Another Large HIPAA Settlement Warns Health Plans & Other HIPAA Entities To Analyze & Manage Their Hacking & Other Data Susceptibilities

April 24, 2025

Conduct an appropriate risk analysis and take the required steps to protect your electronic health records from phishing and other hacking threats by conducting a thorough risk analysis and otherwise cleaning up your Health Insurance Portability and Accountability Act of 1996 compliance!  That’s the clear message to the Department of Health and Human Services Office of Civil Rights (“OCR”) warns health plans and insurers, health care providers, health care clearinghouses (“Covered Entities”) and their business associates (collectively “Regulated Entities”) to learn from the $600,000 HIPAA Privacy, Security, and Breach Notification Rules (“HIPAA Rules”) settlement with Southern California health care network PIH Health, Inc. (“PIH”) the Department of Health & Human Services Office of Civil Rights (“OCR”) announced on April 23, 2025 and the deluge of other ongoing hacking-related HIPAA investigations OCR still is working to resolve.

Phishing & Other Hacking Events Common Cause of Health Plan Breaches

Hacking incidents present a significant cybersecurity threat to health plans and other Regulated Entities’ electronic health and other data.  Phishing and other hacking attacks are among the most common types of large breaches reported to OCR every year. Over the past five years, there has been a 256% increase in large breaches reported to OCR involving hacking and a 264% increase in ransomware. In 2023, hacking accounted for 79% of the large breaches reported to OCR. 

Phishing and other hacking-related breaches regularly result in OCR’s collection of high-dollar settlements and other costly enforcement actions against health plans and other Regulated Entities. See e.g., HHS Office for Civil Rights Settles with L.A. Care Health Plan Over Potential HIPAA Security Rule Violations (September 11, 2023); Voluntary Resolution Agreement Between The United States Department of Health and Human Services, Office for Civil Rights (“HHS”) and UnitedHealthcare Insurance Company (August 24, 2023); Aetna Pays $1,000,000 to Settle Three HIPAA Breaches (October 28, 2020); Health Insurer Pays $6.85 Million to Settle Data Breach Affecting Over 10.4 Million People (September 25, 2020); nthem pays OCR $16 Million in record HIPAA settlement following largest health data breach in history (October 15, 2018).

The breach and enforcement actions are continuing in 2025. OCR already has announced numerous hacking-related settlements in the first quarter of 2025. See HHS Office for Civil Rights Settles HIPAA Ransomware Cybersecurity Investigation with Public Hospital (April 17, 2025); HHS Office for Civil Rights Settles HIPAA Security Rule Investigation with Northeast Radiology (April 4, 2025); HHS’ Office for Civil Rights Settles HIPAA Security Rule Investigation with Health Fitness Corporation (March 21, 2025); HHS Office for Civil Rights Imposes a $200,000 Penalty Against Oregon Health & Science University; HHS Office for Civil Rights Imposes a $1,500,000 Civil Money Penalty Against Warby Parker in HIPAA Cybersecurity Hacking Investigation (February 20, 2025); HHS Office for Civil Rights Settles HIPAA Phishing Cybersecurity Investigation with Solara Medical Supplies, LLC for $3,000,000 (January 14, 2025); HHS Office for Civil Rights Settles 9th Ransomware Investigation with Virtual Private Network Solutions (January 7, 2025).

Look for more of these enforcement actions to emerge soon. Between January 1 and April 23, 2025 alone, OCR received 161 hacking-related breach reports from Regulated Entities. OCR’s Breach Portal indicates that on April 23, 2025, OCR had a total of 554 open hacking-related breach investigations, 506 involving health care providers, 47 involving health plans, and one involving a health care clearinghouse.

Health plans and other Regulated Entities will want to take appropriate actions to avoid becoming subject to breaches subjecting them to these investigations and enforcement actions, particularly with OCR Acting Director Anthony Archeval warninghealth plans and other Regulated Entities:

Ransomware and hacking are the primary cyber-threats to electronic protected health information within the health care industry. Failure to conduct a HIPAA risk analysis puts this information at risk and vulnerable to future ransomware attacks and other cyber-threats[.]

Duty To Analyze & Manage Hacking & Other Susceptibilities

The HIPAA Privacy, Security, and Breach Notification Rules require Regulated Entities to take specific actions as warranted by their threat susceptibility to protect the privacy and security of electronic protected health information (“ePHI”) from hacking and other improper access, destruction, or disclosure. At the heart of these requirements is the requirement that health plans and other Regulated Entities conduct documented risk analyses of their assessment of the susceptibility information of their ePHI to hacking and other threats. As reflected in the following table of current HIPAA sanctions, violation of these HIPAA requirements exposes a Regulated Entity to significant civil monetary penalties or criminal sanctions.

The HIPAA Security Rule requires a Regulated Entity to conduct an “accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI” and “[i]mplement policies and procedures to prevent, detect, contain, and correct security violations.” Meanwhile, the HIPAA Breach Notification Rule requires in 45 CFR § 164.402 that a Regulated Entity that experiences an impermissible acquisition, access, use, or disclosure (“breach”) of unsecured ePHI to conduct a documented risk assessment to determine whether the Regulated Entity must notify affected individuals, OCR and in the case of breaches involving the ePHI of 500 or more individuals, the media. OCR interprets these Rules together also to require Regulated Entities experiencing a breach of ePHI or having evidence putting the Regulated Entity on notice of a potential susceptibility creating a risk of a breach as triggering a duty by the Regulated Entity to conduct a Risk Assessment to assess the susceptibility of its ePHI to the risk and the actions reasonably necessary to mitigate it under the Security Rule.

OCR views Risk Analysis as foundational to the protection of ePHI. Consequently, OCR constantly has urged Regulated Entities to fulfill their Risk Analysis obligations since the earliest days of HIPAA in its guidance and educational outreach, as well as by regularly discussing the requirement and role of Risk Analysis deficiencies in creating the circumstances leading to enforcement actions against Regulated Entitles in its civil monetary penalty assessments and HIPAA settlement announcements.

Despite OCR’s constant and ever-rising efforts to promote compliance with the Risk Analysis requirements, however, OCR consistently has found deficiencies in Regulated Entities’ Risk Analysis in its breach investigations and audit findings since these rules became effective. As the number and magnitude of reported breaches of ePHI skyrocketing and massive breaches like those experienced in 2024 by UnitedHealthcare subsidiary Change Health, Ascension and others demonstrating the serious consequences ransomware and other cyberattacks can inflict on health care delivery, payment, and patient privacy, OCR is placing new emphasis on tightening both the requirements for Risk Analysis and its enforcement of compliance with the Risk Analysis requirements.

Look for OCR both to continue zealously to enforce the Risk Analysis and other HIPAA Security Rule compliance and to tighten thesed requirements. On December 27, 2024, for instance, OCR published a notice of proposed rulemaking that proposes to clarify and tighten significantly the Risk Analysis requirements and other elements of the HIPAA Security Rule. Along with proposing these heightened Risk Analysis requirements, OCR announced and now is zealously enforcing the current Risk Analysis requirements through its Risk Analysis Initiative to hold Regulated Entities accountable for failing to fulfill their Risk Analysis responsibilities as part of its heightened efforts to improve Regulated Entities’ fulfillment of their Risk Analysis obligations. Prior to its announcement of the PIH settlement, OCR in recent months announced seven Risk Analysis Initiative settlements, including three in April. 

Breaches & Other Security Rule Violations Carry Substantial Liability Risks

TierCivil Penalties[1]Criminal Penalties
1Lack of Knowledge: $141 – $71,162 per violationReasonable Cause or No Knowledge of Violation: Up to 1 year imprisonment
2Reasonable Cause: $1,424 – $71,162 per violationPHI Obtained Under False Pretenses: Up to 5 years imprisonment
3Willful Neglect (corrected within 30 days): $14,232 – $71,162 per violationPHI Obtained for Personal Gain or with Malicious Intent: Up to 10 years imprisonment
4Willful Neglect (not corrected within 30 days): $71,162 – $2,134,831 per violation 

Most Regulated Entities that OCR accused of violating the HIPAA requirements avoid paying the full amount of authorized civil monetary penalties by accepting OCR settlement offers. As the $600,000 PIH and other settlements demonstrate, however, settlement with OCR allows Regulated Entities to avoid much greater potential civil monetary penalties by paying a much smaller, but still generally significant, settlement amount. As significant as these penalties and settlement costs are, they typically reflect only a small portion of the true cost organizations suffer from a breach. With the average financial consequences suffered by organizations that experience a data breach now approaching $5 million, costs of investigation and recovery from a breach and the associated operational and business disruptions experienced inflict a heavy toll even where OCR allows the health plan or other Regulated Entity to resolve its exposures with no financial settlement or penalty.

Breaches & Other Security Rule Violations Create Substantial Liability For Plans & Their Fiduciaries

While health plan breach notifications generally have lagged far behind provider notifications in number, reported health plan breaches generally have resulted the largest civil monetary penalty or resolution payments largely due to the massive number of individuals affected by these breaches. See e.g., HHS Office for Civil Rights Settles with L.A. Care Health Plan Over Potential HIPAA Security Rule Violations (September 11, 2023); Voluntary Resolution Agreement Between The United States Department of Health and Human Services, Office for Civil Rights (“HHS”) and UnitedHealthcare Insurance Company (August 24, 2023);  Health Insurer Pays $5.1 Million to Settle Data Breach Affecting Over 9.3 Million People (January 15, 2021); Aetna Pays $1,000,000 to Settle Three HIPAA Breaches (October 28, 2020); Health Insurer Pays $6.85 Million to Settle Data Breach Affecting Over 10.4 Million People (September 25, 2020); Health Insurer Pays $6.85 Million to Settle Data Breach Affecting Over 10.4 Million People (September 25, 2020); HIPAA Business Associate Pays $2.3 Million to Settle Breach Affecting Protected Health Information of Over 6 million Individual (September 23, 2020); Anthem pays OCR $16 Million in record HIPAA settlement following largest health data breach in history (October 15, 2018);  Record $16M Anthem HIPAA Settlement Signals Need To Tighten HIPAA Compliance & Risk Management

PIH Third Hacking Settlement In April

Although OCR’s PIH settlement announcement does not label the settlement as a Risk Analysis Initiative, OCR’s discussion makes clear OCR considered PIH’s failure to fulfill the Risk Analysis requirements a core failure contributing to the breach. The PIH settlement resolves an investigation that OCR conducted after receiving a breach report from PIH in January 2020 about a June 2019 phishing attack.  The report stated the attack compromised forty-five of its employees’ email accounts, resulting in the breach of 189,763 individuals’ unsecured ePHI. PIH reported that the ePHI disclosed in the phishing attack included affected individuals’ names, addresses, dates of birth, driver’s license numbers, Social Security numbers, diagnoses, lab results, medications, treatment and claims information, and financial information.

OCR’s investigation found multiple potential violations of the HIPAA Rules, including:

  • Failure to use or disclose protected health information only as permitted or required by the HIPAA Privacy Rule.
  • Failure to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by PIH.
  • Failure to notify affected individuals, the HHS Secretary, and the media of a breach of unsecured protected health information within 60 days of its discovery.

Under the terms of the resolution agreement, PIH has agreed to implement a corrective action plan that OCR will monitor for two years and pay a $600,000 settlement to OCR. Under the corrective action plan, PIH is obligated to take definitive steps toward resolving potential violations of the HIPAA Rules, including:

  • Conducting an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI.
  • Developing and implementing a risk management plan to address and mitigate security risks and vulnerabilities identified in its risk analysis.
  • Developing, maintaining, and revising, as necessary, its written policies and procedures to comply with the HIPAA Rules.
  • Training its workforce members who have access to PHI on its HIPAA policies and procedures.

The findings of deficiencies in PIH’s risk analysis and requirements that PIH conduct an accurate and thorough risk analysis and implement a risk management plan to address and mitigate identified security risks and vulnerabilities are a recurrent theme in OCR breach investigations.   OCR’s recent addition of a Risk Analysis Initiative to its compliance and enforcement priorities heightens the significance of OCR’s inclusion of these findings and requirements in the PIH settlement.

Previous Health Plan Enforcement Actions Confirms Health Plan Face Similar HIPAA Exposures

In January 2021, for instance, OCR announced New York health insurer, Excellus Health Plan, Inc., would pay $5.1 million to settle potential HIPAA violations related to a breach affecting over 9.3 million people.  The settlement resulted from OCR’s investigation of a September 9, 2015, breach report that cyber-attackers gained unauthorized access to its information technology systems.  Excellus Health Plan reported that the breach began on or before December 23, 2013, and ended on May 11, 2015.  The hackers installed malware and conducted reconnaissance activities that ultimately resulted in the impermissible disclosure of the protected health information of more than 9.3 million individuals, including their names, addresses, dates of birth, email addresses, Social Security numbers, bank account information, health plan claims, and clinical treatment information. The resolution payment is the second largest collected by OCR to date.

In October, 2020, OCR announced a resolution agreement with Aetna Life Insurance Company and affiliated covered entity (Aetna) where Aetna paid a $1 million resolution payment to settle potential HIPAA violations that arose from Aetna’s filing of hacking related breach reports in 2017 and OCR’s September 2021 announcement of a resolution agreement where Premera Blue Cross (PBC) agreed to pay $6.85 million to OCR (the second largest in OCR history) to settle potential HIPAA violations related to a breach affecting over 10.4 million people. This resolution represents the third largest payment to resolve a HIPAA investigation in OCR history.

In each of these and all subsequent breach enforcement announcements and other guidance, OCR also persistently urges health plans and other regulated entities to perform the required documented risk assessments and take the required actions necessary to guard their ePHI from hackers and other susceptibilities.

Required & Recommended Actions To Promote Defensibility Of Risk Analysis Compliance  

With cyberattacks targeting health care and other Regulated Entities soaring and OCR stepping up its scrutiny of Regulated Entities’ Risk Analysis compliance in audits and enforcement actions, each health care provider and other Regulated Entity should review and tighten its Risk Analysis practices and documentation to reduce its susceptibility to potential breaches and to promote its ability to defend its compliance with the Risk Analysis requirements in the event of a breach investigation or audit.

