association of State and Territorial Healthcare Organizations (ASTHO), the Los Angeles County Health Department, a multitude of health plans and their sponsors, health care providers, the American Bar Association, SHRM, the Society for Professional Benefits Administrators and many others Her insights on these and other matters appear in the Bureau of National Affairs, Spencer Publications, the Wall Street Journal, the Dallas Business Journal, the Houston Business Journal, and many other national and local publications. For additional information about Ms. Stamer and her experience or to access other publications by Ms. Stamer see here or contact Ms. Stamer directly.

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press resources including:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile at here or e-mailing this information here. To unsubscribe, e-mail here.

Comments Off on CMS Publishes Proposed Consumer Disclosure Notices Detailing Required Health Insurer Rate Increase Justification Disclosures | Affordable Care Act, Employers, Health Plans, Human Resources, Insurance, Patient Empowerment, Patient Protection and Affordable Care Act, Public Policy, Reporting & Disclosure | Tagged: Affordable Care Act, Consumer Disclosure Notices, Health Insurer, Health Plans, non-grandfathered plans, Premium Rate Review | Permalink
Posted by Cynthia Marcotte Stamer

Agencies Invite Public To Share Input About Insurer Obligation To Report About Health Premium Use Under Health Care Reform Law

April 14, 2010

April 15, 2010

By Cynthia Marcotte Stamer

The Departments of Treasury (IRS), Labor (DOL) and Health & Human Services (HHS) are inviting public comments in advance of future rulemaking on impending new federal requirements that will obligate health insurance issuers offering individual or group medical coverage to send annual reports to HHS on the percentages of premiums that the coverage spends on reimbursement for clinical services and activities that improve health care quality, and to provide rebates to enrollees if this spending does not meet minimum standards for a given plan year added as Section 2718 of the Public Health Service Act (PHS Act) by the Patient Protection and Affordable Care Act (PPACA), Public Law 111-148, enacted on March 23, 2010.

Among other things, the new requirements in Section 2718 of the PHS Act, Section 715 of the Employee Retirement Income Security Act of 1974 (ERISA) and Section 9815 of the Internal Revenue Code of 1986 (the Code) will require health insurance issuers offering group or individual coverage to report to HHS annually:

The ratio of the incurred loss (or incurred claims) plus the loss adjustment expense (or change in contract reserves) to earned premiums (also known as the medical loss ratio (MLR)); and
The percentage of total premium revenue–after accounting for collections or receipts for risk adjustment and risk corridors and payments of reinsurance–that the coverage spends: (1) on reimbursement for clinical services provided to enrollees; (2) for activities that improve health care quality; and (3) on all other non-claims costs, including an explanation of the nature of these costs, and excluding Federal and State taxes and licensing or regulatory fees.

PPACA also requires that HHS make these reports available to the public on the Internet Web site of HHS. To review the request for comments and its instructions for commenting on the new requirements, see here.

For Added Information or Assistance

If your organization need advice or help with these or other health benefit, labor and employment, employee benefits, compensation or related matters, consider contacting Cynthia Marcotte Stamer at (469) 767-8872 or via e-mail here.

Board Certified in Labor and Employment Law by the Texas Board of Legal Specialization, Chair of the American Bar Association (ABA) Real Property, Probate & Trust Section Employee Benefits & Other Compensation Arrangements Group, a Council Member of the ABA Joint Committee On Employee Benefits Council, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, Vice President of the North Texas Health Care Compliance Professionals Association, and Exempt Organization Vice-Coordinator of the Southern States IRS TEGE Council, , Ms. Stamer has extensive experience advising and representing management about labor and employment, employee benefits, compensation and other related management matters. A nationally recognized author and lecturer, Ms. Stamer also speaks and writes extensively on these and other related matters. For additional information about Ms. Stamer and her experience or to access other publications by Ms. Stamer see here or contact Ms. Stamer directly.

Other Information & Resources

We hope that this information is useful to you. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here or e-mailing this information here or registering to receive future editions of our Solutions Law Press HR & Benefits Update distributions here. Examples of other recent updates that may be of interest include:

For important information about this communication click here. If you do not wish to receive these updates in the future, send an e-mail with the word “Remove” in the Subject here.

Comments Off on Agencies Invite Public To Share Input About Insurer Obligation To Report About Health Premium Use Under Health Care Reform Law | Health Plans, Insurance | Tagged: Health Care Reform, Health Insurance Issuer, Health Insurer, Health Plans, Patient Protection and Affordable Care Act, PPACA | Permalink
Posted by Cynthia Marcotte Stamer

$300,000+ Settlement Warns Health Plans, Other Covered Entities To Ensure Proper PHI Disposal

More Information

About the Author

About Solutions Law Press, Inc.™

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Record $16M Anthem HIPAA Settlement Signals Need to Tighten Your Health Plan HIPAA Compliance & Risk Management

Latest HIPAA Resolution Agreement Drives Home Importance Of Maintaining Current, Signed Business Associate Agreements

Health Plans & Other HIPAA Entities Should Learn From $2.75M UMMC HIPAA Settlement

Employers, Insurers & TPAS: Budget Time, $ For 2017 Summary of Benefits and Coverage Updates

IRS To Tax Health Insurers On Assessments To Cover ACA Section 9010 Annual Fee

CMS Publishes Proposed Consumer Disclosure Notices Detailing Required Health Insurer Rate Increase Justification Disclosures

Agencies Invite Public To Share Input About Insurer Obligation To Report About Health Premium Use Under Health Care Reform Law

Email Subscription

Pages

Recent Posts

Archives

Share this blog

Blogroll

Solutions Law

Solutions Law Press HR & Benefits Update