Fulfill Current Risk Analysis Standards

To fulfill the “Risk Analysis” implantation specification, the Security Management Process Standard requires Regulated Entities enforce appropriate administrative, physical, and technical safeguards for the confidentiality, integrity, and security of electronic protected health information (“ePHI”) based on an up-to-date conduct of an up-to-date accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by that organization (“Risk Analysis”).

The Security Rule requires Regulated Entities to document each Risk Analysis in writing, to keep Risk Analysis documentation for six years, and to provide Risk Analysis documentation to OCR upon request.

Among other things, the Risk Analysis implementation standard requires regulated entities adequately to:

  • Identify where ePHI is located in the organization, including how ePHI enters, flows through, and leaves the organization’s information systems.
  • Integrate Risk Analysis and risk management into the organization’s business processes.
  • Ensure that audit controls are in place to record and examine information system activity.
  • Implement regular reviews of information system activity.
  • Utilize mechanisms to authenticate information to ensure only authorized users are accessing ePHI.
  • Encrypt ePHI in transit and at rest to guard against unauthorized access to ePHI when appropriate.
  • Incorporate lessons learned from incidents into the organization’s overall security management process.
  • Provide workforce members with regular HIPAA training that is specific to the organization and to the workforce members’ respective job duties.
Follow Proposed Rules & Enforcement Actions To Mitigate Risks

The proposed rule published by OCR on December 27, 2024, seeks to clarify and expand the original requirements of the Risk Assessment implementation standard based on OCR’s past HIPAA Security and Breach Rule investigation and enforcement experience.  Under the proposed rule, a Regulated Entity’s Risk Analysis also would be required to include:

  • Require the development and revision of a technology asset inventory and a network map that illustrates the movement of ePHI throughout the regulated entity’s electronic information system(s) on an ongoing basis, at least once every 12 months and in response to a change in the regulated entity’s environment or operations that may affect ePHI.
  • Require greater specificity for conducting a risk analysis, including a written assessment that contains, among other things:
    • A review of the technology asset inventory and network map;
    • Identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI;
    • Identification of potential vulnerabilities and predisposing conditions to the regulated entity’s relevant electronic information systems;
    • An assessment of the risk level for each identified threat and vulnerability, based on the likelihood that each identified threat will exploit the identified vulnerabilities; and
    • A review of the technology asset inventory and network map.

Other changes included in the proposed rule would further heighten the Risk Analysis and other Security Standard requirements for Regulated Entities. For instance, the proposed rule would require Regulated Entities:

  • To establish written procedures to restore the loss of certain relevant electronic information systems and data within 72 hours;
  • To perform an analysis of the relative criticality of their relevant electronic information systems and technology assets to determine the priority for restoration;
  • To establish written security incident response plans and procedures documenting how workforce members are to report suspected or known security incidents and how the regulated entity will respond to suspected or known security incidents;
  • To implement written procedures for testing and revising written security incident response plans;
  • To conduct a compliance audit at least once every 12 months to ensure their compliance with the Security Rule requirements;
  • To require business associates to verify at least once every 12 months for covered entities (and that business associate contractors verify at least once every 12 months for business associates) that they have deployed technical safeguards required by the Security Rule to protect ePHI through a written analysis of the business associate’s relevant electronic information systems by a subject matter expert and a written certification that the analysis has been performed and is accurate;
  • To encrypt ePHI at rest and in transit, with limited exceptions;
  • To establish and deploy technical controls for configuring relevant electronic information systems, including workstations, in a consistent manner including deployment of anti-malware protection, removal of extraneous software, and disabling network ports in accordance with the regulated entity’s risk analysis;
  • Use of multi-factor authentication, with limited exceptions;
  • Vulnerability scanning at least every six months and penetration testing at least once every 12 months;
  • Network segmentation;
  • Separate technical controls for backup and recovery of ePHI and relevant electronic information systems;
  • To review and test the effectiveness of certain security measures at least once every 12 months, in place of the current general requirement to maintain security measures;
  • Business associates to notify covered entities (and subcontractors to notify business associates) upon activation of their contingency plans without unreasonable delay, but no later than 24 hours after activation;
  • Group health plans to include in their plan documents requirements for their group health plan sponsors to: comply with the administrative, physical, and technical safeguards of the Security Rule; ensure that any agent to whom they provide ePHI agrees to implement the administrative, physical, and technical safeguards of the Security Rule; and notify their group health plans upon activation of their contingency plans without unreasonable delay, but no later than 24 hours after activation.

To help Regulated Entities understand and fulfill these responsibilities, OCR alone and in conjunction with the Office of the National Coordinator for Health Information Technology (“ONC”) also has published guidance like the HIPAA Security Risk Assessment (SRA) Tool.  OCR guidance reflects that fulfillment of the Tool can help Regulated Entities may help defend but does not guarantee fulfillment of the Risk Assessment requirements, as the adequacy of the Risk Assessment always depends upon the unique facts and circumstances of the Regulated Entity at a particular time.  This guidance confirms the importance of conducting timely and appropriate Risk Analysis in a manner that shows the Regulated Entity appropriately evaluated the risks to its e-PHI and acted reasonably in designing, administering, and updating that Risk Analysis to reasonably defend its e-PHI against breaches or other susceptibilities.

Since OCR’s guidance makes clear that the adequacy of a Regulated Entity’s Risk Analysis and other HIPAA Security compliance based on its evaluation and response to known and suspected susceptibility threats as conducted and documented pursuant to the Risk Analysis rule, health care providers and other Regulated Entities should view Risk Analysis as an ongoing process. While the Security Rule does not currently dictate how frequently a regulated entity must perform Risk Analysis, a proposed rule published by OCR on December 27, 2024 seeks to amend the existing Security Rule to expand the requirement to require regulated entities to develop and revise a technology asset inventory and a network map that illustrates the movement of ePHI throughout the regulated entity’s electronic information system(s) on an ongoing basis, at least once every 12 months and in response to a change in the regulated entity’s environment or operations that may affect ePHI.  Although OCR has not officially adopted this and other changes contained in the proposed rule, substantial evidence exists that it already regularly administers the Risk Analysis requirement with the expectation that regulated entities will perform Risk Analysis at least this frequently. For instance, current OCR resolution agreements require impacted organizations to conduct Risk Analysis to identify and address vulnerabilities at least annually, and more frequently as needed in response to signs of potential breach or susceptibility. Likewise, since OCR developed the proposed rule from its past enforcement experience, wise Regulated Entities also will recognize the value of drawing upon the changes set forth in the proposed rule for helpful insights to strengthen the security of their ePHI generally and promoting the defensibility of the adequacy of their Risk Assessments.

Additional Responsibilities & Risks For Health Plan Fiduciaries & Sponsors

Along side the OCR warnings, employment and union sponsored health plans, their sponsors, insurers, business associates and fiduciaries also now face additional pressure to take appropriate steps to security health plan data and timely investigate and report breaches.

prudent steps to secure their health plans’ protected health information and electronic data systems against improper use, access, destruction or disclosure under April, 2021 Employee Benefit Security Administration (“EBSA”) guidance package that for the first time officially recognizes cybersecurity as included in the fiduciary responsibilities of employee benefit plan fiduciaries under the Employee Retirement Income Security Act (“ERISA”) and addition of cybersecurity to its plan audits. As a result, in addition to complying with HIPAA, ERISA-covered health plan fiduciaries and sponsors also should be prepared to demonstrate that plan fiduciaries have taken the steps prudently necessary to guard health and other employee benefit plan data and systems against cybersecurity threats. In light of this guidance health plan fiduciaries and sponsors generally will want to ensure that at minimum, they can demonstrate that the health plan and health plan vendor cybersecurity safeguard meet or exceed the recommendations included in the following guidance materials published by EBSA as part of this cybersecurity announcement and any other steps that are prudent to guard against cybersecurity threats:

  • Tips for Hiring a Service Provider: Helps plan sponsors and fiduciaries prudently select a service provider with strong cybersecurity practices and monitor their activities, as ERISA requires.
  • Cybersecurity Program Best Practices: Assists plan fiduciaries and record-keepers in their responsibilities to manage cybersecurity risks.
  • Online Security Tips: Offers plan participants and beneficiaries who check their retirement accounts online basic rules to reduce the risk of fraud and loss.

In light of this OCR and EBSA guidance, health plan sponsors, fiduciaries and vendors and other HIPAA covered entities and business associates are urged to take documented steps to audit and strengthen as needed their safeguards against hacking and other cybersecurity threats including:

  • In the case of any health plan or health plan vendor, taking well documented steps to assess and tighten as necessary their health plan systems and data security to meet or exceed the recommendation outlined in the EBSA cybersecurity guidance or otherwise necessary to prudently guard their plans and plan data and systems against cybersecurity threats.
  • Reviewing and monitoring on a documented, ongoing basis the adequacy and susceptibilities of existing practices, policies, safeguards of their own organizations, as well as their business associates and their vendors within the scope of attorney-client privilege taking into consideration data available from OCR, data regarding known or potential susceptibilities within their own operations as well as in the media, and other developments to determine if additional steps are necessary or advisable.
  • Updating policies, privacy and other notices, practices, procedures, training and other practices as needed to promote compliance and defensibility.
  • Renegotiating and enhancing service provider agreements to detail the specific compliance, audit, oversight and reporting rights, workforce and vendor credentialing and access control, indemnification, insurance, cooperation and other rights and responsibilities of all entities and individuals that use, access or disclose, or provide systems, software or other services or tools that could impact on security; to clarify the respective rights, procedures and responsibilities of each party in regards to compliance audits, investigation, breach reporting, and mitigation; and other relevant matters.
  • Verifying and tightening technological and other tracking, documentation and safeguards and controls to the use, access and disclosure of protected health information and systems.
  • Conducting well-documented training as necessary to ensure that members of the workforce of each covered entity and business associate understand and are prepared to comply with the expanded requirements of HIPAA, understand their responsibilities and appropriate procedures for reporting and investigating potential breaches or other compliance concerns, and understand as well as are prepared to follow appropriate procedures for reporting and responding to suspected
    violations or other indicia of potential security concerns.
  • Tracking and reviewing on a systemized, well-documented basis actual and near miss security threats to evaluate, document decision-making and make timely adjustments to policies, practices, training, safeguards and other compliance components as necessary to identify and resolve risks.
  • Establishing and providing well-documented monitoring of compliance that includes board level oversight and reporting at least quarterly and sooner in response to potential threat indicators.
  • Establishing and providing well-documented timely investigation and redress of reported
    violations or other compliance concerns.
  • Establishing contingency plans for responding in the event of a breach. 
  • Establishing a well-documented process for monitoring and updating policies, practices and other efforts in response to changes in risks, practices and requirements.
  • Preparing and maintaining a well-documented record of compliance, risk, investigation and other security activities.
  • Pursuing other appropriate strategies to enhance the covered entity’s ability to demonstrate its compliance commitment both on paper and in operation.

Because susceptibilities in systems, software and other vendors of business associates, covered entities and their business associates should use care to assess and manage business associate and other vendor associated risks and compliance as well as tighten business associate and other service agreements to promote the improved cooperation, coordination, management and oversight required to comply with the new breach notification and other HIPAA requirements by specifically mapping out these details.

Leaders of covered entities or their business associates also are cautioned that while HIPAA itself does not generally create any private right of action for victims of breach under HIPAA, breaches may create substantial liability for their organizations or increasingly, organizational leaders under state data privacy and breach, negligence or other statutory or common laws.  In addition, physicians and other licensed parties may face professional discipline or other professional liability for breaches violating statutory or ethical standards.  Meanwhile, the Securities and Exchange Commission has indicated that it plans to pursue enforcement against leaders of public health care or other companies that fail to use appropriate care to ensure their organizations comply with privacy and data security obligations and the Employee Benefit Security Administration recently has issued guidance recognizing prudent data security practicces as part of the fiduciary obligations of health plans and their fiduciaries.  

Appropriate Processes Can Prevent Breaches & Enhance Defensibility

With the continued explosion in ransomware and other cyberthreats heightening the risk of experiencing a breach or other incident likely to draw the attention of OCR, each health plan or other Regulated Entity should take assess and confirm the adequacy of their current Risk Analysis, both to protect its ePHI and to promote its ability to defend its compliance with the HIPAA Security Rule’s Risk Analysis and other requirements in light of OCR’s heightened emphasis on Risk Analysis compliance and enforcement. For purposes of conducting this analysis, Regulated Entities generally will want to use a process like the following to structure their evaluation of their existing Risk Analysis to take advantage of the opportunity to use attorney-client privilege and other evidentiary rules to help protect discoverability of sensitive discussions about possible deficiencies in their existing Risk Analysis and discussions about potential tradeoffs considered in current or future Risk Analysis response:

  • Engage legal counsel experienced with HIPAA and other cybersecurity-related risks and liabilities to advise and assist your organization in designing and administering your Risk Analysis processes and response within the scope of attorney-client privilege;
  • Appoint and designate leadership and technical leadership for team responsible for design and administration of your organization’s initial and ongoing cybersecurity Risk Analysis and response (“Cyber-Risk Team”) and process for board and senior management reporting of the Cyber-Risk Team;
  • Select and engage outside consulting service providers, cyber-liability insurers and other risk service providers expected to participate in the process; work with qualified legal counsel to contract with these business associates to include the business associate agreement and other reassurances required by the HIPAA Privacy, Security and Breach Notification Rule and other performances, cooperation to provide and back services in accordance with agreed-upon protocols in the contract;
  • Train Cyber-Risk Team in the appropriate processes for working with internal teams, outside service providers, leadership, and designated legal counsel to conduct Risk Analysis, investigation and response using attorney-client privilege and other evidentiary tools and processes to maximize defensibility;
  • Require the Cyber-Risk Team conduct an updated, document assessment of cyber-risk within scope of attorney-client privilege and work with legal counsel to develop a documented cyber-risk policy that captures analysis and determinations for your justification for the size, scope and timing of your periodic Risk Analysis and rules and processes for interim risk identification, reassessments and response in reaction to potential cyber-risk signs between periodic Risk Analysis for presentation and approval by the Board taking into account the insights from published final and proposed guidance, enforcement actions and industry standards;
  • Require, oversee and enforce Cyber-Risk Team’s documented administration of the initial and subsequently required Risk Analysis and response pursuant to the adopted cyber-risk policy to identify vulnerabilities and work with legal counsel within the scope of privilege to document your analysis and justifications for addressing identified vulnerabilities and other required actions in response to identified susceptibilities or event;
  • Review adequacy of incident detection and response arrangements, including reporting and response mechanisms, insurance and indemnification protection, and other critical elements for mitigation and recovery; and
  • Other actions as warranted based on advice of counsel taking into account emerging threats, guidance, and risk susceptibility.

Although civil monetary penalties or settlements are the most common sanction imposed for HIPAA Security and Breach Notification rule violations, willful and certain other violations of HIPAA can trigger criminal liability subject to the Federal Sentencing Guidelines. Consequently, beyond fulfilling the specific requirements of HIPAA, an adequate Risk Assessment also can be an invaluable tool for helping mitigate Federal Sentencing Guideline exposures of a Regulated Entity and its leaders under the Federal Sentencing Guidelines Organizational Liability rules.

Beyond these specific HIPAA-associated exposures, Regulated Entities and their leaders should keep in mind that HIPAA is likely only one of many laws that define their responsibilities to secure, report, and respond to breaches of ePHI or other sensitive data. Depending on the location, nature and other circumstances, Regulated Entities and their leaders also may have additional responsibilities and liability exposures under a variety of other federal and state laws, ethical or other professional standards, and contractual obligations in addition to those imposed under HIPAA and ERISA. For instance, inadequate data safeguards for ePHI also can trigger liability under the Fair and Accurate Credit Transactions Act, the Federal Trade Commission Act, and various electronic crimes statutes. The Securities and Exchange Commission rules can trigger disclosure and other obligations for publicly traded hospital or other health care providers, insurers, or their business associates. Health care providers, payers and others are likely to face specific additional health care or insurance-specific licensing and ethics rules, as well as other confidential information privacy, cybersecurity and breach reporting obligations and liability under various state statutes and regulations. Regulated Entities and their leaders generally will want to fully evaluate and manage these risks in conjunction with their compliance with the Risk Analysis and other requirements of the HIPAA Security and Breach Notification Rules.

Finally, health plans and other Regulated Entities are reminded that appropriate strategic planning, ongoing diligence in monitoring and responding to security events and susceptibility, and timely and appropriate use of appropriate evidentiary and procedural tools can critically impact the defensibility of pre-breach, breach investigation and post-breach investigation and decision-making. Because HIPAA, EBSA and other rules typically require prompt investigation and response to known or suspected hacking or other cybersecurity threats, health plans and other covered entities or business associates should seek the assistance of experienced legal counsel to advise and assist in these activities to understand the potential availability and proper use of these and other evidentiary rules as part of the compliance planning process as well as to prepare for appropriate use in the event of a known or suspected incident to avoid unintentional compromise of these protections.

The author of this update, Cynthia Marcotte Stamer is nationally known and celebrated for her experience providing advice and representation to health care providers, health insurers, employers and other health plan sponsors, health plans, health plan fiduciaries and administrators, third party administrators, human resources and health plan technology, and other businesses about HIPAA and other compliance, risk management and operational matters. If you have questions or need advice or help evaluating or addressing these or other compliance, risk management, or other concerns, contact her.

For More Information Or Help

We hope this update is helpful. For more information about these or other health or other employee benefits, human resources, or health care developments, please contact the author, Cynthia Marcotte Stamer, via e-mail or telephone at (214) 452-8297.

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating in and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Cynthia Marcotte Stamer is a Martindale-Hubble AV-Preeminent (highest/top 1%) practicing attorney recognized as a “Top Woman Lawyer,” “Top Rated Lawyer,” and “LEGAL LEADER™” in Health Care Law and Labor and Employment Law; among the “Best Lawyers In Dallas” in “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law recognized for her experience, scholarship, thought leadership and advocacy on HIPAA and other data and technology use, security and compliance in connection with her work with health care and life sciences, employee benefits, insurance, education, technology and other highly regulated and performance-dependent clients.

Board certified in labor and employment law by the Texas Board of Legal Specialization and a Fellow in the American College of Employee Benefits Counsel, Ms. Stamer works with these and other highly regulated or data and performance reliant businesses to design, risk manage, and defend their employment and other workforce, data and technology and other operations to promote legal and operational compliance, reduce regulatory and other liability and promote other operational goals.

Along with her decades of legal and strategic consulting experience, Ms. Stamer also contributes her leadership and experience to many professional, civic and community organizations. She currently serves as Co-Chair of the ABA Real Property Trusts and Estates (“RPTE”) Section Welfare Plan Committee, Co-Chair of the ABA International Section International Employment Law Committee and its Annual Meeting Program Planning Committee, Chair Emeritus and Vice Chair of the ABA Tort Trial and Insurance (“TIPS”) Section Medicine and Law Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee.

Additionally, more her ABA involvements include than a decade of service as a Scribe for the Joint Committee on Employee Benefits (“JCEB”) annual agency meetings with the Department of Health and Human Services and JCEB Council Representative, International Section Life Sciences Committee Chair, RPTE Section Employee Benefits Group Chair and a Substantive Groups Committee Member, Health Law Section Managed Care & Insurance Interest Group Chair, as TIPS Section Medicine and Law Committee Chair and Employee Benefits Committee and Workers Compensation Committee Vice Chair, Tax Section Fringe Benefit Committee Chair, and in various other ABA leadership capacities. Ms. Stamer also is a former Southwest Benefits Association Board Member and Continuing Education Chair, SHRM National Consultant Board Chair and Region IV Chair, Dallas Bar Association Employee Benefits Committee Chair, former Texas Association of Business State, Regional and Dallas Chapter Chair, a founding board member and Past President of the Alliance for Healthcare Excellence, as well as in the leadership of many other professional, civic and community organizations. She also is recognized for her contributions to strengthening health care policy and charitable and community service resolving health care challenges performed under PROJECT COPE Coalition For Patient Empowerment initiative and many other pro bono service involvements locally, nationally and internationally.

Ms. Stamer is the author of many highly regarded works published by leading professional and business publishers, the ABA, the American Health Lawyers Association, and others. Ms. Stamer also frequently speaks and serves on the faculty and steering committee for many ABA and other professional and industry conferences and conducts leadership and industry training for a wide range of organizations.

For more information about Ms. Stamer or her health industry and other experience and involvements, see http://www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press™

Solutions Law Press™ provides health care, insurance, human resources and employee benefit, data and technology, regulatory and operational performance, and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education. These include extensive resources on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press™ resources or training.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or admission. Solutions Law Press and its authors reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. Solutions Law Press and its authors disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2025 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press.™ For information about licensing for republication, please contact the author directly. All other rights reserved.

[1] The civil monetary penalty amounts are adjusted annually for inflation.  OCR has not yet published the 2025 inflation adjusted amounts. 

Comments Off on Another Large HIPAA Settlement Warns Health Plans & Other HIPAA Entities To Analyze & Manage Their Hacking & Other Data Susceptibilities | Corporate Compliance, Cybercrime, Cybersecurity, Data breach, Employer, Employers, ERISA, FACTA, Fiduciary Responsibility, Health Plans, HIPAA, HIPAA, Reporting & Disclosure | Tagged: , , , , | Permalink
Posted by Cynthia Marcotte Stamer

Trump Executive Order Calls For PBM ERISA Fee Disclosure Rules and Other Prescription Drug Reforms

April 17, 2025

Creating greater transparency of the compensation of prescription benefit management (“PBM”) arrangements used in group health plans covered by the Employee Retirement Income Security Act of 1974 (“ERISA”) is one of many new policy directives President Trump directs federal agencies to pursue to promote lower cost access to prescription drugs under his Executive Order on Lowering Drug Prices By Once Again Putting Americans First (the “Executive Order”) signed April 15, 2025. Employer and union-sponsored health plans, their sponsors, fiduciaries and service providers should carefully track and provide appropriate input to the Department of Labor and other federal agencies charged with implementing the new ERISA transparency requirement and other policy changes directed in the Executive Order. 

ERISA PMB Transparency Requirements

To improve the transparency of compensation received by PBMs working with ERISA-covered group health plnas, the Executive Order directs the Department of Labor (“DOL”) to propose regulations to make the fee disclosure requirements of ERISA section 408(b)(2)(B) applicable to PBMs by October 12, 2025.

The Executive Order’s directive to the DOL contemplates that DOL will revise its existing regulations under Section 408(b)(2) to prohibit group health plan fiduciaries from allowing PBMs to directly or indirectly receive compensation for their PBM services unless the PBM discloses its compensation from the arrangement in accordace with the fee disclosure requirements that the Executive Order contemplates DOL will add to ERISA section 408(b)(2). 

While DOL regulations have required since 2012 that pension plan service providers to disclose direct or indirect compensation under arrangements with ERISA-covered pension plans in order for the service provider compensation to be allowed “reasonable compensation” under ERISA section 408(b)(2), the fee disclosure requirement currently does not apply to PBMs or other service providers to group health plans or other welfare benefit plan arrangements.

Across the intervening years, concern that the lack of transparency and disclosure allows PBMs to receive excessive compensation and engage in conflicts of interest has led employee benefit industry watchdogs, employer and other plan sponsors, plan members, health care providers and others increasingly to urge the DOL to impose fee disclosure requirements on PBMs and other health and welfare benefit plan service providers. The Executive Order yields to these demands by calling upon the DOL to deem a group health plan’s compensation arrangements with PBMs reasonable only where PBMs disclose direct and indirect compensation, including compensation paid among related parties such as subcontractors, in a manner consistent with current Section 408(b )(2) Regulations.  

Other Prescription Drug Reforms

The Executive Order also includes numerous other reform directives beyond calling for DOL to make PBMs subject to ERISA’s fee disclosure rules.  These included several directives to HHS and certain other agencies that President Trump intends to lower the cost of prescription drugs within and outside the Medicare program.

Medicare & Other Drug Pricing and Coverage Related Prescription Drug Reforms

Many of the policy directives in the Executive Order seek to reform Medicare and other prescription drug cost and coverage.

By April 15, 2026, for instance, the Executive Order directs HHS to develop a better payment model to improve the ability of the Medicare program to obtain better value for high-cost prescription drugs and biological products covered by Medicare, including those not subject to the Medicare Drug Price Negotiation Program.   

In addition, the Executive Order:   

  • Directs HHS to work with the Congress to modify the Medicare Drug Price Negotiation Program to align the treatment of small molecule prescription drugs with that of biological products so as to end the distortion that undermines relative investment in small molecule prescription drugs, coupled with other reforms to prevent any increase in overall costs to Medicare and its beneficiaries;
  • By June 14, 2025,   
    • Requires HHS to propose changes to the Medicare Drug Price Negotiation Program regulations for the initial price applicability year 2028 and manufacturer implementation of maximum fair price under such program in 2026, 2027, and 2028 to improve the transparency of the Medicare Drug Price Negotiation Program, prioritize the selection of prescription drugs with high costs to the Medicare program, and minimize any negative impacts of the maximum fair price on pharmaceutical innovation within the United States; andRequires HHS to require health centers receiving Public Health Service Act Section 330(e) grants to establish practices to make insulin and injectable epinephrine available at or below the discounted price paid by the health center grantee or sub-grantee under the 340B Prescription Drug Program (plus a minimal administration fee) to low income individuals who have a high cost-sharing requirement for either insulin or injectable epinephrine; have a high unmet deductible; or have no healthcare insurance.Requires the Assistant to the President for Domestic Policy (“APDP”) in coordination with the Secretary, the Director of the Office of Management and Budget (“OMB Director”), and the Assistant to the President for Economic Policy (“APECP”), to provide recommendations to the President on how best to stabilize and reduce Medicare Part D premiums;Requires the HHS Secretary to publish a plan to conduct a survey under the Site-of-Service Price Transparency rules of Social Security Act Section 1833(t)(14)(D)(ii) to determine the hospital acquisition cost for covered outpatient drugs at hospital outpatient departments and propose appropriate adjustments to align Medicare payment with the cost of acquisition, consistent with the budget neutrality requirements; and
    • Requires HHS to evaluate and propose regulations to ensure that payment within the Medicare program is not encouraging a shift in drug administration volume away from less costly physician office settings to more expensive hospital outpatient departments.
Other Prescription Drug Reforms

In addition to these predominantly Medicare-focused programs, the Executive Order also orders federal agencies to

  • Requires the Secretary of Labor  to propose regulations pursuant to section 408(b)(2)(B) of the Employee Retirement Income Security Act of 1974 to improve employer health plan fiduciary transparency into the direct and indirect compensation received by pharmacy benefit managers by October 12, 2025;
  • Requires the APDP, in coordination with the HHS Secretary, the OMB Director, and the APECP, to provide recommendations to the President on how best to promote a more competitive, efficient, transparent, and resilient pharmaceutical value chain that delivers lower drug prices for Americans by June 14, 2025;
  • Requires the Food and Drug Administration to streamline and improve the Importation Program under the Federal Food, Drug, and Cosmetic Act to make it easier for States to obtain approval without sacrificing safety or quality;
  • Requires the OMB Director, the APDP, and the Assistant to the President for Economic Policy )”APECP, and HHS Secretary to provide joint recommendations on how best to ensure that manufacturers pay accurate Medicaid drug rebates consistent with section 1927 of the Social Security Act, promote innovation in Medicaid drug payment methodologies, link payments for drugs to the value obtained, and support States in managing drug spending;
  • Requires the HHS Secretary, through the Commissioner of Food and Drugs, to issue a report providing administrative and legislative recommendations to  accelerate approval of generics, biosimilars, combination products, and second-in-class brand name medications; and improve the process through which prescription drugs can be reclassified as over-the-counter medications, including recommendations to optimally identify prescription drugs that can be safely provided to patients over the counter;
  • Requires HHS, the Department of Justice, the Department of Commerce, and the Federal Trade Commission to conduct listening sessions and issue a report with recommendations to reduce anti-competitive behavior from pharmaceutical manufacturers.

Health plans, their sponsoring employers or unions, fiduciaries, PBM and other service providers, brokers, insurers, auditors, and others involved in the design or oversight of PBM and other group health plan arrangements should monitor closely the DOL and other agency responses to the Executive Order to anticipate and prepare for required changes, as well as to be prepared to identify and timely provide input about proposed rules or other actions to DOL or the otherwise applicable regulatory agency before finalized.

The author of this update, Cynthia Marcotte Stamer is an American College of Employee Benefits Counsel Fellow and attorney board certified in Labor and Employment Law by the Texas Board of Legal Specialization, with decades of experience advising employers and other health plan sponsors, health plans, health plan fiduciaries and administrators, PBMs, health and other insurers, third party administrators, managed care organizations, health plan technology, and other businesses about health plan design, administration, and other compliance, risk management and operational matters. If you have questions or need advice or help evaluating or addressing these or other compliance, risk management, or other concerns, contact her.

For More Information

We hope this update is helpful. For more information about these or other health or other employee benefits, human resources, or health care developments, please contact the author, Cynthia Marcotte Stamer, via e-mail or telephone at (214) 452-8297.

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation; Cynthia Marcotte Stamer is an attorney board certified in labor and employment law by the Texas Board of Legal Specialization, management consultant, author, public policy advocate and lecturer sought out by clients and industry and government leaders for her more than 35 years of health, insurance, employment and employee benefits and other industry management work, thought leadership, public policy and regulatory affairs advocacy, coaching, teaching, and publications on health and other employee benefits, health care, insurance, workforce and other risk management and compliance.

Along with her decades of legal and strategic consulting experience, Ms. Stamer also contributes her leadership and experience to many professional, civic and community organizations. Along with currently serving as Co-Chair of the ABA Real Property Trusts and Estates (“RPTE”) Section Welfare Plan Committee, Co-Chair of the ABA International Section International Employment Law Committee and its Annual Meeting Program Planning Committee, Chair Emeritus and Vice Chair of the ABA Tort Trial and Insurance (“TIPS”) Section Medicine and Law Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee, her previous ABA leadership roles include more than a decade of service as a Scribe for the Joint Committee on Employee Benefits (“JCEB”) annual agency meetings with the Department of Health and Human Services and JCEB Council Representative, International Section Life Sciences Committee Chair, RPTE Section Employee Benefits Group Chair and a Substantive Groups Committee Member, Health Law Section Managed Care & Insurance Interest Group Chair, as TIPS Section Medicine and Law Committee Chair and Employee Benefits Committee and Workers Compensation Committee Vice Chair, Tax Section Fringe Benefit Committee Chair, and in various other ABA leadership capacities. Ms. Stamer also is a former Southwest Benefits Association Board Member and Continuing Education Chair, SHRM National Consultant Board Chair and Region IV Chair, Dallas Bar Association Employee Benefits Committee Chair, former Texas Association of Business State, Regional and Dallas Chapter Chair, a founding board member and Past President of the Alliance for Healthcare Excellence, as well as in the leadership of many other professional, civic and community organizations. She also is recognized for her contributions to strengthening health care policy and charitable and community service resolving health care challenges performed under PROJECT COPE Coalition For Patient Empowerment initiative and many other pro bono service involvements locally, nationally and internationally. 

Ms. Stamer is the author of many highly regarded works published by leading professional and business publishers, the ABA, the American Health Lawyers Association, and others. Ms. Stamer also frequently speaks and serves on the faculty and steering committee for many ABA and other professional and industry conferences and conducts leadership and industry training for a wide range of organizations. 

For more information about Ms. Stamer or her health industry and other experience and involvements, see http://www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press™

Solutions Law Press™ provides health care, insurance, human resources and employee benefit, data and technology, regulatory and operational performance, and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education. These include extensive resources on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press™ resources or training.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or an admission. Solutions Law Press and its authors reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often rapidly evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. Solutions Law Press and its authors disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2025 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press.™ For information about licensing for republication, please contact the author directly. All other rights reserved.

Comments Off on Trump Executive Order Calls For PBM ERISA Fee Disclosure Rules and Other Prescription Drug Reforms | Corporate Compliance | Tagged: , , , , , , , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

$200,000 OCR Penalty Shows Health Care Providers & Other HIPAA Entities Risks Of Late Record Access

March 7, 2025

The $200,000 civil monetary penalty [paid by Oregon Health & Science University (“OHSU”) for failing to provide requested medical records shows health care providers, health plans and insurers, and health care clearinghouses (“covered entities”) the perils of violating an individual’s Health Insurance Portability & Accountability Act of 1996 (“HIPAA”) right to timely access. As the 53rd Department of Health and Human Services Office of Civil Rights (“OCR”) announced HIPAA right of action enforcement action, the penalty reaffirms OCR’s continued strong commitment to the enforcement of HIPAA rights of access against covered entities and demonstrates the potential high cost covered entities can face for noncompliance with these requirements.  Like the 52 prior enforcement actions, the OHSU penalty warns health plans and other covered entities to confirm their compliance to avoid incurring similar liabilities.

Thie HIPAA Privacy Rule’s ”Right of Access” provisions require covered entities give requesting individuals or their personal representatives with timely access to requested protected health information.  Generally, this means the covered entity must provide protected health information access within 30 days, with the possibility of one 30-day extension if certain requirements are met.  HIPAA also prohibits covered entities from charging more than a reasonable, cost-based fee for this record access. This requirement is in addition to any otherwise applicable duty to provide timely access to records imposed by otherwise applicable laws such as rules applicable to health plans and health insurers covered by the adverse benefit determination rules of the Patient Protection and Affordable Care Act (“ACA”) or the Employee Retirement Income Security Act of 1974 (“ERISA”) or health insurers or health care providers under applicable state medical privacy and records laws state insurance laws, and health care providers under applicable state medical practice laws The Privacy Rule also contains specific rules for determining the allowable fees, which typically are more restrictive than often concurrently applicable state laws applicable to health care providers or insurers. 

Covered entities also should recognize that covered entities violating the right of access rule face a high likelihood of enforcement by OCR. Patients and other individuals and their personal representatives typically are well informed about their access rights due to HIPAA’s notice of privacy practices and posting requirements. Since right of access violations are one of the most common complaints and OCR frequently finds violations when investigating these complaints,

The $200,000 civil monetary penalty against OHSU along with the undisclosed legal fees and other expenses it incurred in responding to the investigation and enforcement action show the HIPAA liability covered entities can incur for violating the right of assess rule. In September 2024, OCR issued a Notice of Proposed Determination seeking to impose a $200,000 civil monetary penalty. OHSU waived its right to a hearing and did not contest OCR’s imposition of a civil monetary penalty. Accordingly, in December 2024, OCR imposed the $200,000 civil monetary penalty against OHSU in a December 2024 Notice of Final Determination. The OHSU civil monetary penalty arose from OCR’s investigation of a second complaint filed by an individual’s personal representative in January 2021 from the individual’s personal representative.  The complaint was one of two OCR received on this matter. In September 2020, OCR resolved the first complaint received in May 2020 after OCR notified OHSU of its potential noncompliance with the Privacy Rule Right of Access provisions.  Although OHSU provided part of the requested records in April 2019, OHSU did not provide all of the requested records in August 2021.  This was 16 months after the first request for records in April 2019 and nearly a year after OCR previously warned OHSU about its HIPAA obligations in response to the initial complaint. Based on these findings, OCR determined OHSU violated the right of access rule by failing to take timely action in response to the right of access requests.

Along with showing the importance of overall timely compliance with the right of access rule, the OHSU civil monetary penalty also shows covered entities the importance of promptly and completely correcting any violation and their causes that results in a failure by the covered entity (including an employee or business associate responsible for responding to requests) has violated the right of access rule. OCR’s right of access rule investigation and enforcement history against covered entities, including the original complaint against OHSU, demonstrates that OCR seeks settlement with substantially smaller or even no financial payment required if the covered entity promptly and completely fixes the violation in response to OCR’s notice and technical assistance.  

The author of this update, Cynthia Marcotte Stamer is an American College of Employee Benefits Counsel Fellow and attorney board certified in Labor and Employment Law by the Texas Board of Legal Specialization, nationally known and celebrated for her experience providing advice and representation on HIPAA and other risk management and compliance to employers and other health plan sponsors, health plans, health plan fiduciaries and administrators, health and other insurers, third party administrators, health care and other managed care providers and organizations, human resources and health plan technology, and other businesses about health plan design, administration, and other compliance, risk management and operational matters. If you have questions or need advice or help evaluating or addressing these or other compliance, risk management, or other concerns, contact her.

For More Information

We hope this update is helpful. For more information about these or other health or other employee benefits, human resources, or health care developments, please contact the author, Cynthia Marcotte Stamer, via e-mail or telephone at (214) 452-8297.

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation; Cynthia Marcotte Stamer is an attorney board certified in labor and employment law by the Texas Board of Legal Specialization, management consultant, author, public policy advocate and lecturer sought out by clients and industry and government leaders for her more than 35 years of health, insurance, employment and employee benefits and other industry management work, thought leadership, public policy and regulatory affairs advocacy, coaching, teaching, and publications on health and other employee benefits, health care, insurance, workforce and other risk management and compliance.

Along with her decades of legal and strategic consulting experience, Ms. Stamer also contributes her leadership and experience to many professional, civic and community organizations. Along with currently serving as Co-Chair of the ABA Real Property Trusts and Estates (“RPTE”) Section Welfare Plan Committee, Co-Chair of the ABA International Section International Employment Law Committee and its Annual Meeting Program Planning Committee, Chair Emeritus and Vice Chair of the ABA Tort Trial and Insurance (“TIPS”) Section Medicine and Law Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee, her previous ABA leadership roles include more than a decade of service as a Scribe for the Joint Committee on Employee Benefits (“JCEB”) annual agency meetings with the Department of Health and Human Services and JCEB Council Representative, International Section Life Sciences Committee Chair, RPTE Section Employee Benefits Group Chair and a Substantive Groups Committee Member, Health Law Section Managed Care & Insurance Interest Group Chair, as TIPS Section Medicine and Law Committee Chair and Employee Benefits Committee and Workers Compensation Committee Vice Chair, Tax Section Fringe Benefit Committee Chair, and in various other ABA leadership capacities. Ms. Stamer also is a former Southwest Benefits Association Board Member and Continuing Education Chair, SHRM National Consultant Board Chair and Region IV Chair, Dallas Bar Association Employee Benefits Committee Chair, former Texas Association of Business State, Regional and Dallas Chapter Chair, a founding board member and Past President of the Alliance for Healthcare Excellence, as well as in the leadership of many other professional, civic and community organizations. She also is recognized for her contributions to strengthening health care policy and charitable and community service resolving health care challenges performed under PROJECT COPE Coalition For Patient Empowerment initiative and many other pro bono service involvements locally, nationally and internationally.

Ms. Stamer is the author of many highly regarded works published by leading professional and business publishers, the ABA, the American Health Lawyers Association, and others. Ms. Stamer also frequently speaks and serves on the faculty and steering committee for many ABA and other professional and industry conferences and conducts leadership and industry training for a wide range of organizations.

For more information about Ms. Stamer or her health industry and other experience and involvements, see http://www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press™

Solutions Law Press™ provides health care, insurance, human resources and employee benefit, data and technology, regulatory and operational performance, and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education. These include extensive resources on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press™ resources or training.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or an admission. Solutions Law Press and its authors reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often rapidly evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. Solutions Law Press and its authors disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2025 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press.™ For information about licensing for republication, please contact the author directly. All other rights reserved

Comments Off on $200,000 OCR Penalty Shows Health Care Providers & Other HIPAA Entities Risks Of Late Record Access | Corporate Compliance | Tagged: , , , , | Permalink
Posted by Cynthia Marcotte Stamer

$200,000 OCR Penalty Warns Health Plans and Other HIPAA Entities To Timely Provide Records

March 7, 2025

The $200,000 civil monetary penalty [paid by Oregon Health & Science University (“OHSU”) for failing to provide requested medical records shows health plans, health care providers, and health care clearinghouses (“covered entities”) the perils of violating an individual’s Health Insurance Portability & Accountability Act of 1996 (“HIPAA”) right to timely access. As the 53rd Department of Health and Human Services Office of Civil Rights (“OCR”) announced HIPAA right of action enforcement action, the penalty reaffirms OCR’s continued strong commitment to the enforcement of HIPAA rights of access against covered entities and demonstrates the potential high cost covered entities can face for noncompliance with these requirements.  Like the 52 prior enforcement actions, the OHSU penalty warns health plans and other covered entities to confirm their compliance to avoid incurring similar liabilities.

Thie HIPAA Privacy Rule’s ”Right of Access” provisions require covered entities give requesting individuals or their personal representatives with timely access to requested protected health information.  Generally, this means the covered entity must provide protected health information access within 30 days, with the possibility of one 30-day extension if certain requirements are met.  HIPAA also prohibits covered entities from charging more than a reasonable, cost-based fee for this record access. This requirement is in addition to any otherwise applicable duty to provide timely access to records imposed by otherwise applicable laws such as rules applicable to health plans and health insurers covered by the adverse benefit determination rules of the Patient Protection and Affordable Care Act (“ACA”) or the Employee Retirement Income Security Act of 1974 (“ERISA”) or health insurers or health care providers under applicable state medical privacy and records laws state insurance laws, and health care providers under applicable state medical practice laws The Privacy Rule also contains specific rules for determining the allowable fees, which typically are more restrictive than often concurrently applicable state laws applicable to health care providers or insurers. 

Covered entities also should recognize that covered entities violating the right of access rule face a high likelihood of enforcement by OCR. Patients and other individuals and their personal representatives typically are well informed about their access rights due to HIPAA’s notice of privacy practices and posting requirements. Since right of access violations are one of the most common complaints and OCR frequently finds violations when investigating these complaints,

The $200,000 civil monetary penalty against OHSU along with the undisclosed legal fees and other expenses it incurred in responding to the investigation and enforcement action show the HIPAA liability covered entities can incur for violating the right of assess rule. In September 2024, OCR issued a Notice of Proposed Determination seeking to impose a $200,000 civil monetary penalty. OHSU waived its right to a hearing and did not contest OCR’s imposition of a civil monetary penalty. Accordingly, in December 2024, OCR imposed the $200,000 civil monetary penalty against OHSU in a December 2024 Notice of Final Determination. The OHSU civil monetary penalty arose from OCR’s investigation of a second complaint filed by an individual’s personal representative in January 2021 from the individual’s personal representative.  The complaint was one of two OCR received on this matter. In September 2020, OCR resolved the first complaint received in May 2020 after OCR notified OHSU of its potential noncompliance with the Privacy Rule Right of Access provisions.  Although OHSU provided part of the requested records in April 2019, OHSU did not provide all of the requested records in August 2021.  This was 16 months after the first request for records in April 2019 and nearly a year after OCR previously warned OHSU about its HIPAA obligations in response to the initial complaint. Based on these findings, OCR determined OHSU violated the right of access rule by failing to take timely action in response to the right of access requests.

Along with showing the importance of overall timely compliance with the right of access rule, the OHSU civil monetary penalty also shows covered entities the importance of promptly and completely correcting any violation and their causes that results in a failure by the covered entity (including an employee or business associate responsible for responding to requests) has violated the right of access rule. OCR’s right of access rule investigation and enforcement history against covered entities, including the original complaint against OHSU, demonstrates that OCR seeks settlement with substantially smaller or even no financial payment required if the covered entity promptly and completely fixes the violation in response to OCR’s notice and technical assistance.  

The author of this update, Cynthia Marcotte Stamer is an American College of Employee Benefits Counsel Fellow and attorney board certified in Labor and Employment Law by the Texas Board of Legal Specialization, nationally known and celebrated for her experience providing advice and representation on HIPAA and other risk management and compliance to employers and other health plan sponsors, health plans, health plan fiduciaries and administrators, health and other insurers, third party administrators, health care and other managed care providers and organizations, human resources and health plan technology, and other businesses about health plan design, administration, and other compliance, risk management and operational matters. If you have questions or need advice or help evaluating or addressing these or other compliance, risk management, or other concerns, contact her.

For More Information

We hope this update is helpful. For more information about these or other health or other employee benefits, human resources, or health care developments, please contact the author, Cynthia Marcotte Stamer, via e-mail or telephone at (214) 452-8297.

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation; Cynthia Marcotte Stamer is an attorney board certified in labor and employment law by the Texas Board of Legal Specialization, management consultant, author, public policy advocate and lecturer sought out by clients and industry and government leaders for her more than 35 years of health, insurance, employment and employee benefits and other industry management work, thought leadership, public policy and regulatory affairs advocacy, coaching, teaching, and publications on health and other employee benefits, health care, insurance, workforce and other risk management and compliance.

Along with her decades of legal and strategic consulting experience, Ms. Stamer also contributes her leadership and experience to many professional, civic and community organizations. Along with currently serving as Co-Chair of the ABA Real Property Trusts and Estates (“RPTE”) Section Welfare Plan Committee, Co-Chair of the ABA International Section International Employment Law Committee and its Annual Meeting Program Planning Committee, Chair Emeritus and Vice Chair of the ABA Tort Trial and Insurance (“TIPS”) Section Medicine and Law Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee, her previous ABA leadership roles include more than a decade of service as a Scribe for the Joint Committee on Employee Benefits (“JCEB”) annual agency meetings with the Department of Health and Human Services and JCEB Council Representative, International Section Life Sciences Committee Chair, RPTE Section Employee Benefits Group Chair and a Substantive Groups Committee Member, Health Law Section Managed Care & Insurance Interest Group Chair, as TIPS Section Medicine and Law Committee Chair and Employee Benefits Committee and Workers Compensation Committee Vice Chair, Tax Section Fringe Benefit Committee Chair, and in various other ABA leadership capacities. Ms. Stamer also is a former Southwest Benefits Association Board Member and Continuing Education Chair, SHRM National Consultant Board Chair and Region IV Chair, Dallas Bar Association Employee Benefits Committee Chair, former Texas Association of Business State, Regional and Dallas Chapter Chair, a founding board member and Past President of the Alliance for Healthcare Excellence, as well as in the leadership of many other professional, civic and community organizations. She also is recognized for her contributions to strengthening health care policy and charitable and community service resolving health care challenges performed under PROJECT COPE Coalition For Patient Empowerment initiative and many other pro bono service involvements locally, nationally and internationally.

Ms. Stamer is the author of many highly regarded works published by leading professional and business publishers, the ABA, the American Health Lawyers Association, and others. Ms. Stamer also frequently speaks and serves on the faculty and steering committee for many ABA and other professional and industry conferences and conducts leadership and industry training for a wide range of organizations.

For more information about Ms. Stamer or her health industry and other experience and involvements, see http://www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press™

Solutions Law Press™ provides health care, insurance, human resources and employee benefit, data and technology, regulatory and operational performance, and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education. These include extensive resources on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press™ resources or training.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or an admission. Solutions Law Press and its authors reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often rapidly evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. Solutions Law Press and its authors disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2025 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press.™ For information about licensing for republication, please contact the author directly. All other rights reserved

Comments Off on $200,000 OCR Penalty Warns Health Plans and Other HIPAA Entities To Timely Provide Records | Corporate Compliance, health Care, Health Plans, HIPAA, HIPAA, insurers | Tagged: , , , , | Permalink
Posted by Cynthia Marcotte Stamer

HHS Grants Limited Southern California Fire Limited Disaster Relief

January 10, 2025

Health plans and insurers, health care providers and other Southern California organizations impacted by the California fires may qualify for temporary waivers or modification of certain Department of Health and Human Services (“HHS”) regulatory requirements under the Declarations of a Public Health Emergency (“PHE”) published by HHS today.

The relief provided by the PHE includes:

An extensive list of resources and guidance to help health plans, health care providers and others to understand and cope with HHS requirements in disaster or other emergency situations such as:

Health plans and other regulated entities impacted by the fire or other disasters should carefully review this guidance to understand the scope and availability of the current relief. Additionally, health plans, health care providers, business associates and other HHS-regulated entities and providers not currently impacted by today’s or another public health emergency declaration should use this guidance to plan and adopt policies and arrangements in advance of a disaster to provide for their continued ability to fulfill HHS regulatory obligations in the event of an emergency.

Health plans and other HHS-regulated entities should keep in mind the limited duration and scope of the relief provided by this PHE or any other HHS public health emergency declaration. Entities planning to rely on the PHE relief must review the scope, conditions and duration requirements and ensure their ability to defend their continued compliance taking into account these limited waivers and modifications.

Also the PHE guidance documents are not a final agency action, do not legally bind persons or entities outside the Federal government, and may be rescinded or modified in the Department’s discretion. Noncompliance with any voluntary standards (e.g., recommended practices) contained in these documents will not, in itself, result in any enforcement action.

Furthermore, health plans and other HHS regulated entities typically face a myriad of responsibilities beyond those imposed by the HHS. Health plans and other regulated entities should check other agencies disaster declaration webpages to determine whether the agency has issued any specific relief impacting their emergency in response to the broader disaster declaration issued by the Administration. Except to the extent covered by other declared disaster relief, coverage by or compliance with the HHS PHE guidance and policies does not insulate the health plan from potential liability for violating the requirements of the Employee Retirement Income Security Act or other laws creating responsibilities to plan members, providers, the Employee Benefit Security Administration or other agencies or parties other than HHS with respect to the HHS regulatory obligations for which the specific relief is provided in the PHE declaration. Accordingly, health plans, their fiduciaries, plan sponsors and service providers are urged to take necessary steps before, during and after any disaster to position themselves to demonstrate fulfillment of duties of prudence and other applicable responsibilities.

The author of this update, Cynthia Marcotte Stamer is an American College of Employee Benefits Counsel Fellow and attorney board certified in Labor and Employment Law by the Texas Board of Legal Specialization, who has decades of experience advising health care providers, health plans and insurers, third party administrators, managed care and other health care payers and providers, technology, and other businesses about crisis preparedness and response and other compliance, risk management and operational matters. If you have questions or need advice or help evaluating or addressing these or other compliance, risk management, or other concerns, contact her. 

For More Information

We hope this update is helpful. For more information about these or other health or other employee benefits, human resources, or health care developments, please contact the author, Cynthia Marcotte Stamer, via e-mail or telephone at (214) 452-8297.

Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for her more than 35 years of health, insurance, employment and employee benefits and other industry management work, public policy leadership and advocacy, coaching, teachings, and publications including leading-edge work on crisis preparedness, response and recovery.

Author of many highly regarded compliance and risk management tools, training and other resources on health and other employee benefits, health care, insurance, workforce and other risk management and compliance, Ms. Stamer is widely recognized for her thought leadership and advocacy on these matters.  

In addition, Ms. Stamer serves as a Scribe for the American Bar Association (“ABA”) Joint Committee on Employee Benefits annual agency meetings with OCR and shares her thought leadership as International Section Life Sciences Committee Vice Chair, and a former Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. 

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides health care, insurance, human resources and employee benefit, data and technology, regulatory and operational performance, and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education. These include extensive resources on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources. 

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often rapidly evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. The author and Solutions Law Press, Inc. disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2025 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.

Comments Off on HHS Grants Limited Southern California Fire Limited Disaster Relief | Corporate Compliance, Employer, Employers, health benefit, Health Benefits, health Care, Health Care Fraud, health insurance, health insurance marketplace, Health Plans, HIPAA, HR, Human Resources | Tagged: , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

AHIP Survey Shows Workers Value Employer-Provided Health Coverage

November 26, 2024

Public support and appreciation for employer-sponsored healthcare continues to run high, according to the results of a national online survey of 1,000 people with employer-provided coverage conducted by the research firm LSG on AHIPA from July 10-19, 2024. The survey results reflect employer-provided health coverage remains an important tool for employee recruitment and retention and widespread opposition to public policy changes that would replace employer-provided coverage with government-provided benefits or tax employer-provided coverage or benefits.

AHIP commissioned the survey to understand the perceptions, priorities, and expectations of consumers with employer-provided coverage about their current coverage and benefits, employers, and public policy impacting their coverage and compare their attitudes against results of a survey conducted in April 2023. LSG reports the survey has a margin of error of +/- 3% and was balanced to national demographics for gender, age, and region. AHIP announced the results of the survey on November 13, 2024.

According to AHIP, 50% of Americans received their health coverage from employer-provided plans. The survey responses revealed:

  • A growing majority of consumers (75%,+12% since April 2023) are satisfied with their current employer-provided coverage.
  • 66% (+12%) are satisfied with the current health insurance system overall
  • Comprehensive coverage, affordability, and choice of providers their plans provide are key factors in creating this satisfaction
  • 71% (+12%) feel the quality of their current health plan is high
  • 74% (+6%) prefer to get their coverage through their employer over a federal or state government program
  • Costs remain a top consumer concern and a leading source of plan dissatisfaction, 66% (+13%) of respondents reported that what they currently pay for their coverage overall is reasonable and helps to lower their health care costs
  • While unhappy with coverage costs, 63% of respondents identified the comprehensiveness of coverage as a greater priority than affordability (31%).
  • Benefits most valued by respondents were emergency care (65%), prescription drugs (63%), and preventive care (57%).
  • 88% of respondents reported their health plan covers preventive
  • services (88%), provides access to top providers (78%), and gives them financial peace of mind if something bad were to happen (75%).
  • 53% of respondents reported feeling employer-provided coverage is effectively meeting children’s mental health needs and 61% reported believing the need for mental health care for children will increase.
  • 67% of respondents reported considering it important for health insurance plans to cover telehealth services
  • 76% of respondents reported believing it’s important for the federal government to maintain the COVID-19 telehealth flexibilities for patients

The survey also reflects the continued value of employer-provided health coverage in attracting and retaining employees. Sixty-one percent of respondents said health coverage plays an impactful role in employee recruitment and 80% reported health coverage was a reason for staying in their current position. Once informed that the average company pays 70-80% of the cost of coverage, a majority of respondents (71%) reported having a more favorable impression of companies that provide their employees with health insurance benefits.

The satisfaction and support from the study reflect likely opposition by workers to changes proposed by some politicians to change the current tax treatment of employer-provided coverage to tax employee health benefits. The survey found a growing majority oppose taxing employee health benefits (58%, +6%), and an even greater majority would be less likely to vote for a lawmaker who supports taxing them (63%).

Review the complete report of survey results here

If you have questions about health plan design, administration or defense, contact the author of this update, Cynthia Marcotte Stamer.

More Information

We hope this update is helpful. For more information about the these or other legal, management or regulatory concerns, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297

Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.  

About the Author

Management attorney and operations consultant Cynthia Marcotte Stamer uses a client objective oriented approach to help businesses, governments, associations and their leaders manage people, performance, risk, legislative and regulatory affairs, data, and other essential elements of their operations.

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 35+ years of workforce and other management work, public policy leadership and advocacy, coaching, teachings, scholarship and thought leadership. As a part of this experience, Miss Stamer has experience assisting clients with auditing, compliance, investigation and defense SCA, Davis-Bacon, Fair Labor Standards Act and other pay, benefits, compensation and fringe benefit concerns. 

A Fellow in the American College of Employee Benefit Counsel, Vice Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, Ms. Stamer’s work throughout her 35 year career has focused heavily on working with government contractors, health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. As an ongoing component of this work, she regularly advises, represents and defends businesses on Guideline Program and other compliance, risk management and other internal and external controls in a wide range of areas and has published and spoken extensively on these concerns.

Ms. Stamer also is widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on workforce, compensation, and other operations, risk management, compliance and regulatory and public affairs concerns.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving, and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2024 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™

Comments Off on AHIP Survey Shows Workers Value Employer-Provided Health Coverage | Corporate Compliance | Tagged: , , , , , , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

Teva Pharmaceuticals’ $450M Settlement Penalty Shows Risks Of Participating In Pharma Anti-Kickback and Price Fixing Schemes

October 11, 2024

Subscribe to continue reading

Subscribe to get access to the rest of this post and other subscriber-only content.

Comments Off on Teva Pharmaceuticals’ $450M Settlement Penalty Shows Risks Of Participating In Pharma Anti-Kickback and Price Fixing Schemes | Corporate Compliance | Tagged: , , , , , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

PBM Lawsuit Against FTC Signals Growing Battle To Rein In PBMs

September 17, 2024

Employers, health plan sponsors and fiduciaries, health care providers and individuals concerned about prescription drug prices and access should carefully follow the rapidly accelerating battle between the Federal Trade Commission (“FTC”) and pharmacy benefit managers (“PBMs”), which threatens to reshape how pharmaceutical products are priced and sold to health plans and consumers.

At the center of the complex pharmaceutical distribution chain that delivers prescription medicines from manufacturers to patients, PBMs generally are vertically integrated organizations that simultaneously serve and regulate health plans and pharmacists and play other roles in the drug supply chain.

This vertical integration allows these six PBMs to wield enormous power and influence over health plans’ and patients’ access to drugs and the prices they pay, as well as pharmacies’ access to prescription drugs and the price and other terms under which pharmacies qualify for health plan coverage or payment for these medications.

PBMs also exert substantial influence over independent pharmacies by imposing contractual terms imposed by PBMs as a condition of accessing medications, covering the pharmacies under health plans contracted with the PBMs, or both.

Mergers and consolidations within the PBM, pharmacy and health benefit industries that brought ownership of the largest PBMs under common ownership with large insurers and retail pharmacies they purport to both manage and work has increased the already significant power of PBMs to use their integration to control these and other aspects of prescription drug availability, access, distribution, and pricing/ Consequently, the sixth largest PMBs -Caremark Rx, LLC; Express Scripts, Inc.; OptumRx, Inc.; Humana Pharmacy Solutions, Inc.; Prime Therapeutics LLC; and MedImpact Healthcare Systems, Inc. – now collectively negotiate and enforce access, coverage, pricing and other key terms and conditions governing the availability, access to, and cost of prescription drugs for hundreds of millions of Americans.

With the consolidation of ownership of large PBMs, payers and pharmacies further tightening these PBMs’ control over prescription drug distribution, pricing, and coverage and prescription drug costs continuing to rise, PBMs and their practices increasingly face scrutiny, challenges and calls for reform by employers and other plan sponsors, health care providers, independent pharmacies, the FTC and other regulators, Congress, state legislatures and regulators, consumers, and others. See Report on Pharmacy Benefit Managers: The Powerful Middlemen Inflating Drug Costs and Squeezing Main Street Pharmacies.

FTC July 2024 Interim Report On 6th Largest PBMS

In response to these and other growing concerns about consolidation, lack of transparency and other potential abuses about the PBM industry and prescription drug costs, the FTC began investigating the PBM industry in 2022.  In July 2024, the FTC released its Report on Pharmacy Benefit Managers: The Powerful Middlemen Inflating Drug Costs and Squeezing Main Street Pharmacies (the “FTC Report”) that reports the FTC’s interim findings from its ongoing study of the six largest PBMs – Caremark Rx, LLC; Express Scripts, Inc.; OptumRx, Inc.; Humana Pharmacy Solutions, Inc.; Prime Therapeutics LLC; and MedImpact Healthcare Systems, Inc. use their vertical integration and concentration to inflate drug costs, squeeze Main Street pharmacies and engage in other practices harmful to patients and independent pharmacies.

The FTC Report shares interim findings based on the FTC staff’s review of more than 1,200 public comments to identify predominant areas of concern, initial submissions of internal documents and data from PBM respondents and their affiliates, interviews of various industry experts and participants and review of other public data and information.  The FTC Report also discloses that certain PBMS have yet to produce the data and documents required in response to FTC orders issued more than two years ago. While stating its study continues and promising that the FTC will continue efforts to force the PBMs to produce the evidence demanded in the orders, the FTC Report also promises to share regular updates about its progress and findings.

While the investigation continues, the FTC Report shares the FTC’s interim findings that:

  • The market for pharmacy benefit management services has become highly concentrated, and the largest PBMs are now also vertically integrated with the nation’s largest health insurers and specialty and retail pharmacies;
  • As a result of this high degree of consolidation and vertical integration, the leading PBMs can now exercise significant power over Americans’ access to drugs and the prices they pay;
  • Vertically integrated PBMs may have the ability and incentive to prefer their own affiliated businesses, which in turn can disadvantage unaffiliated pharmacies and increase prescription drug costs;
  • Evidence suggests that increased concentration may give the leading PBMs the leverage to enter into complex and opaque contractual relationships that may disadvantage smaller, unaffiliated pharmacies and the patients they serve;
  • PBMs and brand drug manufacturers sometimes negotiate prescription drug rebates that are expressly conditioned on limiting access to potentially lower cost generic alternatives in exchange for higher rebates from the manufactures in a manner that may cut off patient access to lower-cost medicines and warrant further scrutiny by the Commission, policymakers, and industry stakeholders.

The FTC Report also shares the FTC’s concern that the six largest PBMs improperly use their integration and market control over 95 percent of all prescriptions filled in the United States:

  • To profit at the expense of patients and independent pharmacists;
  • To hike the cost of and overcharge for drugs
  • To squeeze independent pharmacies that many Americans—especially those in rural communities—depend on for essential care;
  • To wield enormous power over patients’ ability to access and afford their prescription drugs, allowing PBMs to significantly influence what drugs are available and at what price; and
  • To impose unfair, arbitrary, and harmful contractual terms that can impact independent pharmacies’ ability to stay in business and serve their communities.

The FTC Report concludes that PBMs’ have an “outsized influence” that comes not only from the expansion of their traditional, middlemen administrative services in processing patients’ pharmacy prescription claims but also from decades of consolidation and vertical integration across the healthcare delivery system where “the largest PBMs have come under common ownership with the largest, most dominant health insurers … [that] operate some of the largest retail, mail order, and specialty pharmacies in the country, which compete with local independent pharmacies. Given these relationships, PBMs and their affiliated entities may have the incentive and ability to engage in steering a growing share of prescription revenues to their own pharmacies through specialty drug classification, self-preferential pricing, and pharmacy contracting procedures to target and control the business operations of pharmacies. While the FTC Report principally focuses on the impact of these changing market dynamics on the operation and vitality of the nation’s pharmacies, the FTC Report also states that initial evidence about PBM and brand pharmaceutical rebating practices “urgently warrant further scrutiny and potential regulation.”

The FTC Report concludes that these interim findings underscore the importance and urgency of scrutinizing the role and influence of PBMs in the nation’s healthcare system, particularly as federal and state governments are the largest purchasers of healthcare.

Express Scripts Sues FTC Demanding Retraction Of FTC Report

Not surprisingly, the PBMs subject to the FTC Report generally have protested the reported findings. On September 17, 2024, CIGNA-owned Express Scripts sued the FTC, demanding the FTC retraction of the FTC Report. In the Express Scripts, Inc. v. FTC complaint, Express Scripts characterizes the FTC Report as “unfair, biased, erroneous, and defamatory.” In the Complaint, Express Scripts alleges:

“According to the Commission’s press release announcing the Report, the Report stems from special orders issued under Section 6(b) of the FTC Act to six PBMs, including Express Scripts, demanding data and information about the PBM industry. But the Report is not an analysis of the data and information produced by the PBMs. Instead, it is seventy-four pages of unsupported innuendo leveled against Express Scripts and other PBMs under a false and defamatory headline and accompanied by a false and defamatory press release. The Commission disregarded the millions of documents and terabytes of data produced and relied instead on unverified comments from the very companies that PBMs negotiate against in order to help lower drug costs. Not surprisingly, those entities are incentivized to point the finger at PBMs for allegedly driving drug costs up, when it is PBMs who are, in fact, bringing drug costs down.”

Charging that the FTC Report “followed prejudice and politics, not evidence or sound economics, and wrongly concluded that PBMs inflate drug costs and harm independent pharmacies” and harmed Express Scripts’ business and reputation by the FTC’s “unlawful, unconstitutional, and arbitrary and capricious conduct and defamatory statements,” the Complaint alleges that the FTC Report “gets nearly everything wrong” as a result of FTC Chair Khan’s and the FTC’s bias against PBMs and failure to consider the evidence before them. For example, the Complaint asserts:

“It falsely accuses Express Scripts and other PBMs of “controlling” access to drugs and drug pricing when it is manufacturers who set drug prices and plan sponsors who decide which drugs to cover for their members.

It attacks Express Scripts for disadvantaging independent pharmacies when the evidence produced shows that on average independent pharmacies not affiliated with PBMs receive higher reimbursements than unaffiliated chain pharmacies, independent pharmacies are profitable, and the number of prescriptions filled at independent pharmacies is increasing.

It falsely claims that Express Scripts is “profiting by inflating drug costs,” including by taking rebates from drug manufacturers in return for putting high cost drugs on formularies when, in truth, the bulk of rebates and fees received by PBMs get passed through to plan sponsors and lower the net cost of drugs to plan sponsors and members. Moreover, Express Scripts prefers drugs with the lowest net cost to its plan sponsors on its largest standard formularies.

It makes the broad-brush claim that the PBMs failed to comply with the Commission’s 2022 6(b) orders, which demanded extensive data and information for production—without identifying who the supposed offenders are—even while Express Scripts had long ago complied with the Commission’s requests, which

the Commission knew and verbally acknowledged before and after issuing its Report. It falsely states that PBMs, including Express Scripts, “profit at the expense of patients by inflating drug costs” when the evidence shows that PBMs compete for the business of plan sponsors by offering lower costs for covered drugs than their competitors. PBMs have low and declining operating margins and any PBM that sought to inflate the cost of covered drugs would quickly lose its clients.

Due to these alleged false conclusions, the Complaint charges that the FTC Report violates federal and state law several times over, including in at least the following ways:

  • By exhibiting bias against PBMs and prejudgment of the facts, the Report violates Express Scripts’ right to due process under the Fifth Amendment to the U.S. Constitution.
  • It contains (i) assertions that will predictably be and have been interpreted as conclusions adverse to all PBMs and (ii) false statements unsupported by the record that demonstrate the Commission’s failure to consider the available contrary evidence and render its decision arbitrary and capricious.
  • It is not in the public interest and therefore exceeds the Commission’s statutory authority under Section 6(f) of the FTC Act.
  • It is unlawful because Commissioners exercise executive authority while enjoying statutory removal protections in violation of Article II of the U.S. Constitution.
  • And the Commission’s claim both in the Report and the accompanying press release that PBMs, including Express Scripts, are “inflating drug costs” and “profit by inflating drug costs at the expense of patients,” is false and defamatory.

Claiming that Express Scripts has suffered and continues to financial, business and reputational harm by the FTC Report’s allegedly false statements about its business practices and the insinuation that Express Scripts’ successful efforts to fight for lower prices for plan including being sued in multiple lawsuits invoking the FTC Report as evidentiary support for plaintiffs’ claims and faces multiple demands for information from state regulators and federal legislative committees. Contending these harms “have only just begun and will only be compounded over time,” Express Scripts asks the District Court:

  • To vacate and require the FTC to set aside the FTC Report;
  • Make the FTC correct the false statements it has made about PBMs; and
  • Require the recusal of FTC Chair Khan from further FTC proceedings regarding Express Scripts in light of her evident bias against PBMs, including Express Scripts.

Regardless of how the Express Scripts lawsuit plays out, employers and other health plan sponsors, fiduciaries, third party administrators, insurers, pharmacies, health care providers and individual Americans can expect to see continued challenges and attempts to reform PBMs to address perceived abuses. The direction and specifics of those challenges and changes remain unclear. Since political pressure is likely to significantly influence the ultimate outcome of any reforms, concerned individuals and organizations should carefully monitor and provide input.

Meanwhile, employer and other health plan sponsors and fiduciaries should also anticipate that the FTC Report and similar Congressional and other studies and investigations may increasingly fuel and provide evidence to support participants’ and beneficiaries’ questions and challenges to PBM features and practices within their health plans.

More Information

We hope this update is helpful. For more information about the  or other health or other employee benefits, human resources, or health care developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.

Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for her more than 35 years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications including leading edge work on PBM, pharmacy and pharmaceutical and other health care, managed care, insurance, and insured and self-insured contracting, design, administration and regulation.

Author of numerous highly regarded works on PBM and other health plan contracting and design,  Immediate Past Chair of the ABA International Section Life Sciences Committee and the Tort Trial and Insurance Practice Section Medicine and Law Committee, past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and past Group Chair and current Welfare Benefit Committee Co-Chair of the ABA RPTE Employee Benefits & Other Compensation Group, Ms. Stamer is most widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on health and other privacy and data security and other health industry legal, public policy and operational concerns. 

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services, data and technology and many other other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns.  As a part of this work, she has continuously and extensively worked with domestic and international health plans, their sponsors, fiduciaries, administrators, and insurers; managed care and insurance organizations; third party administrators and other health benefit service providers; hospitals, health care systems and other health care providers, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; EMR, claims, payroll and other technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, self-insured health and other employee benefit plans, their sponsors, fiduciaries, administrators and service providers, insurers and other payers, health industry advocacy and other service providers and groups and other health and managed care industry clients as well as federal and state legislative, regulatory, investigatory and enforcement bodies and agencies.

She also has extensive experience helping health care systems and organizations, group and individual health care providers, health plans and insurers, health IT, life sciences and other health industry clients prevent, investigate, manage and resolve  sexual assault, abuse, harassment and other organizational, provider and employee misconduct and other performance and behavior; manage Section 1557, Civil Rights Act and other discrimination and accommodation, and other regulatory, contractual and other compliance; vendors and suppliers; contracting and other terms of participation, medical billing, reimbursement, claims administration and coordination, Medicare, Medicaid, CHIP, Medicare/Medicaid Advantage, ERISA and other payers and other provider-payer relations, contracting, compliance and enforcement; Form 990 and other nonprofit and tax-exemption; fundraising, investors, joint venture, and other business partners; quality and other performance measurement, management, discipline and reporting; physician and other workforce recruiting, performance management, peer review and other investigations and discipline, wage and hour, payroll, gain-sharing and other pay-for performance and other compensation, training, outsourcing and other human resources and workforce matters; board, medical staff and other governance; strategic planning, process and quality improvement; meaningful use, EMR, HIPAA and other technology,  data security and breach and other health IT and data; STARK, ant kickback, insurance, and other fraud prevention, investigation, defense and enforcement; audits, investigations, and enforcement actions; trade secrets and other intellectual property; crisis preparedness and response; internal, government and third-party licensure, credentialing, accreditation, HCQIA and other peer review and quality reporting, audits, investigations, enforcement and defense; patient relations and care;  internal controls and regulatory compliance; payer-provider, provider-provider, vendor, patient, governmental and community relations; facilities, practice, products and other sales, mergers, acquisitions and other business and commercial transactions; government procurement and contracting; grants; tax-exemption and not-for-profit; privacy and data security; training; risk and change management; regulatory affairs and public policy; process, product and service improvement, development and innovation, and other legal and operational compliance and risk management, government and regulatory affairs and operations concerns. to establish, administer and defend workforce and staffing, quality, and other compliance, risk management and operational practices, policies and actions; comply with requirements; investigate and respond to Board of Medicine, Health, Nursing, Pharmacy, Chiropractic, and other licensing agencies, Department of Aging & Disability, FDA, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; JCHO and other accreditation and quality organizations; private litigation and other federal and state health care industry actions: regulatory and public policy advocacy; training and discipline; enforcement;  and other strategic and operational concerns.

Author of publications on “Transparent PBM Contracting,” “ACOs, Direct Contracting: Legal & Practical Challenges For Employers, Providers & TPAs,” “The Medicare Advantage Contracting Manual,” “Third Party Administrator (TPA) Contracting Principles and Strategies and a multitude of other highly regarded publications and presentations,  Stamer is widely recognized for her thought leadership on PBM and other managed care and health plan contracting and design, and a multitude of other health care, health plan and other health industry matters.  In addition, Ms. Stamer contributes her time and leadership to numerous policy, professional, civil and other organizations including service as the, the American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting and a former Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here such as:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstance at the particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often rapidly evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. The author and Solutions Law Press, Inc. disclaim and have no responsibility to provide any update or otherwise notify anyone of any  fact or law specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2024 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.

Comments Off on PBM Lawsuit Against FTC Signals Growing Battle To Rein In PBMs | Corporate Compliance | Tagged: , , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

$160K HIPAA Penalty Warns Health Plans & Other Covered Entities Deliver Timely Protected Health Information Access

January 8, 2024

Health plans, health care providers and health care clearinghouses (“Covered Entities”) treat the Department of Health and Human Service Office of Civil Right (“OCR”) announcement of its 46th enforcement action under the Health Insurance Portability & Accountability Act (“HIPAA”) Right of Access Rule as a warning to confirm their own organization’s timely delivery of records and other compliance with the Rule.  Coupled with OCR’s Right of Access Rule settlement agreement with United Health Insurance Group last August, the latest settlement agreement sends a strong message to health plans and other Covered Entities about the risks of failing to deliver protected health information as required by the Right of Access Rule. 

HIPAA Right of Access Rule

The HIPAA Right of Access Rule guarantees individuals the right to access a broad array of health information about themselves maintained by or for health plans and other Covered Entities. Under the Right of Access Rule, Covered Entities generally must provide individuals or their personal representatives copies or other acceptable access to the individual’s protected health information in a Covered Entity’s “designated record set” for a reasonable cost as soon as possible and within 30 days of receiving a request for a reasonable cost. However, the Right of Access Rule does not grant any right for an individual to access protected health information that is not part of a designated record set because the information is not used to make decisions about individuals.

The request for protected health information triggering the duty for a Covered Entity to provide access to the protected health information may come from the individual who is the subject of the protected health information or from the “personal representative” of that individual.  When considering a request for protected health information from an individual other than the subject of the protected health information, health plans and other Covered Entities also must use care to verify that the requesting party, in fact, qualifies as the individual’s “personal representative” as defined for purposes of HIPAA. 

Once a health plan or other Covered Entity receives a request protected health information from the individual or his personal representative, the Right of Access Rule requires the Covered Entity to provide access to all requested protected health information within any “designated record set” within 30 days unless the requested information falls within one of two exceptions to the Rule. 

For this purpose, a “designated record set” generally is defined at 45 CFR 164.501 as any item, collection, or grouping of information that includes protected health information that is maintained, collected, used, or disseminated by or for a Covered Entity that comprises the:

  • Medical records and billing records about individuals maintained by or for a covered health care provider;
  • Enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
  • Other records that are used, in whole or in part, by or for the covered entity to make decisions about individuals. This last category includes records that are used to make decisions about any individuals, whether or not the records have been used to make a decision about the particular individual requesting access.

However, the Right of Access Rule only requires the delivery of protected health information that is part of a designated record set.  It does not require health plans or other Covered Entities to provide protected health information that the Covered Entity does not use to make decisions about the individual, since this information is not considered part of a designated record set.  Examples of such records of protected health information might include protected health information in certain quality assessment or improvement records, patient safety activity records, or business planning, development, and management records the Covered Entity uses for business decisions more generally rather than to make decisions about the subject individual. Before refusing to provide information not part of a designated record set, however, the health plan or other Covered Entity does not also use or possess that information for making decisions about the subject individual or that disclosure is not otherwise required under another law. For example, even if the Right of Access Rule does not require disclosure of protected health information because it is not considered part of a designated record set, a health plan still be required to disclose the record if required by the adverse benefit determination rules of the Patient Protection and Affordable Care Act (“ACA”), claims and appeals rules of the Employee Retirement Income Security Act or other applicable law, regulation or another law.    

Even where the information falls within the definition of a designated record set, however, HIPAA expressly excludes two categories of information from the Right of Access right:

  • Psychotherapy notes, which are the personal notes of a mental health care provider documenting or analyzing the contents of a counseling session maintained separately from the rest of the patient’s medical record as described in 45 CFR 164.524(a)(1)(i) and 164.501.
  • Information complied in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding described under 45 CFR 164.524(a)(1)(ii).

However, it is critical that Covered Entities not overestimate the reach of either of these two exceptions. The exception only applies to the narrow range of records meeting the requirements of the exception.  The underlying protected health information from the individual’s medical or payment records or other records used to generate the above types of excluded records or information remains part of the designated record set and is subject to access by the individual under the Right of Access Rule.  Providers and other Covered Entities should use care to comply with the Right of Access Rule without providing more information than allowed as HIPAA liability can arise from failing to timely deliver access to all protected health information required by the Right of Access Rule or from sharing protected health information with an individual who is not either the individual or personal representative when the disclosure otherwise is not allowed by HIPAA To help negotiate these requirements, Covered Entities should become familiar with and process all requests for protected health information following the latest Right of Access Rule guidance. When in doubt, Covered Entities should seek the advice of experienced legal counsel within the scope of attorney-client privilege about proper fulfillment of their obligations under the Right of Access Rule in coordination with any other applicable responsibilities the Covered Entities has to provide access, disclose, or prevent disclosure of the requested information under otherwise applicable federal or states laws and regulations, ethical or other professional standards, contractual or other medical, insurance, financial, employee benefit or other rules relating to the requested records.

Optum Settlement 46th Right Of Access Enforcement Settlement

The Optum settlement resulted from OCR’s investigation of six complaints in the Fall of 2021 that Optum violated the Right of Access Rule by failing to provide timely access to medical records when requested by an adult patient or by the parents of minor patients.

In February 2022, OCR initiated investigations of these Right of Access complaints. The investigation revealed that patients received their requested records between 84 and 231 days after submitting their respective requests. Since the Right of Access Rule requires that Covered Entities deliver the records no later than 30 days from receiving the individual’s requests, those timeframes fell well outside of the deadline for delivery required by the HIPAA Right of Access Rule.  Accordingly, OCR concluded that Optum’s failure to provide timely access to the requested medical records was a potential violation of HIPAA.

Under the Resolution Agreement reached with Optum, Optum agreed to pay $160,000 to OCR as well as implement a corrective action plan that requires workforce training, reporting records requests to OCR, and reviewing and revising as necessary its right of access policies and procedures to provide timely responses to requests. Under the plan, OCR will monitor Optum Medical Care for one year.

Right Of Access Remains OCR Investigation & Enforcement Priority

The Optum enforcement action and settlement is the latest reminder to all Covered Entities that investigation and enforcement remains a top OCR priority. See e.g. OCR Sanction Of 44th Health Care Provider For Violating HIPAA Right of Access Rules Warning To Other Covered Entities. Because access to medical records empowers patients and their families to make decisions about their health care and improve their health overall, OCR views access to medical records “a fundamental right under HIPAA. For this reason, OCR believes it “critical that providers follow the law.”  Accordingly, OCR Director Melanie Fontes Rainer has warned that health care providers “must proactively respond to record requests and ensure timely access” and “make responding to parents’ or patients’ request for access to their medical records in a timely manner a priority.” See e.g., HHS’ Office for Civil Rights Settles Multiple HIPAA Complaints with Optum Medical Care Over Patient Access to Records (January 4, 2024).

While health care providers are the most common target of OCR’s Right Of Access complaints and enforcement, OCR’s August, 2023 Right of Access settlement against United Health Insurance Group (“UHIG”) confirms health plans also are targets. That settlement arose from OCR’s investigation of a March 2021 complaint alleging that UHIC did not respond to an individual’s request for a copy of their medical record. The investigation showed the individual first requested a copy of their records on January 7, 2021, but did not receive the records until July 2021, after OCR initiated its investigation.  Movrover, the March, 2021 complaint was the third complaint OCR received from the complainant against UHIC alleging failures to respond to his right of access. These findings led OCR to conclude UHIC’s failure to provide timely access to the requested medical records was a potential violation of the HIPAA right of access provision.  In OCR’s announcement of UHIG’s agreement to pay $80,000 to resolve these potential charges, OCR Director, Melanie Fontes Rainer warned, “Health insurers are not exempt from the right of access and must ensure that they are taking steps to train their workforce to ensure that they are doing all they can to help members’ access to health information.”  See, UnitedHealthcare Pays $80,000 Settlement to HHS to Resolve HIPAA Matter over Patient Medical Records Request.

Manage Right of Access Rule Exposure

Despite OCR’s warnings about the responsibility to comply with the Right of Access Rule, many health plans and other Covered Entities continue to violate the Rule. OCR has and continues to receive thousands of Right of Access Rule complaints each year.  In response to these persistent compliance issues, OCR continues to make enforcement of the Right of Access Rule a key enforcement priority through its Right Of Access Initiative.

In light of OCR’s commitment to continue to investigate and enforce compliance with the Right of Access Rule, health care providers and other Covered Entities and their business associates are urged to review their existing practices for receiving and processing patient record requests to confirm their own organizations’ compliance with the Right of Access Rule and other applicable federal and state statutory regulatory and contractual requirements. To reduce risks of violations, all health care providers and other Covered Entities should seek assistance from experienced legal counsel within the scope of attorney-client privilege to audit their past and current Right of Access Rule compliance for any necessary or advisable steps to prevent future violations and mitigate potential liabilities arising from potential past or future violations of the Right of Access Rule.  Aside from confirming documented timely responses to past requests for protected health information, among other things, most Covered Entities will want to consider:

  • Verifying that their current policies, privacy practices notices, training and other materials are updated to comply with all applicable policies and properly identify and provide current contact information for the Privacy Officer or other party responsible for receiving and responding to protected health information requests;
  • Appropriate procedures are in place to ensure that the Covered Entity can produce required documentation showing the individuals are appropriately notified of the Right of Access and other HIPAA rules, and that the Covered Entity captures the necessary documentation to show its receipt of all requests, and timely investigation and response to such requests;
  • Appropriate and documented processes for collecting, investigating, or resolving any potential concerns, complaints, or other issues, their evaluation, and resolution;
  • Appropriate workforce, business associates, and other policies, training, oversight, and enforcement to require and enforce compliance with applicable laws and policies; and
  • Appropriate processes, procedures, and training to ensure that staff fully understands and complies with both the specific processes and procedures of the Covered Entity for complying with the Right of Access Rule, as well as related procedures necessary to manage risks and responsibilities arising under verification of identity, personal representative, disclosure, recordkeeping or other HIPAA’ rules; medical, insurance, financial, or other data or privacy; licensure and market conduct; civil rights and nondiscrimination; fiduciary; licensure; marketing or other rules.

When confirming compliance with the Right of Access Rule, health plans and other Covered Entities also should reevaluate their organization’s exposure to other HIPAA associated risks. See, e.g., Health Plans Warned To Prevent Phishing By 1st Phishing-Related HIPAA Settlement; New HIPAA Resolution Agreement Warns Health Plans & Other HIPAA-Covered Entities To Manage Media Relations, Access & Disclosure; $80,000 Penalty Confirms Health Plans Exposure For Violating HIPAA Access Rights; $350K Settlement Highlights Need For Plans & Plan Service Providers To Ensure Security, Business Associate & Other HIPAA Requirements Met. Health plans take documented, prudent steps to reconfirm the adequacy of their own, and their business associates’ policies, processes, training, documentation and other compliance with these and other medical and other plan records and data maintenance, security, use, access and disclosure.

Aside from the direct exposures for these and other HIPAA violations arising under HIPAA, health plans, their fiduciaries, insurers, plan sponsors and administrators should keep in mind that the Employee Benefit Security Administration views potential data breaches and other HIPAA violations as a potential source of fiduciary liability under the Employee Retirement Income Security Act. 

While involving outside consultants or other service providers generally is valuable if not required to conduct some of these tasks, Covered Entities are encouraged to use experienced outside legal counsel to help plan, conduct, evaluate and decide, and implement responses to findings from these compliance and risk management activities both to benefit from legal counsel’s substantive legal expertise and experience and to take advantage of the opportunity to conduct sensitive discussions within the protection of attorney-client privilege or other evidentiary rules.  Experienced outside legal counsel can guide Covered Entities about the best way to work with consulting and other vendors to maximize these benefits. Where legal advice is provided to health plan fiduciaries, health plans, their fiduciaries, insurers, sponsors, and service providers also should keep in mind that advice and work product performed on behalf of a health plan or plan fiduciary may not enjoy the same protection against discovery under attorney-client privilege and work product rules.

For More Information

We hope this update is helpful. For more information about these or other health or other legal, management, or public policy developments, please get in touch with the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 35 plus years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

A Fellow in the American College of Employee Benefit Counsel, Co-Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee and Vice-Chair Elect of its International Employment Law Committee, Chair-Elect of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading-edge work, scholarship and thought leadership on heath benefit and other healthcare and life science, managed care and insurance and other workforce and staffing, employee benefits, safety, contracting, quality assurance, compliance and risk management, and other legal, public policy and operational concerns in the healthcare and life sciences, employee benefits, managed care and insurance, technology and other related industries. She speaks and publishes extensively on these and other related compliance issues.

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, life sciences, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. Author of a multitude of highly regarded publications on HIPAA and other medical record and data privacy and scribe for the ABA JCEB Annual Meeting with the HHS Office of Civil Rights, her experience includes extensive involvement throughout her career in advising health care and life sciences and other clients about preventing, investigating and defending EEOC, DOJ, OFCCP and other Civil Rights Act, Section 1557 and other HHS, HUD, banking, and other federal and state discrimination investigations, audits, lawsuits and other enforcement actions as well as advocacy before Congress and regulators regarding federal and state equal opportunity, equity and other laws. 

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here, such as:

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and educational purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstances at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules make it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access to this publication. 

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2024 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™

Comments Off on $160K HIPAA Penalty Warns Health Plans & Other Covered Entities Deliver Timely Protected Health Information Access | Association Health Plan, Civil Monetary Penalties, Claims Administration, Corporate Compliance, Cybercrime, Data Breach, Data Security, Electronic Medical Record, employee, Employee Benefits, ERISA, Fiduciary Responsibility, group health plan, health plan, Health Plans, HIPAA, Protected Health Information, Reporting & Disclosure, self insured health plan | Tagged: , , , , , , , , , , , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

Health Plans Warned To Prevent Phishing By 1st Phishing-Related HIPAA Settlement

December 8, 2023

Health plans and other entities covered by the Health Insurance Portability and Accountability Act (“HIPAA”) should tighten their phishing deterrence and other safeguards in response to the announcement of the Department of Health and Human Services Office of Civil Rights (“OCR”) of its settlement of its first official phishing-related HIPAA charges with a Louisiana medical group subject to HIPAA as a health care provider.

The resolution agreement with LaFourche Medical Group (“LaFourche”) announced December 7, 2023, resolves the first HIPAA charges OCR has classified officially as arising from a phishing attack warns health plans, health care providers, health care clearinghouses (“Covered Entities”) and their business associates (collectively, “HIPAA Entities”) to ensure the adequacy of their risk analysis, safeguards, training and other processes for guarding electronic protected health information (“ePHI”) against phishing or other impermissible access.

HIPAA Entities Duty To Guard EPHI Against Phishing

The HIPAA Privacy Rule and Security Rule require health care providers, heath plans, health care clearinghouses (“Covered Entities”) and their businesses associates (collectively “HIPAA Entities”) to protect EPHI and other protected health information against use, access, disclosure or destruction by third parties except under the conditions allowed by HIPAA.  These requirements include the requirements of the Security Rule to conduct and document comprehensive security assessments of risks to sensitive data systems, to implement and enforce detailed security safeguards to protect EPHI and the systems containing that data against these threats, to train and enforce compliance with these safeguards, and other requirements.  Meanwhile, the HIPAA Breach Notification Rule requires Covered Entities to report most breaches of unsecured EPHI to individuals whose data is affected, OCR, and in the case of breaches of EPHI affecting more than 500 individuals, to the media. 

Phishing is a type of cybersecurity attack used to trick individuals into disclosing sensitive information via electronic communication, such as email, by impersonating a trustworthy source. See OCR Quarter 1 2022 Cybersecurity Newsletter; OCR February 2018 Phishing Cybersecurity Newsletter.

OCR guidance confirms OCR views defending ePHI against phishing as a key part of compliance with these HIPAA requirements.  See, e.g. OCR Quarter 1 2022 Cybersecurity Newsletter; Defending Against Common Cyber-Attacks; AI-Augmented Phishing and the Threat to the Health Sector; HHS 405d Health Industry Cybersecurity Practices on Email Phishing Attacks; Videos on “How the HIPAA Security Rule Can Help Defend Against Cyber-Attacks” in English and Spanish. OCR February 2018 Phishing Cybersecurity Newsletter.  

OCR data confirms the number of breaches of unsecured ePHI reported to the OCR affecting 500 or more individuals (“large breaches”) due to hacking or IT incidents increased 45% from 2019 to 2020,  and hacking or IT incidents accounted for 66% of all large breaches reported to OCR in 2020. U.S. Department of Health and Human Services Breach Portal.  In keeping with this trend, large breaches affected more than 55 million individuals in 2022 and more than 89 million individuals in 2023.  OCR reports phishing played a key role in many of these breaches and contributed to many other breaches currently under OCR investigation.  See U.S. Department of Health and Human Services Breach Portal; OCR Quarter 1 2022 Cybersecurity NewsletterIt bears noting that the most costly and largest HIPAA breaches overall and virtually all OCR resolution agreements with health plans have involved large scale breaches resulting from phishing or other hacking.

The widespread availability and use of artificial intelligence technology has only made phishing attempts more effective, especially since those tools are freely available to the public. AI-Augmented Phishing and the Threat to the Health Sector

The 2021 HIMSS Healthcare Cybersecurity Survey reveals phishing is the most common attack impacting healthcare organizations, comprising almost half of all attacks. Data shows hackers frequently use phishing against the health sector because it often leads to data breaches that allow attackers to access large quantities of lucrative stolen health data. AI-Augmented Phishing and the Threat to the Health Sector.

LaFourche Breach & Findings

The OCR investigation of LaFourche arose from a May 28, 2021 data breach report LaFourche filed reporting a March 30, 2021 breach. According to the breach report, LAFOURCHE  learned on March 30, 2021, that an unauthorized individual obtained access to one of its owners’ email accounts through a phishing attack. LAFOURCHE  determined that the email account contained patients’ EPHI. According to the report, on March 30, 2021, LAFOURCHE  learned that an unauthorized individual obtained access to one of its owners’ email accounts through a phishing attack. LAFOURCHE  determined that the email account contained patients’ protected health information (PHI). As LAFOURCHE  was unable to identify the specific patients affected, LAFOURCHE  notified all of its patients – approximately 34,862 individuals of the incident. As LAFOURCHE  was unable to identify the specific patients affected, LAFOURCHE  notified all of its patients – approximately 34,862 individuals – of the incident.

OCR’s investigation opened in January, 2022 in response to the breach report revealed found that before LAFOURCHE  made the breach report LAFOURCHE  never conducted a Security Rule risk analysis and had no policies or procedures in place to regularly review information system activity to safeguard protected health information against cyberattacks. 

To resolve OCR HIPAA charges arising from the breach, LaFourche agreed to pay $480,000 to OCR and to implement and follow a corrective action plan that includes the following requirements:

  • Establishing and implementing security measures to reduce security risks and vulnerabilities to electronic protect health information in order to keep patients’ protected health information secure;
  • Developing, maintaining, and revising written policies and procedures as necessary to comply with the HIPAA Rules; and
  • Providing training to all staff members with access to patients’ protected health information on HIPAA policies and procedures.

OCR will monitor for two years. LaFourche’s adherence with the compliance plan for two years.

While the $480,000 that LaFourche is a significant amount for a medical practice to pay, agreeing and adhering to the requirements of the settlement agreement and its incorporated corrective action plan allows LaFourche to avoids becoming subject to significantly greater civil monetary penalties authorized by HIPAA for breaches of its Privacy, Security and Breach Notification Rules.  Under the terms of the resolution agreement, however, HHS can still pursue civil monetary penalties against LaFourche for the violations if OCR finds LaFourche failed to comply with any of the requirements of its corrective action plan or otherwise violates HIPAA.

LaFourche Resolution Agreement Warning To All HIPAA Entities To Tighten Phishing Defenses

The LaFourche resolution agreement serves as a warning to other HIPAA entities.  OCR’s announcement of the settlement quotes OCR Director Melanie Fontes Rainer as stating, “It is imperative that the health care industry be vigilant in protecting its systems and sensitive medical records, which includes regular training of staff and consistently monitoring and managing system risk to prevent these attacks. We all have a role to play in keeping our health care system safe and taking preventive steps against phishing attacks.”

Based on the LaFourche resolution agreement and other guidance, HIPAA entities should heed this warning by ensuring their organization is prepared to demonstrate to OCR in the event of an OCR audit or breach investigation by among other things, establishing appropriate governance with C-level oversight of compliance efforts; conducting documented periodic systemic risk assessments addressing phishing and other threats;  actions taken to implement appropriate safeguards and monitor their effectiveness; appropriate workforce training and enforcement of policies and procedures; timely investigation and response to known or suspected breaches; timely breach reporting and mitigation; and other compliance with the Security Rule.

With regard to phishing, the Office of Information Security Whitepaper on AI-Augmented Phishing and the Threat to the Health Sector provides specific tips for successful prevention of phishing attacks including but not limited to:

  • Ensuring proper email server configuration or integrating a spam gateway or other appropriate additional platform into the information infrastructure, such as a spam gateway filter, to help filter unwanted e-mails;
  • Multi-factor authentication (MFA) requirements to protect against stolen credentials, which can be the initial purpose of a phishing attack;
  • Up-to-date malware and other security software to detect malware as it is being executed onto the system;
  • Conducting periodic end-user awareness training on detection of phishing e-mails and interacting with all e-mail with healthy skepticism including specific training on comment formats and tricks including those generated using AI tools;
  • Systematically using appropriately updated and robust processes for monitoring and detecting suspicious activities/indicators on an ongoing basis.

HIPAA entities also should keep in mind that phishing is only one of a multitude of compliance and enforcement risks highlighted by OCR’s recent enforcement and guidance. Along with reviewing and updating their phishing defenses, HIPAA entities also should review and update other processes as needed to manage these exposures.

Additionally, HIPAA entities and their leaders also should take steps to understand and fully address all other statutory, ethical, contractual or other privacy or confidentiality requirements beyond those imposed by HIPAA. For example, health care providers, health plans and their fiduciaries, brokers, administrators and insurers also may bear responsibilities under the Employee Retirement Income Security Act fiduciary responsibility rules, the Fair and Accurate Credit Transactions Act, federal and state electronic crimes and privacy laws. Publicly traded organizations and their leaders may face responsibilities and liability under new Securities and Exchange Commission regulations. The Employee Benefit Security Administration considers managing cybersecurity risks a part of the fiduciary obligations of fiduciaries of employment-based health plans. Meanwhile, health care providers, insurance organizations and brokers, third party administrators, government contractors, attorneys and other advisors and others also may be subject to medical confidentiality and other data privacy and security obligations under federal and state electronic crimes, identity theft, ethics, professional licensure, contractual, common law privacy and other statutory and common laws.

While it commonly is necessary or advisable to involve consulting or other technical support in the conduct of these activities, HIPAA entities should keep in mind the likelihood that their analysis and review is likely to uncover and prompt discussion of potentially legally or politically sensitive information. For this reason, HIPAA entities and their leaders generally will want to engage experienced legal counsel for assistance in structuring and executing these activities to maximize their ability to claim attorney-client privilege or other evidentiary protections against discovery or disclosure of certain aspects of these activities.

Finally, HIPAA entities should keep in mind that HIPAA and other cybersecurity compliance and risk management is an ongoing process requiring constant awareness and diligence.  Consequently, HIPAA entities should both monitor OCR and other regulatory and enforcement developments as well as exercise ongoing vigilance to monitor and maintain compliance within their organizations.

For More Information

We hope this update is helpful. For more information about these or other health or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 35 plus years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

A Fellow in the American College of Employee Benefit Counsel, Co-Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee and Vice-Chair Elect of its International Employment Law Committee, Chair-Elect of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading-edge work, scholarship and thought leadership on healthcare and life science, managed care and insurance and other workforce and staffing, employee benefits, safety, contracting, quality assurance, compliance and risk management, and other legal, public policy and operational concerns in the healthcare and life sciences, employee benefits, managed care and insurance, technology and other related industries. She speaks and publishes extensively on these and other related compliance issues.

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, life sciences, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. Scribe for the ABA JCEB Annual Meeting with the HHS Office of Civil Rights, her experience includes extensive involvement throughout her career in advising health care and life sciences and other clients about preventing, investigating and defending EEOC, DOJ, OFCCP and other Civil Rights Act, Section 1557 and other HHS, HUD, banking, and other federal and state discrimination investigations, audits, lawsuits and other enforcement actions as well as advocacy before Congress and regulators regarding federal and state equal opportunity, equity and other laws. 

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here such as:

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and educational purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstances at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules make it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access to this publication. 

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2023 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™

Comments Off on Health Plans Warned To Prevent Phishing By 1st Phishing-Related HIPAA Settlement | Corporate Compliance | Tagged: , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer