Ebola Scare & New OCR Privacy Guidance Reminder To Prepare For Pandemic & Other Emergencies

November 11, 2014

The recent US Ebola scare provided an important reminder to health care providers, health insurers and health plans, health care clearinghouses, employers and others of the importance of understanding and preparing to deal with health care privacy and other challenges arising from epidemics and other emergencies.  In response to the recent Ebola and other contagious disease outbreaks and just as U.S. health care and other business leaders are working to prepare for the biggest contagious disease time of the year, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is reminding health care providers, health plans, health care clearinghouses (Covered Entities) and their business associates that the privacy rules of the Health Insurance Portability & Accountability Act (HIPAA) requiring Covered Entities and their business associates to limit the use, access and disclosure of patient’s protected health information (PHI) continue to apply during emergency situations and help them understand when HIPAA allows them to share PHI in emergency situations in a new notice titled “HIPAA Privacy in Emergency Situations” (Guidance) published November 10, 2014. A business associate of a covered entity (including a business associate that is a subcontractor) also must continue to comply with HIPAA and may only make disclosures permitted by the Privacy Rule on behalf of a Covered Entity or another business associate to the extent authorized by its business associate agreement and consistent with HIPAA’s requirements.  With annual flu season approaching and the Ebola and other pandemic issues still circling, it’s time for all organizations to prepare to respond to these and other emergencies including the special privacy and other concerns they often raise.

Sharing Patient Information

The Guidance begins by reminding Covered Entities and their business associates that HIPAA’s Privacy Rule continues to apply in emergency situations and requires Covered Entities protect and prohibits their use, access or disclosure of patient’s protected health information except as allowed by HIPAA unless the patient authorizes the Covered Entity to disclose the PHI in accordance with HIPAA’s requirements for authorization set forth in 45 CFR 164.508.

The Guidance then goes on to discuss the following circumstances that the HIPAA Privacy Rule might allow Covered Entities to share PHI without getting patient authorization, subject to the reminder that in many cases, HIPAA will require that the Covered Entity limit the disclosure to the minimum necessary disclosure necessary for the allowable purpose and require other conditions to be fulfilled:

  • Treatment.

Under the Privacy Rule, covered entities may disclose, without a patient’s authorization, protected health information about the patient as necessary to treat the patient or to treat a different patient. Treatment includes the coordination or management of health care and related services by one or more health care providers and others, consultation between providers, and the referral of patients for treatment. See 45 CFR §§ 164.502(a)(1)(ii), 164.506(c), and the definition of “treatment” at 164.501.

  • Public Health Activities.

The HIPAA Privacy Rule recognizes the legitimate need for public health authorities and others responsible for ensuring public health and safety to have access to protected health information that is necessary to carry out their public health mission. Therefore, the Privacy Rule permits covered entities to disclose needed protected health information without individual authorization:

  • To Or At The Direction Of A Public Health Authority.

The HIPAA Privacy Rule allows Covered Entities to share protected health information with Public Health Authorities authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury or disability like the Centers for Disease Control and Prevention (CDC) or a state or local health department. This would include, for example, the reporting of disease or injury; reporting vital events, such as births or deaths; and conducting public health surveillance, investigations, or interventions. A “public health authority” is an agency or authority of the United States government, a State, a territory, a political subdivision of a State or territory, or Indian tribe that is responsible for public health matters as part of its official mandate, as well as a person or entity acting under a grant of authority from, or under a contract with, a public health agency. See 45 CFR §§ 164.501 and 164.512(b)(1)(i). For example, a covered entity may disclose to the CDC protected health information on an ongoing basis as needed to report all prior and prospective cases of patients exposed to or suspected or confirmed to have Ebola virus disease.

The HIPAA Privacy Rule also allows Covered Entities to share information at the direction of a public health authority:

    • To a foreign government agency that is acting in collaboration with the public health authority. See 45 CFR 164.512(b)(1)(i); and
    • To persons at risk of contracting or spreading a disease or condition if other law, such as state law, authorizes the covered entity to notify such persons as necessary to prevent or control the spread of the disease or otherwise to carry out public health interventions or investigations. See 45 CFR 164.512(b)(1)(iv)
  • Disclosures to Family, Friends, and Others Involved in an Individual’s Care and for Notification.

The HIPAA Privacy Rule allows a Covered Entity to share protected health information:

    • With a patient’s family members, relatives, friends, or other persons identified by the patient as involved in the patient’s care;
    • About a patient as necessary to identify, locate, and notify family members, guardians, or anyone else responsible for the patient’s care, of the patient’s location, general condition, or death including where necessary to notify family members and others, the police, the press, or the public at large. See 45 CFR 164.510(b).

The Guidance reminds Covered Entities, however, that the Privacy Rule requires the Covered Entity to get verbal permission from individuals or otherwise be able to reasonably infer that the patient does not object, when possible. If the individual is incapacitated or not available, the Guidance states Covered Entities may share information for these purposes if, in their professional judgment, doing so is in the patient’s best interest.

The Guidance also confirms that Covered Entities may share protected health information with disaster relief organizations authorized by law or by their charters to assist in disaster relief efforts like the American Red Cross for the purpose of coordinating the notification of family members or other persons involved in the patient’s care, of the patient’s location, general condition, or death. It is unnecessary to obtain a patient’s permission to share the information in this situation if doing so would interfere with the organization’s ability to respond to the emergency.

  • Imminent Danger

The Guidance also states that Covered Entities that are health care providers may share patient information with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public – consistent with applicable law (such as state statutes, regulations, or case law) and the provider’s standards of ethical conduct. See 45 CFR 164.512(j).

  • Disclosures to the Media & Others Not Involved in the Care of the Patient/Notification

The Guidance also reminds Covered Entities of the importance of closely adhering to HIPAA’s rules when responding to information requests from the medial or others not involved in the care of a patient. The Guidance states that when the media or other other party not involved un the patient’s care asks the Covered Entity for information about a particular patient by name, a hospital or other health care facility may release limited facility directory information to acknowledge an individual is a patient at the facility and provide basic information about the patient’s condition in general terms (e.g., critical or stable, deceased, or treated and released) if the patient has not objected to or restricted the release of such information or, if the patient is incapacitated, if the disclosure is believed to be in the best interest of the patient and is consistent with any prior expressed preferences of the patient. See 45 CFR 164.510(a). In general, except in the limited circumstances authorized in the HIPAA Privacy Rule, affirmative reporting to the media or the public at large about an identifiable patient, or the disclosure to the public or media of specific information about treatment of an identifiable patient, such as specific tests, test results or details of a patient’s illness, may not be done without the patient’s written authorization (or the written authorization of a personal representative who is a person legally authorized to make health care decisions for the patient).

  • Minimum Necessary Restriction Requirement

The Guidance cautions Covered Entities and their business associates that for most disclosures, a Covered Entity generally must make reasonable efforts to limit the information disclosed to that which is the “minimum necessary” to accomplish the purpose. However, this minimum necessary requirement does not apply to disclosures to health care providers for treatment purposes.

Covered Entities may rely on representations from a public health authority or other public official that the requested information is the minimum necessary when making disclosures in response to request from those parties. For example, a covered entity may rely on representations from the CDC that the protected health information requested by the CDC about all patients exposed to or suspected or confirmed to have Ebola virus disease is the minimum necessary for the public health purpose.

  • Required Internal Restrictions On Use, Access & Disclosure

Internally, covered entities should continue to apply their role-based access policies to limit access to protected health information to only those workforce members who need it to carry out their duties. See 45 CFR §§ 164.502(b), 164.514(d).

Safeguarding Patient Information

Beyond limiting the use, access and disclosure of PHI, the Guidance also reminds Covered Entities and their business associates that even in emergency situations, HIPAA continues to require them to implement reasonable safeguards to protect patient information against intentional or unintentional impermissible uses and disclosures as well as to apply the administrative, physical, and technical safeguards of the HIPAA Security Rule to electronic PHI.

Limited Waiver

Although HHS has yet to take steps to trigger a limited waiver, the Guidance also reminds Covered Entities and their business associates that HHS has the power to do so, the effect of a limited waiver and the circumstances under which HHS could elect to apply  a limited waiver to waive sanctions against a hospital for certain specific types of HIPAA violations while the waiver is in effect.

As the Guidance notes, the HIPAA Privacy Rule is not suspended during a public health or other emergency.  Rather, the limited waiver rules only operates to permit the Secretary of HHS to waive certain provisions of the Privacy Rule under the Project Bioshield Act of 2004 (PL 108-276) and section 1135(b)(7) of the Social Security Act. The limited waiver only applies when the President declares an emergency or disaster and HHS declares a public health emergency. When and if these requirements are met, HHS may waive sanctions and penalties against a Covered Entity that is a hospital for failing to comply with the following HIPAA Privacy Rule provisions:

  • The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
  • The requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
  • The requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
  • The patient’s right to request privacy restrictions. See 45 CFR 164.522(a).
  • The patient’s right to request confidential communications. See 45 CFR 164.522(b).

If the Secretary issues such a waiver, Covered Entities and their business associates should keep in mind the waiver only applies to the list violations and only applies:

  • For so long as the waiver remains in effect;
  • In the emergency area and for the emergency period identified in the public health emergency declaration
  • To hospitals that have instituted a disaster protocol; and
  • For up to 72 hours from the time the hospital implements its disaster protocol.

When the Presidential or Secretarial declaration terminates, a hospital must then comply with all the requirements of the Privacy Rule for any patient still under its care, even if 72 hours has not elapsed since implementation of its disaster protocol.

Not Necessarily Just About HIPAA

HIPAA is not necessarily the only law that Covered Entities, business associates or others need to consider when deciding what to disclose during an emergency or otherwise.  The HIPAA Privacy Rule applies to disclosures made by and Covered Entities, business associates employees, volunteers, and other members of a Covered Entity’s or Business Associate’s workforce. The Privacy Rule does not apply to disclosures made by entities or other persons who are not Covered Entities.

Beyond HIPAA, Covered Entities, their business associates or members of their workforce, employers, and other organizations also need to consider whether other federal or state laws, ethical rules, contracts or policies may restrict use or disclosure, safeguard, or take other steps to protect PHI or other information.  For instance, other federal laws, state law, professional ethical rules, contracts, facility policies or procedures, or other restrictions often apply to health care provides, insurers, brokers, employers or others.  Employers, health care organizations, insurers and others also need to be concerned about potential discrimination, common law and statutory privacy, retaliation, defamation and other exposures.

Prepare For Compliance Now

The recent experiences of various health care organizations intimately involved in caring for the Ebola patients highlights the importance of anticipating, preparing and conducting training, and having your workforce practice to prepare  to deal with the special challenges of dealing with HIPAA and other legal responsibilities in advance of emergency events.  When preparing for these events, Covered Entities and business associates need to take into account the need to comply operationally as well as to document and retain records of compliance.   They should  both should anticipate and prepare to respond to both typical inquiries as well as those from the media, public and others.   They also should consider how various types of emergencies could create new privacy or security risks.  For instance, in certain emergency situations, recordkeeping or other systems could be disrupted, impacting the ability retain and subsequently produce required documentation.  Furthermore, Covered Entities also should prepare to manage the patient and public relations aspects of these events including adverse impressions that often arise when the media or others are disappointed at being denied information because of compliance obligations, from breaches or perceived breaches, or other similar events.

For Representation, Training & Other Resources

If you need assistance monitoring HIPAA and other health and health plan related regulatory policy or enforcement developments, or to review or respond to these or other health care or health IT related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer may be able to help.

Board Certified in Labor & Employment Law, Past Chair of the ABA RPTE Employee Benefit & Other Compensation Arrangements Group, Co-Chair and Past Chair of the ABA RPTE Welfare Plan Committee, Vice Chair of the ABA TIPS Employee Benefit Plans Committee, Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 26 years experience advising health plan and employee benefit, insurance, financial services, employer and health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers, health plans, their business associates and other health industry clients to establish and administer medical privacy and other compliance and risk management policies, to health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. She regularly designs and presents HIPAA and other risk management, compliance and other training for health plans, employers, health care providers, professional associations and others.

Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 26 years experience advising health industry, insurance, technology and other clients to establish and administer compliance and risk management policies; prevent, conduct and investigate, and respond to peer review and other quality concerns; and to respond to OCR Privacy and Civil Rights, DOL, IRS, SEC, insurance department and other investigation and enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns.  The scribe for the American Bar Association (ABA) Joint Committee on Employee Benefits annual agency meeting with the Department of Health & Human Services Office of Civil Rights,  Ms. Stamer has worked extensively with health care providers, health plans, health care clearinghouses, their business associates, employers, banks and other financial institutions, and others on risk management and compliance with HIPAA and other information privacy and data security rules, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and enforcement, and a host of other related concerns.  Her clients include public and private health care providers, health insurers, health plans, technology and other vendors, and others.  In addition to representing and advising these organizations, she also has conducted training on Privacy & The Pandemic for the Association of State & Territorial Health Plans,  as well as  HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for  Los Angeles County Health Department, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.

For the past four years, Ms. Stamer has served as the  scribe for the ABA Joint Committee on Employee Benefits agency meeting with OCR.   Ms. Stamer also regularly works with OCR, FTC, USSS, FBI and state and local law enforcement on privacy, data security, health care, benefits and insurance and other matters, publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. For instance, Ms. Stamer for the second year will serve as the appointed scribe for the ABA Joint Committee on Employee Benefits Agency meeting with OCR. Her insights on HIPAA risk management and compliance frequently appear in medical privacy related publications of a broad range of health care, health plan and other industry publications Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others.  You can get more information about her HIPAA and other experience here.

If you need assistance with these or other compliance concerns, wish to inquire about arranging for compliance audit or training, or need legal representation on other matters please contact Ms. Stamer at (469) 767-8872 or via e-mail here.

You can review other recent publications and resources and additional information about the other experience of Ms. Stamer here. Examples of some recent publications that may be of interest include:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or updating your profile here. For important information concerning this communication click here.

©2014 Cynthia Marcotte Stamer.  Non-exclusive right to republish granted to Solutions Law Press, Inc.   All rights reserved.

Comments Off on Ebola Scare & New OCR Privacy Guidance Reminder To Prepare For Pandemic & Other Emergencies | Employers, Health Plans, HIPAA, Human Resources, Insurance | Tagged: , , , , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

IRS Guidance Raises Concerns For Many Employers Offering “Skinny” & Other Limited Coverage Health Plans

November 4, 2014

Learn More Details By Participating In November 13, 2014 WebEx Briefing

Employers of 100 or more full-time employees that plan currently offering or planning to offer after November 4, 2014 health plans with mandate only or other “skinny” plan designs which do not provide “substantial coverage” for both in-patient hospitalization and physician services should re-evaluate the implications of their proposed plan design as well as existing and planned employee enrollment or other communications about those plans, in light of the new guidance provided by Notice 2014-69 released by the Internal Revenue Service (IRS) today.  Learn all the details about this new guidance and its implication by participating in our November 13 , 2014 briefing.

Plans Must Provide “Substantial Coverage” for Both In-Patient Hospitalization & Physician Services To Provide Minimum Value

Notice 2014-69 makes it official that the Department of Treasury (including the IRS) and Department of Health and Human Services (collectively the Departments)  believe that group health plans that fail to provide substantial coverage for in-patient hospitalization services or for physician services (or for both) (referred to in the Notice as Non-Hospital/Non-Physician Services Plans) do not provide the “minimum value” necessary to fulfill the minimum value requirements of Code §36B and 4080H(b).

The Notice also notifies sponsoring employers about the Departments expectations about notifications and other communications to employees about Non-Hospital/Non-Physician Services Plans) as well as shares details about the Departments plans for implementing their interpretation in planned final regulations by March, 2015.

Standards On Employer Communications About Non-Hospital/Non-Physician Services Plans

The Notice cautions employers about the need to use care in communicating with employees about Non-Hospital/Non-Physician Services Plan.  Among other things, the Notice states that an employer that offers a Non-Hospital/Non-Physician Services Plan (including a Pre-November 4, 2014 Non-Hospital/Non-Physician Services Plan) to an employee must:

  • Not state or imply in any disclosure that the offer of coverage under the Non-Hospital/Non-Physician Services Plan precludes an employee from obtaining a premium tax credit, if otherwise eligible, and
  • Timely correct any prior disclosures that stated or implied that the offer of the Non-Hospital/Non-Physician Services Plan would preclude an otherwise tax-credit-eligible employee from obtaining a premium tax credit.
  • Without such a corrective disclosure, the Notice warns that a statement (for example, in a summary of benefits and coverage) that a Non-Hospital/Non-Physician Services Plan provides minimum value will be considered to imply that the offer of such a plan precludes employees from obtaining a premium tax credit. However, an employer that also offers an employee another plan that is not a Non-Hospital/Non/-Physician Services Plan and that is affordable and provides minimum value (MV) is permitted to advise the employee that the offer of this other plan will or may preclude the employee from obtaining a premium tax credit.

Anticipated Approach In Planned Regulations

Regarding the Departments plans to adopt regulations implementing the interpretation of Code § 36B announced in the Notice, the Notice indicates:

  • HHS intends to promptly propose amending 45 CFR 156.145 to provide that a health plan will not provide minimum value if it excludes substantial coverage for in-patient hospitalization services or physician services (or both).
  • Treasury and the IRS intend to issue proposed regulations that apply these proposed HHS regulations under Code section 36B. Accordingly, under the HHS and Treasury regulations, an employer will not be permitted to use the MV Calculator (or any actuarial certification or valuation) to demonstrate that a Non-Hospital/Non-Physician Services Plan provides minimum value.
  • Treasury and IRS anticipate that the proposed changes to regulations will be finalized in 2015 and will apply to plans other than Pre-November 4, 2014 Non-Hospital/Non-Physician Services Plans on the date they become final rather than being delayed to the end of 2015 or the end of the 2015 plan year. As a result, a Non-Hospital/Non-Physician Services Plan (other than a Pre-November 4, 2014 Non-Hospital/Non-Physician Services Plan) should not be adopted for the 2015 plan year.
  • Solely in the case of an employer that has entered into a binding written commitment to adopt, or has begun enrolling employees in, a Non-Hospital/Non-Physician Services Plan prior to November 4, 2014 based on the employer’s reliance on the results of use of the MV Calculator (a Pre-November 4, 2014 Non-Hospital/Non-Physician Services Plan), however, Notice 2014-69 states the Departments anticipate that final regulations, when issued, will not be applicable for purposes of Code section 4980H with respect to the plan before the end of the plan year (as in effect under the terms of the plan on November 3, 2014) if that plan year begins no later than March 1, 2015.
  • Employers offering Non-Hospital/Non-Physician Services Plans should “exercise caution in relying on the Minimum Value Calculator to demonstrate that these plans provide minimum value for any portion of a taxable year after publication of the planned final regulations.
  • The IRS will not require an employee to treat a Non-Hospital/Non-Physician Services Plan as providing minimum value for purposes of an employee’s eligibility for a premium tax credit under Code section 36B, regardless of whether the plan is a Pre-November 4, 2014 Non-Hospital/Non-Physician Services Plan before final regulations take effect.

Employers & Plans Most Likely To Be Affected

The interpretation of minimum value and planned future regulatory changes announced in Notice 2014-69 primarily will impact large employers subject to the “pay or play” shared responsibility rules of Code § 4980H that offer a health plan providing coverage that meets the “minimum essential coverage” standards of Code § 4980H.

Under Code § 4980H(a),  large employers that fail to offer employee and dependent coverage under a health plan providing “minimum essential coverage” to each full-time employee generally become liable to pay an employer shared responsibility payment of  $165 per month ($2000 per year) (commonly referred to as the “A Penalty”)  for each full-time employee.

In contrast, the penalties (commonly referred to as the “B Penalty”) created under Code § 4980H(b) generally comes into play when a covered large employer offers health plan coverage under a health plan providing minimum essential coverage but the plan either:

  • Does not provide minimum value; or
  • The cost to the employee for coverage exceeds 9.5% of the employee’s family adjusted gross income or an otherwise applicable safe harbor amount allowed under IRS regulations.Register For Briefing To Learn More
  • To learn more about Notice 2014-69 and its implications on employer health plan obligations and Code § 4980H shared responsibility exposures, register to participate in a special Solutions Law WebEx Briefing on the new guidance conducted by Attorney Cynthia Marcotte Stamer on Thursday, November 13, 2014 from Noon to 1:00 p.m. Central Time here.
  • Assuming at least one full-time employee of a covered large employer receives a subsidy for enrolling in health coverage through a health care exchange or “Marketplace” established under ACA, the B Penalty generally is equal to $250 per month ($3000 per year) multiplied by the number of such subsidized employees of the employer.

Learn More By Joining November 13, 2014 Solutions Law Press, Inc. Virtual Briefing Register Now!

To learn more about Notice 2014-69 and its implications on employer health plan obligations and Code § 4980H shared responsibility exposures, register to participate in a special Solutions Law WebEx Briefing on the new guidance conducted by Attorney Cynthia Marcotte Stamer on Thursday, November 13, 2014 from Noon to 1:00 p.m. Central Time here.

During the briefing, Ms. Stamer will:

  • Explain what health benefits, if any, employers must offer employees under current ACA guidance
  • Brief participants on this new guidance and other related guidance
  • Discuss potential implications for employers and their health plans
  • Discuss potential options for employers dealing with these plans and
  • Take questions from virtual audience participants as time permits.

Registration Fee is $35.00 per person   Registration required for each virtual participant. Payment required via website registration in advance of the program.. Payment only accepted via website PayPal. No checks or cash accepted. Participation is limited and available on a first come, first serve basis. Persons not registered at least 24 hours in advance not guaranteed to receive access information or materials prior to commencement of the briefing.

This briefing will be conducted via WebEx over the internet. Participants may have the opportunity to participate via telephone, provided that participants electing to participate may incur added charges for telephone connectivity. Solutions Law Press, Inc. is not responsible for any power or system failures. Solutions Law Press, Inc. also expects to offer the opportunity for individuals unable to participate in the live briefing to listen to a recording of the briefing beginning approximately one week after the program via the Internet by registering, paying the required registration fee and following listening instructions received in response to such registration.

Interested persons can register here now!

About The Speaker

A Fellow in the American College of Employee Benefits Counsel, recognized in International Who’s Who, and Board Certified in Labor & Employment Law, attorney and health benefit consultant Cynthia Marcotte Stamer has  25 years experience advising and representing private and public employers, employer and union plan sponsors, employee benefit plans, associations, their fiduciaries, administrators, and vendors, group health, Medicare and Medicaid Advantage, and other insurers, governmental leaders and others on health and other employee benefit. employment, insurance and related matters. A well-known and prolific author and popular speaker Board Certified in Labor & Employment Law, Ms. Stamer presently serves as Co-Chair of the ABA RPTE Section Welfare Plan Committee, Vice Chair of the ABA TIPS Employee Benefit Committee, an ABA Joint Committee on Employee Benefits Representative, an Editorial Advisory Board Member of the Institute of Human Resources (IHR/HR.com), Insurance Thought Leadership,com and Employee Benefit News, and various other publications.  With extensive domestic and international regulatory and public policy experience, Ms. Stamer also has worked extensively domestically and internationally on public policy and regulatory advocacy on health and other employee benefits, human resources, insurance, tax, compliance and other matters and representing clients in dealings with the US Congress, Departments of Labor, Treasury, Health & Human Services, as well as state legislatures, attorneys general, insurance and labor departments, and other agencies and regulators. A prolific author and popular speaker, Ms. Stamer regularly authors materials and conducts workshops and professional, management and other training and serves on the faculty and planning committees of a multitude of symposium and other educational programs.  See http://www.CynthiaStamer.com  for more details.

 

A Fellow in the American College of Employee Benefits Counsel, recognized in International Who’s Who, and Board Certified in Labor & Employment Law, attorney and health benefit consultant Cynthia Marcotte Stamer has 25 plus years’ experience advising and representing private and public employers, employer and union plan sponsors, employee benefit plans, associations, their fiduciaries, administrators, and vendors, group health, Medicare and Medicaid Advantage, and other insurers, governmental leaders and others on health and other employee benefit. employment, insurance and related matters. A well-known and prolific author and popular speaker Board Certified in Labor & Employment Law, Ms. Stamer presently serves as Co-Chair of the ABA RPTE Section Welfare Plan Committee, Vice Chair of the ABA TIPS Employee Benefit Committee, an ABA Joint Committee on Employee Benefits Representative, an Editorial Advisory Board Member of the Institute of Human Resources (IHR/HR.com), Insurance Thought Leadership,com and Employee Benefit News, and various other publications. With extensive domestic and international regulatory and public policy experience, Ms. Stamer also has worked extensively domestically and internationally on public policy and regulatory advocacy on health and other employee benefits, human resources, insurance, tax, compliance and other matters and representing clients in dealings with the US Congress, Departments of Labor, Treasury, Health & Human Services, as well as state legislatures, attorneys general, insurance and labor departments, and other agencies and regulators. A prolific author and popular speaker, Ms. Stamer regularly authors materials and conducts workshops and professional, management and other training and serves on the faculty and planning committees of a multitude of symposium and other educational programs. See http://www.CynthiaStamer.com. for more details.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides business and management information, tools and solutions, training and education, services and support to help organizations and their leaders promote effective management of legal and operational performance, regulatory compliance and risk management, data and information protection and risk management and other key management objectives.  Solutions Law Press, Inc.™ also conducts and assist businesses and associations to design, present and conduct customized programs and training targeted to their specific audiences and needs.

For Added Information and Other Resources

If you found this update of interest, you also may be interested in reviewing some of the other updates and publications authored by Ms. Stamer available including:

For additional information about upcoming programs, to inquire about becoming a presenting sponsor for an upcoming event, e-mail your request to info@Solutionslawpress.com   These programs, publications and other resources are provided only for general informational and educational purposes. Neither the distribution or presentation of these programs and materials to any party nor any statement or information provided in or in connection with this communication, the program or associated materials are intended to or shall be construed as establishing an attorney-client relationship,  to constitute legal advice or provide any assurance or expectation from Solutions Law Press, Inc., the presenter or any related parties. If you or someone else you know would like to receive future Alerts or other information about developments, publications or programs or other updates, send your request to info@solutionslawpress.com.  If you would prefer not to receive communications from Solutions Law Press, Inc. send an e-mail with “Solutions Law Press Unsubscribe” in the Subject to support@solutionslawyer.net.  CIRCULAR 230 NOTICE: The following disclaimer is included to comply with and in response to U.S. Treasury Department Circular 230 Regulations.  ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN. If you are an individual with a disability who requires accommodation to participate, please let us know when you register so that we may consider your request.   ©2014 Solutions Law Press, Inc.  All rights reserved.

 

Comments Off on IRS Guidance Raises Concerns For Many Employers Offering “Skinny” & Other Limited Coverage Health Plans | ADA, Affordable Care Act, Claims Administration, Corporate Compliance, Disability, EEOC, EEOC, Employee Benefits, Employers, ERISA, Fiduciary Responsibility, GINA, Health Plans, HIPAA, Human Resources, MEWA, Tax, Wellness Programs | Tagged: , , , , , , , , , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

Review & Update HR & Benefit Practices For DOL Proposed Change In FMLA Regs, Other Rules Treating Some Same-Sex Couples As Spouses

July 8, 2014

August 11, 2014 is the deadline for employers and other interested individuals to comment on the  U.S. Department of Labor’s Wage and Hour Division (DOL) June 27, 2014 Notice of Proposed Rulemaking (NPRM), which would amend the definition of spouse under the current Family and Medical Leave Act of 1993 (FMLA) regulations in light of the United States Supreme Court’s decision in United States v. Windsor, which ruled unconstitutional section 3 of the Defense of Marriage Act (DOMA).  The proposed change is one of a series of regulatory changes that the Obama Administration has proposed or adopted since the Windsor decision.

DOL intends that the NPRM will replace the current definition of “spouse” its current FMLA regulations so that eligible employees in legal same-sex marriages will be able to take FMLA leave to care for their spouse or family member, regardless of where they live.

To accomplish this, the NPRM proposes to revise the current definition of spouse in the current FMLA regulations to define spouse as follows: Spouse, as defined in the statute, means a husband or wife. For purposes of this definition, husband or wife refers to the other person with whom an individual entered into marriage as defined or recognized under State law for purposes of marriage in the State in which the marriage was entered into or, in the case of a marriage entered into outside of any State, if the marriage is valid in the place where entered into and could have been entered into in at least one State. This definition includes an individual in a same-sex or common law marriage that either (1) was entered into in a State that recognizes such marriages or, (2) if entered into outside of any State, is valid in the place where entered into and could have been entered into in at least one State.

Among other things, this change will:

  • Replace the current “state of residence” rule with a rule that determines spousal status based on where the marriage was entered into (sometimes referred to as “place of celebration”) rule for determining marital status;
  • Revise the definition of spouse expressly to reference same-sex marriages in addition to common law marriages, and to encompass same-sex marriages entered into abroad that could have been entered into in at least one State.

The expanded definition of spouse will broaden the range of couples that employers and plans may be required to treat as spouses for purposes of the FMLA.  This expansion also may result in the extension of rights with respect to parents or children of a same-sex partner for certain employment or employee benefit purposes.  While the historical determination of parental relationships under the FMLA regulations based on a functional, rather than legalistic, test means that the proposed change will likely have less significance in this regard, employers and plans still should evaluate the potential implications of the expanded definition of spouse on its responsibilities with respect to the employees, their same-sex partners and the parents and children of the same-sex partners.

Also, many employers and employee benefit plans may be concerned about proposed language in the NPRM and other regulations requiring employers to decide if a marriage not valid in the United States could have been valid if performed within the United States.  Likewise, as the number of states where same-sex partners can qualify as spouses continues to evolve as courts and legislatures act to require recognition of these relationships, many employers and plans may feel legitimate concerns about the operational demands of administering their human resources and employee benefit plans and policies with respect to individuals involved in same-sex relationships where the legal status of the relationship may evolve due to changes of law, creating responsibilities for the employer or plan with respect to relationships that it may not know exist or the status of which may change subsequent to a determination of marital status or other relevant decision.  Employers and employee benefit plans should consider adopting practices to address these challenges to minimize the risk of incurring liability as a result of an oversight resulting from evolving status.

 For Representation, Training & Other Resources

If you need assistance monitoring these and other regulatory policy, enforcement, litigation or other developments, or to review or respond to these or other workforce, benefits and compensation, performance and risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer may be able to help.

Board Certified in Labor & Employment Law, Past Chair of the ABA RPTE Employee Benefit & Other Compensation Arrangements Group, Co-Chair and Past Chair of the ABA RPTE Welfare Plan Committee, Vice Chair of the ABA TIPS Employee Benefit Plans Committee, Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 25 years’ experience advising employers, health plan and other employee benefit, insurance, financial services, health and other business clients about these and other matters.   As a part of this involvement, Ms. Stamer has extensive experience advising employers, employee benefit plans, insurers, health care providers and others about the implications of DOMA and other rules impacting the identification of spouses and other family status protections under the FMLA and other Federal and state employment, tax, health care and other laws.  She publishes and speaks extensively on these and other staffing and human resources, compensation and benefits, technology, health care, privacy, public policy, and other operations and risk management concerns. Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications.

You can review other recent human resources, employee benefits and internal controls publications and resources and additional information about the employment, employee benefits and other experience of the Cynthia Marcotte Stamer, PC here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile www.cynthiastamer.com or by registering to participate in the distribution of these and other updates on our HR & Employee Benefits Update here including:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or updating your profile here. For important information concerning this communication click here©2014 Cynthia Marcotte Stamer. Limited, non-exclusive right to republished granted to Solutions Law Press, Inc. All other rights reserved.

Comments Off on Review & Update HR & Benefit Practices For DOL Proposed Change In FMLA Regs, Other Rules Treating Some Same-Sex Couples As Spouses | Employers, Health Plans, HIPAA, Human Resources, Insurance | Tagged: , , , | Permalink
Posted by Cynthia Marcotte Stamer

Employee & Other Whistleblower Complaints Common Source of HIPAA Privacy & Other Complaints

July 7, 2014

Employer and other health plan sponsors, administrators, insurers and their business associates should heed both the lesson about properly protecting health plan documents with protected health information and the more subtle lesson about the role of employees and other whistleblowers in bringing these violations to the attention of regulators contained in the latest Health Insurance Portability & Accountability Act (HIPAA) resolution agreement as well as act to manage their potential employment related liability to workforce members reporting these violations

HIPAA’s Privacy, Security and Breach Notification Rules generally prohibit  health plans, health care providers, health plans (Covered Entities) and their business associates from creating, using, accessing or disclosing protected health information except as allowed by HIPAA.  In addition, HIPAA requires covered entities both to meet detailed criteria for protecting electronic protected health information and also to take reasonable steps to protect all protected health information, as well as meet other business associate, breach notification, and individual rights requirements.

Parkview Resolution Agreement

Late last month, the Department of Health & Human Services Office of Civil Rights (HHS) announced that complaints of a retiring physician over the mishandling of her patient records by Parkview Health System, Inc. (Parkview) prompted the investigation that lead Parkview to agree to pay $800,000 to settle charges that it violated HIPAA’s Privacy Rule.

The resolution agreement settles charges lodged by HHS based on an OCR investigation into the retiring physician’s allegations that Parkview violated the HIPAA Privacy Rule by failing to properly safeguard the records when it returned them to the physician following her retirement.

As a covered entity under the HIPAA Privacy Rule, HIPAA requires that Parkview appropriately and reasonably safeguard all protected health information in its possession, from  acquisition to disposition.

In an investigation prompted by the physician’s complaint, OCR found that Parkview breached this responsibility in its handling of certain physician patient records in helping the physician to transition to retirement.

According to OCR, in September 2008, Parkview took custody of medical records of approximately 5,000 to 8,000 patients while assisting the retiring physician to transition her patients to new providers, and while considering the possibility of purchasing some of the physician’s practice.

Subsequently on June 4, 2009, Parkview employees, with notice that the physician was not at home, left 71 cardboard boxes of these medical records unattended and accessible to unauthorized persons on the driveway of the physician’s home, within 20 feet of the public road and a short distance away from a heavily trafficked public shopping venue. OCR concluded this conduct violated the Privacy Rule.

To settle OCR’s charges that these actions violated HIPAA, OCR has agreed to pay the $800,000 resolution amount and to adopt and implement a corrective action plan requiring Parkview to revise their policies and procedures, train staff, and provide an implementation report to OCR.

HIPAA Violations Carry Significant Liability

As demonstrated by the Parkview resolution agreement, violation of HIPAA  can carry significant civil and potentially even criminal liability.  The criminal provisions of HIPAA as well as the express terms of the Privacy Rules require that covered entities and their business associates adopt and administer specific compliance programs and practices to provide to compliance with HIPAA and HIPAA’s breach notification rules and the Privacy Regulations may require self-reporting of violations when and if violations occur.  Since HIPAA includes potential criminal liability, violations of its provisions can trigger organizational liability for covered entities and their business associates.  Consequently, HIPAA compliance also generally should be part of the Federal Sentencing Guideline Compliance Program of every covered entity and business associate.

The HITECH Act tightened certain rules applicable to the use, access or disclosure of protected health information by covered entities and their business associates.  In addition, the HITECH Act added breach notification rules, extended direct responsibility for compliance with HIPAA to business associates, increased penalties for noncompliance with HIPAA and made other refinements to HIPAA’s medical privacy rules and made certain other changes.  Furthermore, enforcement of HIPAA and the resulting penalties have increased since the HITECH Act took effect.

With OCR stepping up both audits and enforcement and penalties for violations higher than ever since the HITECH Act amended HIPAA, Covered Entities and business associates should act quickly to review and update their policies, practices and training to implement any adjustments needed to maintain compliance and manage other risks under these ever-evolving HIPAA standards.

When conducting these efforts, Covered Entities and business associates not only carefully watch for and react promptly to new OCR guidance and enforcement actions, but also document their commitment and ongoing compliance and risk management activities to help support their ability to show their organization maintains the necessary “culture of compliance” commitment needed to mitigate risks in the event of a breach or other HIPAA violation and take well-documented, reasonable steps to encourage their business associates to do the same.    When carrying out these activities, most covered entities and business associates also will want to take steps to monitor potential responsibilities and exposures under other federal and state laws like the privacy and data security requirements that often apply to personal financial information, trade secrets or other sensitive data under applicable federal and state laws and judicial precedent.

A series of supplemental guidance issued by the Department of Health & Human Services Office of Civil Rights (OCR) in recent weeks is giving health care providers, health plans, health care clearinghouses (Covered Entities) and their business associates even more to do in reviewing and updating their policies, practices and training for handing protected health information (PHI) beyond bringing their policies and practices into line with OCR’s restatement and update to the Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule (Omnibus Final Rule) OCR published January 25, 2013.

Covered Entities generally have been required to comply with most requirements the Omnibus Final Rule’s restated regulations restating OCR’s regulations implementing the Health Insurance Portability & Accountability Act (HIPAA) Privacy, Security and Breach Notification Rules to reflect HIPAA amendments enacted by the Health Information Technology for Economic and Clinical Health (HITECH) Act since the Omnibus Final Rule took effect on March 26, 2013 and to have updated business associate agreements in place since September 23, 2013.  Meanwhile, the Omnibus Final Rule generally has required business associates have updated business associate agreements in place and otherwise to have come into compliance with all of the applicable requirements of the Omnibus Final Rule since September 23, 2013.  Although these deadlines are long past, many Covered Entities and business associates have yet to complete the policy, process and training updates required to comply with the rule changes implemented in  the Omnibus Final Rule.

Even if a Covered Entity or business associate completed the updates required to comply with the Omnibus Final Rule, however, recent supplemental guidance published by OCR means that most organizations now have even more work to do on HIPAA compliance. This includes the following supplemental guidance on its interpretation and enforcement of HIPAA against Covered Entities and business associates published by OCR since January 1, 2014 alone:

Beyond this 2014 guidance, Covered Entities and their business associates also should look at enforcement actions and data as well as other guidance OCR issued during 2013 after publishing the Omnibus Final Rule such as:

With OCR stepping up both audits and enforcement and penalties for violations higher than ever since the HITECH Act amended HIPAA, Covered Entities and business associates should act quickly to review and update their policies, practices and training to implement any adjustments needed to maintain compliance and manage other risks under these ever-evolving HIPAA standards.

When conducting these efforts, Covered Entities and business associates not only carefully watch for and react promptly to new OCR guidance and enforcement actions, but also document their commitment and ongoing compliance and risk management activities to help support their ability to show their organization maintains the necessary “culture of compliance” commitment needed to mitigate risks in the event of a breach or other HIPAA violation and take well-documented, reasonable steps to encourage their business associates to do the same.    When carrying out these activities, most covered entities and business associates also will want to take steps to monitor potential responsibilities and exposures under other federal and state laws like the privacy and data security requirements that often apply to personal financial information, trade secrets or other sensitive data under applicable federal and state laws and judicial precedent.

Watch & Manage Whistleblower Liability From HIPAA Violations & Compliance

Beyond illustrating the potential HIPAA-associated penalties that can result from failing to comply with HIPAA, the Parkview resolution agreement also illustrates the risks that current or former workforce members and others acting as whistleblowers play in helping OCR to identify HIPAA violations.  HIPAA and most other laws prohibited covered entities from forbidding or retaliating against a person for objecting to or reporting the concern and offer whistleblowers potential participation in the reporting and prosecution of violations.  Beyond these specific federal HIPAA protections, state courts often recognize firing or otherwise retaliating against workforce members or others for exercising rights protected by HIPAA or other federal anti-retaliation statutes as a basis for a state whistleblower or other retaliatory discharge claim.  See, e.g. Faulkner v. Department of State Health Servs., 2009 U.S. Dist. LEXIS 22419 (N.D. Tex. Mar. 19, 2009).  See also Court Recognizes Retaliation For Filing HIPAA Privacy Complaint As Basis For Texas Whistleblower Claim.    With retaliation and other whistleblower complaints becoming increasingly common and judgments from these claims rising, covered entities and their business associates need to include appropriate employment liability risk management processes and procedures in their HIPAA compliance processes and coordinate carefully with their human resources team and qualified employment counsel to manage the employment liability related risks associated with investigations and discipline activities under HIPAA.  Concurrently, Privacy Officers also should ensure that their organization’s human resources team understands the HIPAA rules and spot and properly refers to the privacy officer for investigation statements or other activities that may indicate that a HIPAA compliance or retaliation concern needs investigation or redress to avoid missing potential exposures hidden in the human resources processes that could reflect a practice of tolerance or retaliation unacceptable to OCR.

 For Representation, Training & Other Resources

If you need assistance monitoring these and other regulatory policy, enforcement, litigation or other developments, or to review or respond to these or other workforce, benefits and compensation, performance and risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer may be able to help.

Board Certified in Labor & Employment Law, Past Chair of the ABA RPTE Employee Benefit & Other Compensation Arrangements Group, Co-Chair and Past Chair of the ABA RPTE Welfare Plan Committee, Vice Chair of the ABA TIPS Employee Benefit Plans Committee, Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 25 years’ experience advising health plan and employee benefit, insurance, financial services, employer and health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers, health plans, their business associates and other health industry clients to establish and administer medical privacy and other compliance and risk management policies, to health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. The scribe for the ABA JCEB Annual Agency Meeting with the Office of Civil Rights (OCR) for the past several years who has worked on medical and other privacy concerns throughout her career, she regularly designs and presents HIPAA and other risk management, compliance and other training for health plans, employers, health care providers, professional associations and others, defends covered entities and business associates against OCR, FTC and other privacy and data security investigations, serves as special counsel in litigation arising from these concerns and is the author of several highly regarded publications on HIPAA and other privacy and security concerns.

Ms. Stamer also regularly works with OCR, FTC, USSS, FBI and state and local law enforcement on privacy, data security, health care, benefits and insurance and other matters, publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. For instance, Ms. Stamer for the third year will serve as the appointed scribe for the ABA Joint Committee on Employee Benefits Agency meeting with OCR. Her insights on HIPAA risk management and compliance often appear in medical privacy related publications of a broad range of health care, health plan and other industry publications Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others.  You can get more information about her HIPAA and other experience here.

You can review other recent human resources, employee benefits and internal controls publications and resources and additional information about the employment, employee benefits and other experience of the Cynthia Marcotte Stamer, PC here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile www.cynthiastamer.com or by registering to participate in the distribution of these and other updates on our HR & Employee Benefits Update here including:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or updating your profile here. For important information concerning this communication click here©2014 Cynthia Marcotte Stamer. Limited, non-exclusive right to republished granted to Solutions Law Press, Inc. All other rights reserved.

Comments Off on Employee & Other Whistleblower Complaints Common Source of HIPAA Privacy & Other Complaints | Employers, Health Plans, HIPAA, Human Resources, Insurance | Tagged: , , , | Permalink
Posted by Cynthia Marcotte Stamer

HHS Claims Average $69/Month Cost for Subsidized Coverage Shows ACA Success Challenged

June 18, 2014

The Department of Health & Human Services (HHS) is touting a new report available here released today that it says people who qualified for tax credits to buy health insurance coverage through the health insurance exchange who selected silver plans, the most popular plan type in the federal Marketplace, paid an average premium of $69 per month. In the federal Marketplace, 69 percent of enrollees who selected Marketplace plans with tax credits had premiums of $100 a month or less, and 46 percent of $50 a month or less after tax credits.   The balance of the cost of the coverage is covered via subsidies.  Other sources, however, say the data in the report raises concerns about the overall cost of the health care reform law and its impact on the total cost of coverage.

HHS says the report also looks at competition and choice nationwide among health insurance plans in 2013-2014.  HHS claims that the report shows most individuals shopping in the Marketplace had a wide range of health plans from which to choose. On average, consumers could choose from five health insurers and 47 Marketplace plans. An increase of one issuer in a rating area is associated with 4 percent decline in the second-lowest cost silver plan premium, on average.

While the HHS report by focusing on what subsidized individuals pay out of pocket spins the data to give the impression that the health care reform law is bringing down health care costs as promised, other sources say the data in the Report raises serious concerns about the overall cost of the health care reform law and the total cost of coverage.  While acknowledging that “the generous subsidies” helped consumers receiving subsidies, the Los Angeles Times reports these subsidies coupled with the massive enrollment by individuals qualifying for subsidies raise budgetary concerns.  According to the Los Angeles Times article, the reports shows the federal government is on track to spend at least $11 billion on subsidies for consumers who bought health plans on marketplaces run by the federal government, even accounting for the fact that many consumers signed up for coverage in late March and will only receive subsidies for part of the year.  However, this total does not count the additional cost of providing coverage to the 1/3 of the 8 million new people who signed up for coverage who bought coverage in states that ran their own marketplaces, including California, Connecticut, Maryland and New York.   While Federal officials said subsidy data for these consumers were not available, the Los Angeles Times estimated that if these state consumers received roughly comparable government assistance for their insurance premiums, the total cost of subsidies could top $16.5 billion this year, resulting in budgetary costs “far higher”  than the $10 million budgetary cost that the Congressional Budget Office projected subsidies would cost U.S. taxpayers in 2014. See  Obamacare subsidies push cost of health law above projections.

 For Representation, Training & Other Resources

If you need assistance monitoring these and other regulatory policy, enforcement, litigation or other developments, or to review or respond to these or other workforce, benefits and compensation, performance and risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer may be able to help.

Board Certified in Labor & Employment Law, Past Chair of the ABA RPTE Employee Benefit & Other Compensation Arrangements Group, Co-Chair and Past Chair of the ABA RPTE Welfare Plan Committee, Vice Chair of the ABA TIPS Employee Benefit Plans Committee, Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 25 years’ experience advising health plan and employee benefit, insurance, financial services, employer and health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers, health plans, their business associates and other health industry clients to establish and administer medical privacy and other compliance and risk management policies, to health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. The scribe for the ABA JCEB Annual Agency Meeting with the Office of Civil Rights (OCR) for the past several years who has worked on medical and other privacy concerns throughout her career, she regularly designs and presents HIPAA and other risk management, compliance and other training for health plans, employers, health care providers, professional associations and others, defends covered entities and business associates against OCR, FTC and other privacy and data security investigations, serves as special counsel in litigation arising from these concerns and is the author of several highly regarded publications on HIPAA and other privacy and security concerns.

Ms. Stamer also regularly works with OCR, FTC, USSS, FBI and state and local law enforcement on privacy, data security, health care, benefits and insurance and other matters, publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. For instance, Ms. Stamer for the third year will serve as the appointed scribe for the ABA Joint Committee on Employee Benefits Agency meeting with OCR. Her insights on HIPAA risk management and compliance frequently appear in medical privacy related publications of a broad range of health care, health plan and other industry publications Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others.  You can get more information about her HIPAA and other experience here.

You can review other recent human resources, employee benefits and internal controls publications and resources and additional information about the employment, employee benefits and other experience of the Cynthia Marcotte Stamer, PC here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile www.cynthiastamer.com or by registering to participate in the distribution of these and other updates on our HR & Employee Benefits Update distributions here including:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or updating your profile here. For important information concerning this communication click here©2014 Cynthia Marcotte Stamer. Limited, non-exclusive right to republished granted to Solutions Law Press, Inc. All other rights reserved.

Comments Off on HHS Claims Average $69/Month Cost for Subsidized Coverage Shows ACA Success Challenged | Employers, Health Plans, HIPAA, Human Resources, Insurance | Tagged: , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

HIPAA Compliance & Breach Data Shares Helpful Lessons For Health Plans, Providers and Business Associates

June 11, 2014

Health care providers, health plans and insurers, health care clearinghouses (collectively “Covered Entities”), their business associates, and others concerned about medical privacy regulations or protections should check out two new reports to Congress about breach notifications reported and other compliance data under the Health Insurance Portability & Accountability Act (HIPAA) by the U.S. Department of Health and Human Services, Office for Civil Rights (OCR).   Reviewing this data can help Covered Entities and their business associates identify potential areas of exposures and enforcement that can be helpful to minimize their HIPAA liability as well as to expect OCR enforcement and audit inquiries.  Smart covered entities and business associates will include review of these and other reports about compliance and enforcement by OCR and assessment of their processes against this information as a part of their HIPAA compliance and risk management practices.

Required by the Health Information Technology for Economic and Clinical Health (HITECH) Act, the two new reports discuss various details about HIPAA compliance for calendar years 2011 and 2012.  They include the following:

  • Report to Congress on Breach Notifications, discussing the breach notification requirements and reports OCR received as a result of these breach notification requirements; and
  • Report to Congress on Compliance with the HIPAA Privacy and Security Rules, summarizing complaints received by OCR of alleged violations of the provisions of Subtitle D of the HITECH Act, as well as of the HIPAA Privacy and Security Rules at 45 CFR Parts 160 and 164 .
  • Covered entities and their business associates should review the finding reported as part of their compliance practices. Others concerned about medical or other privacy or data security regulations or events also may find the information in the reports of interest.

Under HIPAA, covered entities generally are prohibited from using, accessing or disclosing protected health information about individuals except as specifically allowed by HIPAA,  In addition, HIPAA also requires Covered Entities to establish safeguards to protect protected health information against improper access, use or destruction, to afford certain rights to individuals who are the subjects of protected information, to obtain certain written assurances from service providers who are business associates before allowing those service providers to use, access or disclose protected health information when carrying out covered functions for the Covered Entity, and meet other requirements.

The HITECH Act tightened certain rules applicable to the use, access or disclosure of protected health information by covered entities and their business associates.  In addition, the HITECH Act added breach notification rules, extended direct responsibility for compliance with HIPAA to business associates, increased penalties for noncompliance with HIPAA and made other refinements to HIPAA’s medical privacy rules and made certain other changes.

Enforcement of HIPAA and the resulting penalties have increased since the HITECH Act took effect.

Covered Entities generally have been required to comply with most requirements the Omnibus Final Rule’s restated regulations restating OCR’s regulations implementing the Health Insurance Portability & Accountability Act (HIPAA) Privacy, Security and Breach Notification Rules to reflect HIPAA amendments enacted by the HITECH Act since March 26, 2013 and to have updated business associate agreements in place since September 23, 2013.  Although these deadlines are long past, many Covered Entities and business associates have yet to complete the policy, process and training updates required to comply with the rule changes implemented in  the Omnibus Final Rule.

Even if a Covered Entity or business associate completed the updates required to comply with the Omnibus Final Rule, however, recent supplemental guidance published by OCR means that most organizations now have even more work to do on HIPAA compliance. This includes the following supplemental guidance on its interpretation and enforcement of HIPAA against Covered Entities and business associates published by OCR since January 1, 2014 alone:

Beyond this 2014 guidance, Covered Entities and their business associates also should look at enforcement actions and data as well as other guidance OCR issued during 2013 after publishing the Omnibus Final Rule such as:

With OCR stepping up both audits and enforcement and penalties for violations higher than ever since the HITECH Act amended HIPAA, Covered Entities and business associates should act quickly to review and update their policies, practices and training to implement any adjustments needed to maintain compliance and manage other risks under these ever-evolving HIPAA standards.

When conducting these efforts, Covered Entities and business associates not only carefully watch for and react promptly to new OCR guidance and enforcement actions, but also document their commitment and ongoing compliance and risk management activities to help support their ability to show their organization maintains the necessary “culture of compliance” commitment needed to mitigate risks in the event of a breach or other HIPAA violation and take well-documented, reasonable steps to encourage their business associates to do the same.    When carrying out these activities, most covered entities and business associates also will want to take steps to monitor potential responsibilities and exposures under other federal and state laws like the privacy and data security requirements that often apply to personal financial information, trade secrets or other sensitive data under applicable federal and state laws and judicial precedent.

 For Representation, Training & Other Resources

If you need assistance monitoring these and other regulatory policy, enforcement, litigation or other developments, or to review or respond to these or other workforce, benefits and compensation, performance and risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer may be able to help.

Board Certified in Labor & Employment Law, Past Chair of the ABA RPTE Employee Benefit & Other Compensation Arrangements Group, Co-Chair and Past Chair of the ABA RPTE Welfare Plan Committee, Vice Chair of the ABA TIPS Employee Benefit Plans Committee, Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 25 years’ experience advising health plan and employee benefit, insurance, financial services, employer and health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers, health plans, their business associates and other health industry clients to establish and administer medical privacy and other compliance and risk management policies, to health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. The scribe for the ABA JCEB Annual Agency Meeting with the Office of Civil Rights (OCR) for the past several years who has worked on medical and other privacy concerns throughout her career, she regularly designs and presents HIPAA and other risk management, compliance and other training for health plans, employers, health care providers, professional associations and others, defends covered entities and business associates against OCR, FTC and other privacy and data security investigations, serves as special counsel in litigation arising from these concerns and is the author of several highly regarded publications on HIPAA and other privacy and security concerns.

Ms. Stamer also regularly works with OCR, FTC, USSS, FBI and state and local law enforcement on privacy, data security, health care, benefits and insurance and other matters, publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. For instance, Ms. Stamer for the third year will serve as the appointed scribe for the ABA Joint Committee on Employee Benefits Agency meeting with OCR. Her insights on HIPAA risk management and compliance frequently appear in medical privacy related publications of a broad range of health care, health plan and other industry publications Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others.  You can get more information about her HIPAA and other experience here.

You can review other recent human resources, employee benefits and internal controls publications and resources and additional information about the employment, employee benefits and other experience of the Cynthia Marcotte Stamer, PC here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile www.cynthiastamer.com or by registering to participate in the distribution of these and other updates on our HR & Employee Benefits Update distributions here including:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or updating your profile here. For important information concerning this communication click here©2014 Cynthia Marcotte Stamer. Limited, non-exclusive right to republished granted to Solutions Law Press, Inc. All other rights reserved.

Comments Off on HIPAA Compliance & Breach Data Shares Helpful Lessons For Health Plans, Providers and Business Associates | Employers, Health Plans, HIPAA, Human Resources, Insurance | Tagged: , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

HHS Extends Proposed EDI Rule Time to 4/3 To Get More Input From Self-Insured Plans, TPAs

March 6, 2014

Third party administrators  (TPAs), self-insured health plans and concerned payers and plan sponsors now have a little more time to comment on the Department of Health & Human Services (HHS) proposed rule, “Administrative Simplification: Health Plan Certification of Compliance.”

HHS announced its extension to April 3, 2014 of the comment period today in specific hopes that it will receive additional comments from TPAs  and self-insured plans

The Certification of Compliance for Health Plans proposed rule is different from previous Health Insurance Portability and Accountability Act (HIPAA) Administrative Simplification regulations because it affects more and different types of entities.

For example, many third party administrators, self-funded health plans, and group health plans that have not been impacted by previous HIPAA Administrative Simplification requirements will be affected by this rule, even if they do not directly conduct HIPAA covered transactions.

As proposed, the proposed rule would require controlling health plans to submit documentation on or before December 31, 2015. It would also establish penalty fees for a controlling health plan that fails to comply with the Certification of Compliance requirements.

HHS says that the goal of the extension of the comment period is to provide these entities with time to understand and offer feedback on the business impacts of the Certification of Compliance proposed rule. HHS encourages these entities to submit feedback so that their comments and suggestions can be considered during the policy-making process.

 For Representation, Training & Other Resources

If you need assistance monitoring these and other regulatory policy, enforcement, litigation or other developments, or to review or respond to these or other workforce, benefits and compensation, performance and risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer may be able to help.

Board Certified in Labor & Employment Law, Past Chair of the ABA RPTE Employee Benefit & Other Compensation Arrangements Group, Co-Chair and Past Chair of the ABA RPTE Welfare Plan Committee, Vice Chair of the ABA TIPS Employee Benefit Plans Committee, Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 25 years’ experience advising health plan and employee benefit, insurance, financial services, employer and health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers, health plans, their business associates and other health industry clients to establish and administer medical privacy and other compliance and risk management policies, to health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. The scribe for the ABA JCEB Annual Agency Meeting with the Office of Civil Rights (OCR) for the past several years who has worked on medical and other privacy concerns throughout her career, she regularly designs and presents HIPAA and other risk management, compliance and other training for health plans, employers, health care providers, professional associations and others, defends covered entities and business associates against OCR, FTC and other privacy and data security investigations, serves as special counsel in litigation arising from these concerns and is the author of several highly regarded publications on HIPAA and other privacy and security concerns.

Ms. Stamer also regularly works with OCR, FTC, USSS, FBI and state and local law enforcement on privacy, data security, health care, benefits and insurance and other matters, publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. For instance, Ms. Stamer for the third year will serve as the appointed scribe for the ABA Joint Committee on Employee Benefits Agency meeting with OCR. Her insights on HIPAA risk management and compliance frequently appear in medical privacy related publications of a broad range of health care, health plan and other industry publications Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others.  You can get more information about her HIPAA and other experience here.

You can review other recent human resources, employee benefits and internal controls publications and resources and additional information about the employment, employee benefits and other experience of the Cynthia Marcotte Stamer, PC here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile www.cynthiastamer.com or by registering to participate in the distribution of these and other updates on our HR & Employee Benefits Update distributions here including:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or updating your profile here. For important information concerning this communication click here©2014 Cynthia Marcotte Stamer. Limited, non-exclusive right to republished granted to Solutions Law Press, Inc. All other rights reserved.

Comments Off on HHS Extends Proposed EDI Rule Time to 4/3 To Get More Input From Self-Insured Plans, TPAs | Employers, Health Plans, HIPAA, Human Resources, Insurance, MEWA | Tagged: , , , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

New OCR Guidance Assigns More HIPAA Homework Health Plans, Providers, Business Associates and Employers

March 5, 2014

Think your health plan, health care organization, health care clearinghouse or their business associates has health care privacy covered?  Think again.

A series of supplemental guidance issued by the Department of Health & Human Services Office of Civil Rights (OCR) in recent weeks is giving health care providers, health plans, health care clearinghouses (Covered Entities) and their business associates even more to do in reviewing and updating their policies, practices and training for handing protected health information (PHI) beyond bringing their policies and practices into line with OCR’s restatement and update to the Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule (Omnibus Final Rule) OCR published January 25, 2013.

Covered Entities generally have been required to comply with most requirements the Omnibus Final Rule’s restated regulations restating OCR’s regulations implementing the Health Insurance Portability & Accountability Act (HIPAA) Privacy, Security and Breach Notification Rules to reflect HIPAA amendments enacted by the Health Information Technology for Economic and Clinical Health (HITECH) Act since the Omnibus Final Rule took effect on March 26, 2013 and to have updated business associate agreements in place since September 23, 2013.  Meanwhile, the Omnibus Final Rule generally has required business associates have updated business associate agreements in place and otherwise to have come into compliance with all of the applicable requirements of the Omnibus Final Rule since September 23, 2013.  Although these deadlines are long past, many Covered Entities and business associates have yet to complete the policy, process and training updates required to comply with the rule changes implemented in  the Omnibus Final Rule.

Even if a Covered Entity or business associate completed the updates required to comply with the Omnibus Final Rule, however, recent supplemental guidance published by OCR means that most organizations now have even more work to do on HIPAA compliance. This includes the following supplemental guidance on its interpretation and enforcement of HIPAA against Covered Entities and business associates published by OCR since January 1, 2014 alone:

Beyond this 2014 guidance, Covered Entities and their business associates also should look at enforcement actions and data as well as other guidance OCR issued during 2013 after publishing the Omnibus Final Rule such as:

With OCR stepping up both audits and enforcement and penalties for violations higher than ever since the HITECH Act amended HIPAA, Covered Entities and business associates should act quickly to review and update their policies, practices and training to implement any adjustments needed to maintain compliance and manage other risks under these ever-evolving HIPAA standards.

When conducting these efforts, Covered Entities and business associates not only carefully watch for and react promptly to new OCR guidance and enforcement actions, but also document their commitment and ongoing compliance and risk management activities to help support their ability to show their organization maintains the necessary “culture of compliance” commitment needed to mitigate risks in the event of a breach or other HIPAA violation and take well-documented, reasonable steps to encourage their business associates to do the same.    When carrying out these activities, most covered entities and business associates also will want to take steps to monitor potential responsibilities and exposures under other federal and state laws like the privacy and data security requirements that often apply to personal financial information, trade secrets or other sensitive data under applicable federal and state laws and judicial precedent.

 For Representation, Training & Other Resources

If you need assistance monitoring these and other regulatory policy, enforcement, litigation or other developments, or to review or respond to these or other workforce, benefits and compensation, performance and risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer may be able to help.

Board Certified in Labor & Employment Law, Past Chair of the ABA RPTE Employee Benefit & Other Compensation Arrangements Group, Co-Chair and Past Chair of the ABA RPTE Welfare Plan Committee, Vice Chair of the ABA TIPS Employee Benefit Plans Committee, Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 25 years’ experience advising health plan and employee benefit, insurance, financial services, employer and health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers, health plans, their business associates and other health industry clients to establish and administer medical privacy and other compliance and risk management policies, to health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. The scribe for the ABA JCEB Annual Agency Meeting with the Office of Civil Rights (OCR) for the past several years who has worked on medical and other privacy concerns throughout her career, she regularly designs and presents HIPAA and other risk management, compliance and other training for health plans, employers, health care providers, professional associations and others, defends covered entities and business associates against OCR, FTC and other privacy and data security investigations, serves as special counsel in litigation arising from these concerns and is the author of several highly regarded publications on HIPAA and other privacy and security concerns.

Ms. Stamer also regularly works with OCR, FTC, USSS, FBI and state and local law enforcement on privacy, data security, health care, benefits and insurance and other matters, publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. For instance, Ms. Stamer for the third year will serve as the appointed scribe for the ABA Joint Committee on Employee Benefits Agency meeting with OCR. Her insights on HIPAA risk management and compliance frequently appear in medical privacy related publications of a broad range of health care, health plan and other industry publications Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others.  You can get more information about her HIPAA and other experience here.

You can review other recent human resources, employee benefits and internal controls publications and resources and additional information about the employment, employee benefits and other experience of the Cynthia Marcotte Stamer, PC here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile www.cynthiastamer.com or by registering to participate in the distribution of these and other updates on our HR & Employee Benefits Update distributions here including:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or updating your profile here. For important information concerning this communication click here©2014 Cynthia Marcotte Stamer. Limited, non-exclusive right to republished granted to Solutions Law Press, Inc. All other rights reserved.

Comments Off on New OCR Guidance Assigns More HIPAA Homework Health Plans, Providers, Business Associates and Employers | Employers, Health Plans, HIPAA, Human Resources, Insurance | Tagged: , , , , , , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

Dermatology Practice To Pay $150K To Settle Charges It Breached HIPAA Breach Notice Rule

December 26, 2013

A new settlement agreement announced by the Department of Health & Human Services (HHS) Office of Civil Rights (OCR) shows health plans, health care providers, health care clearinghouses and their business associates the perils of failing to properly implement the necessary policies and procedures to comply with the breach notification requirements added to the Health Insurance Portability & Accountability Act of 1996 (HIPAA) added by the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of American Recovery and Reinvestment Act of 2009 (ARRA).

Private dermatology practice,, Adult & Pediatric Dermatology, P.C., (APDerm) has agreed to pay $150,000 and implement a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy,  Security, and Breach Notification Rules.  The APDerm Setttlement  marks the first settlement with a covered entity for not having policies and procedures in place to address the breach notification provisions of the HITECH Act.

According to its December 26, 2013 announcement of the settlement, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) opened an investigation of APDerm upon receiving a report that an unencrypted thumb drive containing the electronic protected health information (ePHI) of approximately 2,200 individuals was stolen from a vehicle of one its staff members. The thumb drive was never recovered.  The investigation revealed that APDerm had not conducted an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI as part of its security management process.  Further, APDerm did not fully comply with requirements of the Breach Notification Rule to have in place written policies and procedures and train workforce members.

Enforcement Actions Highlight Growing HIPAA Exposures For Covered Entities

The APDerm settlement provides more evidence of the growing exposures that health care providers, health plans, health care clearinghouses and their business associates need to carefully and appropriately manage their HIPAA responsibilities. See HIPAA Heats Up: HITECH Act Changes Take Effect & OCR Begins Posting Names, Other Details Of Unsecured PHI Breach Reports On WebsiteIt joins the  growing list of settlement or resolution agreements under HIPAA announced by OCR.

The APDerm also is notable both as it settles the first ever charges against a covered entity for failing to adopt required Breach Notification policies and procedures and the relatively most settlement payment required in comparison to other announced settlement.  Other settlements have been significantly higher.  For instance,  OCR required that Blue Cross Blue Shield of Tennessee (BCBST) to pay $1.5 million to resolve HIPAA violations charges.

In response to these expanding exposures, all covered entities and their business associates should review critically and carefully the adequacy of their current HIPAA Privacy and Security compliance policies, monitoring, training, breach notification and other practices taking into consideration OCR’s audit,  investigation and enforcement actions, emerging litigation and other enforcement data, their own and reports of other security and privacy breaches and near misses, evolving rules and technology, and other developments to determine if additional steps are necessary or advisable. For tips, see here.

For Representation, Training & Other Resources

If you need assistance monitoring HIPAA and other health and health plan related regulatory policy or enforcement developments, or to review or respond to these or other health care or health IT related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer may be able to help.

Board Certified in Labor & Employment Law, Past Chair of the ABA RPTE Employee Benefit & Other Compensation Arrangements Group, Co-Chair and Past Chair of the ABA RPTE Welfare Plan Committee, Vice Chair of the ABA TIPS Employee Benefit Plans Committee, Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 24 years experience advising health plan and employee benefit, insurance, financial services, employer and health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers, health plans, their business associates and other health industry clients to establish and administer medical privacy and other compliance and risk management policies, to health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. She regularly designs and presents HIPAA and other risk management, compliance and other training for health plans, employers, health care providers, professional associations and others.

For the past two years, Ms. Stamer has served as the  scribe for the ABA Joint Committee on Employee Benefits agency meeting with OCR.   Ms. Stamer also regularly works with OCR, FTC, USSS, FBI and state and local law enforcement on privacy, data security, health care, benefits and insurance and other matters, publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. For instance, Ms. Stamer for the second year will serve as the appointed scribe for the ABA Joint Committee on Employee Benefits Agency meeting with OCR. Her insights on HIPAA risk management and compliance frequently appear in medical privacy related publications of a broad range of health care, health plan and other industry publications Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others.  You can get more information about her HIPAA and other experience here.

If you need assistance with these or other compliance concerns, wish to inquire about arranging for compliance audit or training, or need legal representation on other matters please contact Ms. Stamer at (469) 767-8872 or via e-mail here.

You can review other recent publications and resources and additional information about the other experience of Ms. Stamer here. Examples of some recent publications that may be of interest include:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or updating your profile here. For important information concerning this communication click here.

©2013 Cynthia Marcotte Stamer.  Non-exclusive right to republish granted to Solutions Law Press, Inc.   All rights reserved.

Comments Off on Dermatology Practice To Pay $150K To Settle Charges It Breached HIPAA Breach Notice Rule | Employers, Health Plans, HIPAA, Human Resources, Insurance | Tagged: , , , , | Permalink
Posted by Cynthia Marcotte Stamer

Careful Selection & Contracting With Vendors Critical Part of Health Plan Renewals

October 8, 2013

In the rush to finalize their health plan designs, contracts and documents for the upcoming 2014 plan year, employer and other health plan sponsors and fiduciaries should use care to review their insurance, broker, administrator and other health plan vendor agreements and vendor-provided plan documents, communications and processes to verify that vendor agreements and the plan designs, documentation, communications and processes they put in place appropriately hold service providers accountable, are legally compliant, appropriately tailored to defensably administer the plan in accordance with expectations, implement appropriate fiduciary and other performance and risk allocations and manage other exposures.

Many employer and other plan sponsors unknowingly expose themselves and management personnel participating in plan related decision-making to liability and costs by allowing costs or personality preferences to guide their vendor choices, rather than conducting a well-documented prudent review of their brokers and consultants, health plan insurers and  other service providers, their bonding and other credentials, and the vendor-recommended plan designs, documentation, communications, credentials and processes.

Careful Vendor Selection & Contracting Foundation of Health Plan Compliance & Risk Management

As an initial matter, employers or others selecting plan vendors generally need to credential service providers to manage exposures under the fiduciary responsibility rules of the Employee Retirement Income Security Act of 1974 (ERISA). The fiduciary responsibility rules of ERISA generally impose upon the employer, member of its management or other parties possessing or exercising discretionary authority or control over the selection of plan service providers or vendors legal responsibility for the prudent selection and oversight of the service providers, their bonding and other credentials. Failing to conduct and keep documentation of this critical review can expose those participating in the vendor selection process to personal liability if plan funds or administration are mishandled as a result of the improper selection and oversight of the vendor.

Second, even when a vendor has a great reputation and credentials, employers or others also should carefully review the plan documentation, agreements, and communications provided by their brokers, administrative services providers, insurers and other health plan service providers to confirm that these materials are legally compliant, properly reflect the plan sponsors’ expectations about the plan terms, costs, and obligations, and otherwise designed to protect the employer’s goals and interests.  While most plan sponsors and their management assume that the arrangements put in place by their broker, consultant or other service provider will take the necessary steps to properly document and implement the plan design, inadequacies in plan documentation, communications, administrative forms, processes and even plan design are common.

Even where plan vendors and advisors have the best of intentions, plan designs and documentation often fail to comply with applicable federal mandates, incorporate undesirable terms, or incorporate other provisions or deficiencies that unnecessarily leave the plan sponsor or members of its management exposed to avoidable fiduciary responsibility and liability for actions that the service provider is being paid to perform, exculpate vendors from liability for failing to competently perform responsibilities, expose the plan or its sponsors to unnecessary penalties or other costs, have other weaknesses that leave the sponsor or its management exposed to significant costs, liabilities or both.

For these reasons and others, employer and other plan sponsors should make time to conduct a well-documented documented review of the fiduciary eligibility, bonding and other credentials, services agreements, plan documentation, communications, processes, and procedures proposed by their health plan vendors before finalizing vendor selections and implementing those documents.

Credentialing & Vendor Contracting Tips

To help determine the scope of review and risk, most employer or other plan sponsors and their management will find it helpful to begin by critically evaluating the credentials and contracts of the health plan brokers, consultants and service providers.  This review should both verify these advisors have the bonding and other legal credentials to qualify to perform the role desired under ERISA, the scope of services and accountability undertaken by the service providers, and the responsibilities for which the employer or other appointing party will continue to bear for the proper documentation and administration of the plan after hiring these vendors.

The following are some basic guidelines that management or others making health plan vendor and design decisions generally will want to consider and document as part of their analysis when reviewing proposed health plan vendors and the plan designs, documentation, communications and procedures.

  • A formal background check performed with the consent of the service provider should prove that the service provider and all of its employees and agents should be qualified to serve in a fiduciary role, are not disqualified or under investigation or other action that would disqualify them to act as a fiduciary or be bonded as required by ERISA, have no material complaint or dispute history with current or former clients or vendors, the Department of Labor, Department of Insurance, Internal Revenue Service or other relevant authorities, and have appropriate licensure, certifications, experience and reputation.
  • The service provider and its employees should enjoy an excellent reputation, verified by both broad background checks and detailed reference checks with both current and former clients, including clients who are not necessarily on the official reference list provided by the prospective service provider.
  • The service provider, its team, processes and procedures should have a history and currently be financially and operationally sound with significant experience and ability in the area.
  • The service provider should possess and be able to provide appropriate documentation of licensure, bonding, certifications and other credentials.
  • Due diligence should verify that the service provider has the skill, equipment, staff, procedures, processes, qualifications and other capabilities to properly and reliably perform the tasks contemplated prudently and in accordance with applicable legal responsibilities.

Beyond credentialing the service provider and its personnel, a plan sponsor or other party participating in the selection of a service provider or its recommended plan designs or services also should critically review the proposed services agreement to verify that it properly protects the expectations and interests of the plan sponsor, its plan fiduciaries and other associated parties participating in the plan design and vendor selection process.  Among other things, a review of the contract generally should verify that the following criteria are met:

  • The contract should clearly document the scope of plan services that the service provider will provide under the agreement, the services that the service provider will not provide, and the services that the service provider only will provide at an additional charge, all charges and other requirements, and any other material expectations.
  • The contract should require the service provider to deliver plan services prudently in a manner that delivers the desired health benefits in a manner consistent with the purposes that justify the plan sponsor’s continued provision of the health benefits in accordance with the legal, operational, benefit and cost parameters applicable to the employer and its plan
  • The contract should provide plan services in a manner consistent with the plan sponsor’s overall plan design and related business practices.
  • The contract should deliver plan services in a manner consistent with the federal and state tax, labor, health care, contractual and other legal obligations applicable to the plan sponsor.
  • The contract should document the bonding, liability insurance, credentials and other qualifications of the service provider and require notification and appropriate recourse in the event of a material change in those credentials.
  • The contract should adequately minimize the exposure of the plan sponsor to legal liabilities arising from its participation in the contract, including fiduciary liability, vicarious liability, corporate negligence, and contractual liability.
  • The contract should establish and document the framework for an effective working relationship.
  • The contract should establish and document clear performance obligations applicable to the parties; the way compliance will be measured; and the consequences of any breach of those obligations.
  • The contract should incorporate the necessary provisions to fulfill the business associate agreement and other requirements concerning the creation, use, protection, access and disclosure of personal health information and other sensitive information about plan participants, beneficiaries and their costs needed to comply with the privacy and data security requirements of the Health Insurance Portability & Accountability Act privacy, security, breach notification, accounting and other individual rights, and business associate rules as updated in new regulations published in 2013 by the Office of Civil Rights.
  • The contract should provide access to necessary information including all records necessary to monitor and defend the plan, its design and administration, its compliance and prudent administration, including all disclosure, audit and reporting requirements.
  • The contract should define the breach notification and dispute resolution procedures, if any, that apply to disputes between the parties in a manner that does not unduly prejudice the plan sponsor’s ability to administer the plan; fulfill its legal obligations to covered persons and relevant regulators, or conduct other business activities.
  • The contract should clearly document the relationship between the standard plan provisions and the managed care procedures as well as fiduciary responsibility and accountability for, appropriately updated to comply with updated claims, appeals, and independent review organization requirements implemented since the enactment of the Patient Protection & Affordable Care Act,   This should include a discussion regarding the extent to which the plan’s standard utilization, precertification, and medical necessity review procedures, coverage limitations and exclusions, proof of loss, and other provisions or replaced for care obtained under the managed care plan, as well as procedures and liability for deficiencies in administration resulting in liability to contracted physicians under managed care contracts pursuant to state law, loss of discounts, penalties or stop-loss coverage resulting from errors in administration and other federal and state liability risks of the plan, its fiduciaries and the employer.
  • The contract should require a third party administrator (TPA_ ensure that its provider contracts do not contain terms or provisions (other than as intended by the plan sponsor) that would undermine the enforceability of the plan sponsor’s benefit design.
  • The contract should require the service provider to ensure that contracting providers understand that their entitlement to payment or benefits depends upon satisfaction of all applicable terms and conditions of the plan and incorporate procedures to ensure the enforceability of these commitments.
  • The contract should bind the service provider to change its procedures in response to changes in the law or regulations that may be adopted from time to time.
  • The contract, if applicable, should require prudent processes to verify eligibility, coordinate coverage and perform other required functions.
  • The contract should include terms that preserve the subrogation rights of the plan.
  • The contract should require the TPA to warrant its authority to bind contracting providers and other parties whose cooperation and performance is required under the contract as part of the package of services to be delivered under the TPA’s proposal.
  • The contract should require the service provider to warrant that its agreement with other contracting providers does not conflict with the terms of the contract and ensures that these related providers are bound to perform in the manner contemplated by the contract.
  • The contract should require the service provider to perform all duties to prudently and in accordance with the law and hold the service provider legally accountable for liabilities and costs resulting from its omission to do so.
  • The contract should incorporate all performance guarantees including suitable accountability for noncompliance.
  • The contract should keep the right of the plan sponsor or fiduciary to terminate the vendor where prudent or otherwise legally required to fulfill responsibilities without inappropriate restrictions inconsistent with legal or operational responsibilities.
  • The contract should require appropriate indemnification or other accountability for non-performance with legal or other requirements and expectations.
  • The contract should include appropriate provisions to preserve access to plan administration and associated data as necessary to monitor plan costs, make future design decisions, and administer the plan and associated responsibilities even in the event of a termination of the vendor relationship.

While the credentialing questions and processes don’t eliminate all health plan related risks, they can help eliminate and manage many common legal and operational risks that often arising from health contracts and can help position an employer and members of its management to mitigate other potential exposures.   The benefits of this careful credentialing and contract should be carried forward by careful crafting of plan documents and communications to match the allocations of responsibilities decided upon in the contracting process, the use of appropriate procedures to ensure that the appointed party handles those responsibilities and their associated communications, and the proper coordination of responses to potential problems in a manner that provides for defensible administration without blurring carefully crafted fiduciary and other role assignments.

In some instances, it may not be possible to secure the ideal contractual provisions.  When this occurs, the documentation of the negotiations and the analysis of the advisability of proceeding with the contract, including any prudent backup arrangements needed to justify continuation should be maintained.  Too often, brokers and consultants disparage contract negotiation and review recommendations of legal counsel by suggesting this is standard in the industry or that the request for negotiation and review suggests some lack of experience or other improper expectation by legal counsel or others suggesting the review.  Such suggestions should be carefully scrutinized.  While ideal provisions cannot always be obtained, it is rare that some improvement in the agreements is not possible.  Even where this progress is not obtained, however, existing judicial and Labor Department enforcement clearly shows that the process of prudent review and analysis of proposed vendors and services is a required and necessary element of the vendor selection process for which parties making the decisions may face liability if they cannot prove the selection or retention was prudently conducted.

For Help or More Information

 If you need help understanding or dealing with reviewing or negotiating your vendor agreements, or  with other 2014 health plan decision-making or preparation, or with reviewing and updating, administering or defending your group health or other employee benefit, human resources, insurance, health care matters or related documents or practices, please contact the author of this update, Cynthia Marcotte Stamer.

A Fellow in the American College of Employee Benefit Council, immediate past Chair of the American Bar Association (ABA) RPTE Employee Benefits & Other Compensation Group and current Co-Chair of its Welfare Benefit Committee, Vice-Chair of the ABA TIPS Employee Benefits Committee, a council member of the ABA Joint Committee on Employee Benefits, and past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, Ms. Stamer is recognized, internationally, nationally and locally for her more than 25 years of work, advocacy, education and publications on cutting edge health and managed care, employee benefit, human resources and related workforce, insurance and financial services, and health care matters.

A board certified labor and employment attorney widely known for her extensive and creative knowledge and experienced with these and other employment, employee benefit and compensation matters, Ms. Stamer continuously advises and assists employers, employee benefit plans, their sponsoring employers, fiduciaries, insurers, administrators, service providers, insurers and others to monitor and respond to evolving legal and operational requirements and to design, administer, document and defend medical and other welfare benefit, qualified and non-qualified deferred compensation and retirement, severance and other employee benefit, compensation, and human resources, management and other programs and practices tailored to the client’s human resources, employee benefits or other management goals. A primary drafter of the Bolivian Social Security pension privatization law, Ms. Stamer also works extensively with management, service provider and other clients to monitor legislative and regulatory developments and to deal with Congressional and state legislators, regulators, and enforcement officials about regulatory, investigatory or enforcement concerns.

Recognized in Who’s Who In American Professionals and both an American Bar Association (ABA) and a State Bar of Texas Fellow, Ms. Stamer serves on the Editorial Advisory Board of Employee Benefits News, HR.com, Insurance Thought Leadership, Solutions Law Press, Inc. and other publications, and active in a multitude of other employee benefits, human resources and other professional and civic organizations. She also is a widely published author and highly regarded speaker on these matters. Her insights on these and other matters appear in the Bureau of National Affairs, Spencer Publications, the Wall Street Journal, the Dallas Business Journal, the Houston Business Journal, Modern and many other national and local publications. Her widely respected publications and programs include more than 25 years of publications on health plan contracting, design, administration and risk management including a “Managed Care Contracting Guide” published by the American Health Lawyers Association and numerous other works on vendor contracting.  You can learn more about Ms. Stamer and her experience, review some of her other training, speaking, publications and other resources, and register to receive future updates about developments on these and other concerns from Ms. Stamer here.

Other Helpful Resources & Other Information

We hope that this information is useful to you.   If you found these updates of interest, you also be interested in one or more of the following other recent articles published on the Coalition for Responsible Health Care Reform electronic publication available here, our electronic Solutions Law Press Health Care Update publication available here, or our HR & Benefits Update electronic publication available here .  You also can get access to information about how you can arrange for training on “Building Your Family’s Health Care Toolkit,”  using the “PlayForLife” resources to organize low-cost wellness programs in your workplace, school, church or other communities, and other process improvement, compliance and other training and other resources for health care providers, employers, health plans, community leaders and others here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail by creating or updating your profile here. You can reach other recent updates and other informative publications and resources.

Recent examples of these publications include:

For important information about this communication click here.

©2013 Cynthia Marcotte Stamer.  Nonexclusive right to republish granted to Solutions Law Press, Inc. All other rights reserved.

Comments Off on Careful Selection & Contracting With Vendors Critical Part of Health Plan Renewals | Employee Benefits, Employers, Health Plans, HIPAA, Human Resources, Patient Protection and Affordable Care Act | Tagged: , , , , , , , , , , , , , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

Exchange Enrollment Kicks Off Plagued By Government Shutdown, Other Challenges

October 1, 2013
Despite a showdown in Congress about health care reform’s future that threatens to bring funding of the U.S. government to a halt and a host of recent security and other concerns about the security and operational readiness of its enrollment platform and details of the implementation of the marketplaces in many states that will provide the offered coverage, the Obama Administration is touting today, October 1, 2013, as the first day that Americans can apply for enrollment in coverage offered through the health insurance exchanges that the Obama Administration prefers to refer to as “Marketplaces” slated to take effect under the Patient Protection & Affordable Care Act (ACA).

Obama Administration Touts October 1 Kickoff As New Age of Health Care

In a post shared across social media today,U.S. Department of Health and Human Services (HHS) Secretary Kathleen Sebelius announces, ” HealthCare.gov is open for business. Share this and let your friends and family know they can #GetCovered today at www.healthcare.gov!”   In yet another post, Ms. Sebelius proclaims:  See also http://www.hhs.gov/news/press/2013pres/10/20131001a.html.

“For the first time ever, today all Americans can begin shopping for quality health coverage that is affordable, and not be denied or charged more because they have a pre-existing condition.

The Health Insurance Marketplace is a new, simpler way for uninsured Americans and their families to purchase health insurance in one place.  Coverage begins as early as January 1, 2014 for people enrolling by December 15, 2013.   Today also marks the kick-off of outreach and enrollment activities in communities nationwide.  Enrollment events will take place in a variety of local settings including public libraries, churches, festivals, sports events, and community meetings.” 

Shutdown, Other Issues Raise Concerns

Ironically, while HHS continues to cheer its actions to implement ACA, a host of concerns cloud its implementation, including a federal government shutdown that also took effect October 1, 2013 as a result of a Congressional battle over the future of ACA and its funding.  Over the weekend, the Senate refused to approve legislation passed by the House that would have provided for continued funding of U.S. government activities while denying funding and delaying provisions of ACA.  Leaders in the Republican controlled House have indicated the House will not pass a budget without the carve out of funding and delay of ACA implementation.  The dispute means that Congress has not approved continuing funding from the U.S. budget of the monies necessary for continued operations of many government functions, including HHS support for implementation of ACA and its enrollment.  As a result, while HHS continues to bombard the media and social media with announcements touting enrollment, the main page of its website posts the following announcement in bright red text:

“Due to the lapse in government funding, only web sites supporting excepted functions will be updated unless otherwise funded.  As a result, the information on this website may not be up to date, the transactions submitted via the website may not be processed, and the agency may not be able to respond to inquiries until appropriations are enacted. …

ATTENTION – HIGH VOLUME OF MEDIA REQUESTS

We are experiencing a high volume of media requests about the Affordable Care Act and the Health Insurance Marketplaces. If you are a reporter, we have assembled these tools to help you:

  1. First try HealthCare.gov, which has comprehensive information about the Health Insurance Marketplace here.
  2. At the start of Open Enrollment, watch for media advisories for the Centers for Medicare & Medicaid Services’ regular operational updates for reporters. The first update will be held as a conference call on the afternoon of Oct. 1. HHS will post transcripts of these briefings in the HHS Newsroom.
  3. Email our media team here. If you have already contacted CMS’ media relations team, then HHS already has your request, and there is no need to email both agencies. Please be as specific as possible about your request and deadline.”

Beyond the government shutdown, other issues remain.  Last month, HHS released a HHS Office of Inspector General Report that raises concerns about the adequacy of the electronic security of the portal that will be used to register and apply for enrollment through the site.  See Observations Noted During The OIG Review Of CMS’s Implementation Of The Health Insurance Exchange—Data Services Hub.  A host of other problems and concerns also have been reported.  See e.g., Obamacare’s Insurance Exchange “Glitches” – The Foundry; Document Management Problems in New Insurance Markets Feds ; ObamaCare ‘glitch‘ watch: Exchange site posts error messages; D.C.’s Obamacare fail: Prices won’t work until NovemberObamaCare’s scope, rocky intro signals problems for Tuesday’s start.

As the January 1, 2014 promised commencement of coverage and individual mandates loomed, the Obama Administration’s delay of employer mandates while leaving individual mandate penalties against individuals who fail to purchase coverage, reports of employers cutting jobs, employee health coverage, or both, highly debated concerns about the cost, quality of coverage and other issues are fueling a showdown again in Congress, as many Americans grow increasingly concerned about what lies ahead.Are you concerned about whether health care reform preparations are on track or have other health care policy concerns.  With the debate continuing to rage, many individuals and employers are watching carefully, as the debate holds funding of other key aspects of government operations hostage.

Join the discussion about health care reform and share your input by joining Project COPE: Coalition for Patient Empowerment here.

About Project COPE: The Coalition On Patient Empowerment & Its  Coalition on Responsible Health Policy

Sharing and promoting the use of practical practices, tools, information and ideas that patients and their families, health care providers, employers, health plans, communities and policymakers can share and offer to help patients, their families and others in their care communities to understand and work together to better help the patients, their family and their professional and private care community plan for and manage these  needs is the purpose of Project COPE, The Coalition on Patient Empowerment & It’s Affiliate, the Coalition on Responsible Health Policy.

The best opportunity to improve access to quality, affordable health care for all Americans is for every American, and every employer, insurer, and community organization to seize the opportunity to be good Samaritans.  The government, health care providers, insurers and community organizations can help by providing education and resources to make understanding and dealing with the realities of illness, disability or aging easier for a patient and their family, the affected employers and others. At the end of the day, however, caring for people requires the human touch.  Americans can best improve health care by not waiting for someone else to step up:  Step up and help bridge the gap when you or your organization can. Speak up to help communicate and facilitate when you can.  Building health care neighborhoods filled with good neighbors throughout the community is the key.

The outcome of this latest health care reform push is only a small part of a continuing process.  Whether or not the Affordable Care Act makes financing care better or worse, the same challenges exist.  The real meaning of the enacted reforms will be determined largely by the shaping and implementation of regulations and enforcement actions which generally are conducted outside the public eye.  Americans individually and collectively clearly should monitor and continue to provide input through this critical time to help shape constructive rather than obstructive policy. Regardless of how the policy ultimately evolves, however, Americans, American businesses, and American communities still will need to roll up their sleeves and work to deal with the realities of dealing with ill, aging and disabled people and their families.  While the reimbursement and coverage map will change and new government mandates will confine providers, payers and patients, the practical needs and challenges of patients and families will be the same and confusion about the new configuration will create new challenges as patients, providers and payers work through the changes.

We also encourage you and others to help develop real meaningful improvements by joining Project COPE: Coalition for Patient Empowerment here by sharing ideas, tools and other solutions and other resources. The Coalition For Responsible Health Care Policy provides a resource that concerned Americans can use to share, monitor and discuss the Health Care Reform law and other health care, insurance and related laws, regulations, policies and practices and options for promoting access to quality, affordable healthcare through the design, administration and enforcement of these regulations.

Other Helpful Resources & Other Information

We hope that this information is useful to you.   If you found these updates of interest, you also be interested in one or more of the following other recent articles published on the Coalition for Responsible Health Care Reform electronic publication available here, our electronic Solutions Law Press Health Care Update publication available here, or our HR & Benefits Update electronic publication available here .  You also can get access to information about how you can arrange for training on “Building Your Family’s Health Care Toolkit,”  using the “PlayForLife” resources to organize low-cost wellness programs in your workplace, school, church or other communities, and other process improvement, compliance and other training and other resources for health care providers, employers, health plans, community leaders and others here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail by creating or updating your profile here. You can reach other recent updates and other informative publications and resources.

Recent examples of these publications include:

For important information about this communication click here.

©2013 Cynthia Marcotte Stamer.  Nonexclusive right to republish granted to Solutions Law Press, Inc. All other rights reserved.

Comments Off on Exchange Enrollment Kicks Off Plagued By Government Shutdown, Other Challenges | Employee Benefits, Employers, Health Plans, HIPAA, Human Resources, Patient Protection and Affordable Care Act | Tagged: , , , , , , , , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

HHS Share Model HIPAA Notices 1 Week Before Deadline For Updating Business Associate Agreements

September 16, 2013

A week before the September 23, 2013 deadline for all health care providers, health plans, health care clearinghouses (Covered Entities) and their business associates to have updated their business associate agreements to comply with the Final Omnibus HIPAA Rule, the Department of Health & Human Services Office of the National Coordinator for Health Information Technology (ONC) and the Office for Civil Rights (OCR) today (September 16, 2013) released Model Notices of Privacy Practices (Notices) for health care providers and health plans to use to communicate with their patients and plan members. With penalties and enforcement continuing to rise, Covered Entities and their business associates should take appropriate steps to review and update their privacy and breach notification policies and procedures, privacy officer appointments, notices of privacy practices, business associate agreements and other HIPAA compliance and risk management documentation, practices, procedures and coverage, breach notification and other HIPAA compliance and risk management practice.

Model HIPAA Notices

Developed collaboratively by ONC and OCR the Notices available here designed in the following three different styles are designed for users to customize to fit their specific needs and practices:

  • A notice in the form of a booklet;
  • A layered notice with a summary of the information on the first page and full content on the following pages; and
  • A notice with the design elements of the booklet, but that is formatted for full-page presentation.

Use of these model Notices is optional.  While the agencies designed the Notices to let Covered Entities to use these models by entering some of their own information into the model, such as contact information, and then printing for distribution and posting on their websites, Covered Entities should consult with legal counsel to determine the suitability of the Notices generally for their entity’s use and any customization, if any, that may be recommended or required to a Notice if the Covered Entity decides rely upon a model Notice to prepare its Notice of Privacy Practices.  To facilitate any tailoring, the agencies provided a text-only version for Covered Entities wishing only wish to use the content with or without tailoring.

September 23 Business Associate Agreement Update Deadline

September 23, 2013 also is the final deadline established in the Final Omnibus HIPAA Rule for Covered Entities and their business associations to update the business associate agreements required by HIPAA to reflect application of the breach notification, business associate, and many of HIPAA’s requirements to directly cover business associates and other aspects of the Health Information Technology for Economic and Clinical Health (HITECH) Act enacted as part of the American Recovery and Reinvestment Act of 2009.  While HHS published a Sample Business Associate Agreement last June to aid Covered Entities and their business associates with understanding the business associate agreement requirements as impacted by the Omnibus Final HIPAA Rule, it also made clear that Covered Entities and their business associates should tailor their business associate agreements to fit their specific circumstances and relationships.  OCR National Office and regional officials speaking about their findings about past business associate agreement compliance have indicated that their audit and enforcement activities show widespread compliance issues among Covered Entities and business associates with the original business associate agreements.  OCR clearly expects Covered Entities and their business associates to address and resolve these compliance issues going forward.

Covered Entities and their business associates are increasingly at peril if caught violating HIPAA’s Privacy, Security or Breach Notification rules.  With the HITECH Act Breach Notification rules now requiring Covered Entities to self-disclose breaches, OCR becomes aware of breaches much more easily.  Coupled with the HITECH Act’s increase in sanctions for HIPAA violations, Covered Entities and, beginning September 23, 2013, their business associates face rising risks for violating HIPAA.  See, e.g. HHS Settles with Health Plan in Photocopier Breach Case; WellPoint Settles HIPAA Security Case for $1,700,000; Shasta Regional Medical Center Settles HIPAA Security Case for $275,000; Idaho State University Settles HIPAA Security Case for $400,000; and HHS announces first HIPAA breach settlement involving less than 500 patients.

In response to the updated Final Regulations and these expanding HIPAA enforcement and exposures, all Covered Entities should review critically and carefully the adequacy of their current HIPAA Privacy and Security compliance policies, monitoring, training, breach notification and other practices taking into consideration OCR’s investigation and enforcement actions, emerging litigation and other enforcement data; their own and reports of other security and privacy breaches and near misses; and other developments to decide if additional steps are necessary or advisable.   In response to these expanding exposures, all covered entities and their business associates should review critically and carefully the adequacy of their current HIPAA Privacy and Security compliance policies, monitoring, training, breach notification and other practices taking into consideration OCR’s investigation and enforcement actions, emerging litigation and other enforcement data; their own and reports of other security and privacy breaches and near misses, and other developments to decide if tightening their policies, practices, documentation or training is necessary or advisable.

For Help or More Information

If you need assistance responding to HIPAA or other health industry regulatory, enforcement or other developments, reviewing or tightening your policies and procedures, conducting training or audits, responding to or defending an investigation or other enforcement actions; with 2014 health plan decision-making, or with reviewing and updating, administering or defending your group health or other employee benefit, human resources, insurance, health care matters or related documents or practices, please contact the author of this update, Cynthia Marcotte Stamer for help.

A Fellow in the American College of Employee Benefit Council, immediate past Chair of the American Bar Association (ABA) RPTE Employee Benefits & Other Compensation Group and current Co-Chair of its Welfare Benefit Committee, Vice-Chair of the ABA TIPS Employee Benefits Committee, a council member of the ABA Joint Committee on Employee Benefits, and past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, Ms. Stamer is recognized, internationally, nationally and locally for her more than 25 years of work, advocacy, education and publications on cutting edge health and managed care, employee benefit, human resources and related workforce, insurance and financial services, and health care matters.

A board certified labor and employment attorney widely known for her extensive and creative knowledge and experienced with these and other employment, employee benefit and compensation matters, Ms. Stamer is widely recognized for her extensive work, publications, and thought leadership on HIPAA and other privacy and data security issues.  Scribe for the ABA JCEB annual Technical Sessions meeting with OCR for the past three years, Ms. Stamer’s experience includes extensive work advising, representing and training health plan, health insurance, health IT, health care and other clients on HIPAA and other privacy, data protection and breach and other related matters and represents and advises these and other clients in responding to OCR Privacy and Civil Rights and other HHS agencies, Labor Department, IRS regulations, investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns.  She also is recognized for her extensive publications and programs including numerous highly regarding publications and programs on HIPAA and other privacy and data security concerns as well as a wide range of other workshops, programs and publications.

Beyond her HIPAA involvement, Ms. Stamer also continuously advises and assists employers, employee benefit plans, their sponsoring employers, fiduciaries, insurers, administrators, service providers, insurers and others to monitor and respond to evolving legal and operational requirements and to design, administer, document and defend medical and other welfare benefit, qualified and non-qualified deferred compensation and retirement, severance and other employee benefit, compensation, and human resources, management and other programs and practices tailored to the client’s human resources, employee benefits or other management goals.  A primary drafter of the Bolivian Social Security pension privatization law, Ms. Stamer also works extensively with management, service provider and other clients to monitor legislative and regulatory developments and to deal with Congressional and state legislators, regulators, and enforcement officials concerning regulatory, investigatory or enforcement concerns.

Recognized in Who’s Who In American Professionals and both an American Bar Association (ABA) and a State Bar of Texas Fellow, Ms. Stamer serves on the Editorial Advisory Board of Employee Benefits News, HR.com, Insurance Thought Leadership, Solutions Law Press, Inc. and other publications, and active in a multitude of other employee benefits, human resources and other professional and civic organizations.   She also is a widely published author and highly regarded speaker on these matters. Her insights on these and other matters appear in the Bureau of National Affairs, Spencer Publications, the Wall Street Journal, the Dallas Business Journal, the Houston Business Journal, Modern and many other national and local publications.   You can learn more about Ms. Stamer and her experience, review some of her other training, speaking, publications and other resources, and register to receive future updates about developments on these and other concerns from Ms. Stamer here.

Other Resources

If you found this update of interest, you also may be interested in reviewing some of the other updates and publications authored by Ms. Stamer available including:

For important information about this communication see here. THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS.  ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.

©2013 Cynthia Marcotte Stamer, P.C. 

Nonexclusive license to republish granted to Solutions Law Press, Inc.  All other rights reserved.

[*] On January 24, 2013, the Department of Labor (the Department) issued guidance stating the Department’s conclusion that the notice requirement under FLSA section 18B will not take effect on March 1, 2013 for several reasons until further guidance setting the extended deadline was published.

Comments Off on HHS Share Model HIPAA Notices 1 Week Before Deadline For Updating Business Associate Agreements | ADA, Affordable Care Act, Claims Administration, Corporate Compliance, Data Security, Disability, EEOC, Employee Benefits, Employers, ERISA, Excise Tax, Fiduciary Responsibility, GINA, Health Care Reform, Health Plans, HIPAA, Human Resources, Insurance, MEWA, Patient Protection and Affordable Care Act, Reporting & Disclosure, Tax, Uncategorized, Wellness Programs | Tagged: , , , , , , , , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

IRS Publishes Final Health Reform Individual Shared Responsibility Rules

September 1, 2013

Starting in 2014, the Individual Shared Responsibility mandate of the Patient Protection & Affordable Care Act (ACA) dictates that each individual American either have minimum essential coverage for each month, qualify for an exemption, or make a payment when filing his or her federal income tax return.  In anticipation of the implementation of this Individual Shared Responsibility mandate, the Department of the Treasury and the Internal Revenue Service (IRS) published final regulations implementing the Individual Shared Responsibility mandate in the Internal Revenue Code. The guidance contained in these final regulations provide each American with critical information about their families’ potential exposure to liability for the individual shared responsibility tax in 2014 as well as key insights for employers.  Solutions Law Press, Inc.  authors are finalizing various articles on certain key aspects of these new regulations for publication over the next few days. Stay tuned for more details!

For each month beginning after December 31, 2013, Internal Revenue Code Section 5000A’s Individual Shared Responsibility mandate requires that individual Americans either qualify as exempt, maintain minimum essential coverage for themselves and any nonexempt family members, or pay an individual shared responsibility payment when paying their Federal income tax return.  A taxpayer will be obligated to pay the individual shared responsibility tax under Internal Revenue Code Section 5000A for any non-exempt individual the taxpayer claims on his or her individual tax return as a dependent who is not exempt or enrolled in minimum essential coverage.

Under § 5000A(f)(2), minimum essential coverage includes coverage under an eligible employer-sponsored plan.

The final regulations set the rules that the IRS will use to decide when an individual American will become liable for paying the tax imposed by ACA for failing to maintain the minimum required health insurance coverage mandated by ACA beginning January 1, 2013 and other related rules.  While specifically addressing the obligations of individual Americans to pay the Individual Shared Responsibility payment, the final rules coupled with the availability of the new option for individual Americans to buy coverage through an ACA-qualified federal health care exchange and, depending on the adjusted household income of the individual, potentially also to receive tax credits for enrolling in coverage through an exchange is likely to impact the enrollment choices that employed individuals make about enrolling in coverage offered by their employer versus in coverage through a federally qualified health insurance exchange.  Accordingly, both individual Americans and the businesses that employ them should act quickly to understand the key aspects of the final regulations and their implications.

When considering the effect of these final regulations, employers and individual Americans should keep in mind that Notice 2013-42, issued on June 26, 2013, provides limited transition relief from the Individual Shared Responsibility mandate for employees and their families who are eligible to enroll in certain employer-sponsored health plans with a plan year other than a calendar year if the plan year begins in 2013 and ends in 2014. For additional information on the Individual Shared Responsibility provision, the final regulations and Notice 2013-42, see the IRS questions and answers.

Coming slightly less than a month before the October 1, 2013 scheduled opening of the first enrollment period for individual Americans to enroll in health care coverage through a federally qualified health insurance exchange created pursuant to ACA and the deadline for employers to deliver the notice of the availability of this option dictated by Fair Labor Standards Act 18B,  the final regulations and Obama Administration’s announced plans to enforce its provisions has drawn criticism from a number of groups.  While the Obama Administration has indicated that it still plans to enforce the Individual Shared Responsibility mandate against individual Americans, it announced in July, 2013 that it would delay enforcement of the Employer Shared Responsibility Mandate rules of Internal Revenue Code Section 4980H until 2015.  Many consumer rights groups and others are arguing that the Administration should also delay its enforcement of the Individual Shared Responsibility Mandate in light of its delay of enforcement of Internal Revenue Code Section 4980H against businesses.   Pending a reversal of its position or Congressional relief, the final regulation signal to individual Americans and their employers to prepare to deal with the new Individual Shared Responsibility Mandate beginning in January, 2014.

While the delay in enforcement of the Section 4980H employer shared responsibility payment until 2015 means that employers will not incur liability for failing to provide coverage meeting the minimum essential coverage, minimum value and affordability standards of Internal Revenue Code Section 4980H, the impending implementation of the Individual Shared Responsibility mandate of Internal Revenue Code Section 5000A and the impending availability of tax credits for certain individuals with Household Adjusted Gross Incomes of less than 400 percent of the poverty level almost certainly will influence enrollment decisions that employees make concerning coverage offered by their employer, if any.  Employers  can expect that employee choices about enrolling in employer-sponsored group health coverage will be influenced by the impending obligation to enroll in coverage or pay the individual shared responsibility tax in 2014 governed by the final regulations.  Employers can expect that employee concern about these exposures will prompt many employees to carefully scrutinize and in some cases question the information and implications of information provided by the employer or its plan such as the Section 18B notice that employers must provide by October 1, 2013, the summary of benefits and coverage (SBC) that the Affordable Care Act obligations the employer or plan to provide as the employees work to sort out their choices.  As these and other plan communications are likely to face significant scrutiny, employers and their employee benefit plan fiduciaries and administrators should use extra care to ensure that these and other plan documents and communications are carefully and precisely tailored to accurately convey all material plan terms.

For Help or More Information

If you need help understanding or dealing with these impending notification requirements, with other 2014 health plan decision-making or preparation, or with reviewing and updating, administering or defending your group health or other employee benefit, human resources, insurance, health care matters or related documents or practices, please contact the author of this update, Cynthia Marcotte Stamer.

A Fellow in the American College of Employee Benefit Council, immediate past Chair of the American Bar Association (ABA) RPTE Employee Benefits & Other Compensation Group and current Co-Chair of its Welfare Benefit Committee, Vice-Chair of the ABA TIPS Employee Benefits Committee, a council member of the ABA Joint Committee on Employee Benefits, and past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, Ms. Stamer is recognized, internationally, nationally and locally for her more than 25 years of work, advocacy, education and publications on cutting edge health and managed care, employee benefit, human resources and related workforce, insurance and financial services, and health care matters.

A board certified labor and employment attorney widely known for her extensive and creative knowledge and experienced with these and other employment, employee benefit and compensation matters, Ms. Stamer continuously advises and assists employers, employee benefit plans, their sponsoring employers, fiduciaries, insurers, administrators, service providers, insurers and others to monitor and respond to evolving legal and operational requirements and to design, administer, document and defend medical and other welfare benefit, qualified and non-qualified deferred compensation and retirement, severance and other employee benefit, compensation, and human resources, management and other programs and practices tailored to the client’s human resources, employee benefits or other management goals.  A primary drafter of the Bolivian Social Security pension privatization law, Ms. Stamer also works extensively with management, service provider and other clients to monitor legislative and regulatory developments and to deal with Congressional and state legislators, regulators, and enforcement officials concerning regulatory, investigatory or enforcement concerns.

Recognized in Who’s Who In American Professionals and both an American Bar Association (ABA) and a State Bar of Texas Fellow, Ms. Stamer serves on the Editorial Advisory Board of Employee Benefits News, HR.com, Insurance Thought Leadership, Solutions Law Press, Inc. and other publications, and active in a multitude of other employee benefits, human resources and other professional and civic organizations.   She also is a widely published author and highly regarded speaker on these matters. Her insights on these and other matters appear in the Bureau of National Affairs, Spencer Publications, the Wall Street Journal, the Dallas Business Journal, the Houston Business Journal, Modern and many other national and local publications.   You can learn more about Ms. Stamer and her experience, review some of her other training, speaking, publications and other resources, and register to receive future updates about developments on these and other concerns from Ms. Stamer here.

Other Resources

If you found this update of interest, you also may be interested in reviewing some of the other updates and publications authored by Ms. Stamer available including:

For important information about this communication see here. THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS.  ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.

©2013 Cynthia Marcotte Stamer, P.C. 

Nonexclusive license to republish granted to Solutions Law Press, Inc.  All other rights reserved.

[*] On January 24, 2013, the Department of Labor (the Department) issued guidance stating the Department’s conclusion that the notice requirement under FLSA section 18B will not take effect on March 1, 2013 for several reasons until further guidance setting the extended deadline was published.

Comments Off on IRS Publishes Final Health Reform Individual Shared Responsibility Rules | ADA, Affordable Care Act, Claims Administration, Corporate Compliance, Data Security, Disability, EEOC, Employee Benefits, Employers, ERISA, Excise Tax, Fiduciary Responsibility, GINA, Health Care Reform, Health Plans, HIPAA, Human Resources, Insurance, MEWA, Patient Protection and Affordable Care Act, Reporting & Disclosure, Tax, Uncategorized, Wellness Programs | Tagged: , , , , , , , , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

Impending 10/1 Exchange Notice & Other New Notice Deadlines Cut Time Short For Employers To Finalize 2014 Health Plan Terms & Contracts

August 21, 2013

Employer and union group health plan sponsors and insurers of group and individual health plans (Health Plans) agonizing over 2014 plan design decisions are running out of time. Impending deadlines to update and deliver the initial Exchange Notice by October 1, 2013, the Summary of Benefits and Communications (SBC) disclosure before their next enrollment period begins, and 60-day prior notice of material reductions in benefits or services under the plan mandated by the Patient Protection and Affordable Care Act (ACA) require employers or other sponsors to finalize design decisions and amendments well in advance of January 1, 2014.  These new notification obligations create added urgency and pressure for Health Plans and their employer and other sponsors to finalize and implement their decisions on their Health Plans 2014 plan designs and coverages and make the necessary determinations to prepare and timely deliver the required notifications in accordance with these new notification mandates well before the start of the 2014 plan year or its enrollment period. Employers who in the past have put off these decisions until the last month of the plan year no longer can legally do so.

ACA Exchange Notices Due By October 1

One of the biggest time constraints for finalizing 2014 plan designs, contracts and terms is the impending October 1, 2014 deadline for employers to provide the notice required by Fair Labor Standards Act Section 18B.

Regardless of if the employer sponsors a health plan or when the next plan enrollment period begins, all employers covered by the FLSA generally are required deliver a notice to employees about the new option beginning January 1, 2014 to get health care coverage through a health care exchange (now rebranded by the Obama Administration as a “Marketplace”)(Marketplace) created by ACA that meets the requirements of new FLSA Section 18B enacted Section 1512 of ACA.

Absent a delay or other reprieve from the Obama Administration or Congress,  Open enrollment for health insurance coverage through the Marketplace begins October 1, 2013.  Individuals and employees of small businesses beginning October 1, 2013 can apply for and, beginning January 1, 2014 to buy health care coverage offered through the Marketplace established under ACA for their state (including the Federal Marketplace for states that did not elect to establish their own Marketplace). Some individuals who earn less than 400% of the federal poverty level and meet certain other conditions also are slated to qualify to receive federal subsidies that will pay all or part of the cost of buying coverage through a Marketplace.

To promote awareness among employees of the Marketplace as an option for getting health coverage, creates a new FLSA Section 18B requiring a notice (Exchange Notice) to employees of coverage options available through the Marketplace.  Originally required by March 1, 2013,[*] the Department of Labor (DOL) extended the deadline for providing the Exchange Notice to October 1, 2013.  Employers must provide a notice of coverage options to each employee, regardless of plan enrollment status (if applicable) or of part-time or full-time status. Employers are not required to provide a separate notice to dependents or other individuals who are or may become eligible for coverage under the plan but who are not employees.

All FLSA-Covered Employers Must Provide Exchange Notices Beginning October 1, 2013

Under FLSA Section 18B of the FLSA, each applicable employer must provide each employee at the time of hiring (or with respect to current employees, by October 1, 2013), a written notice that fulfills the applicable Exchange Notice requirements as set forth in the DOL Regulations.

The FLSA section 18B requirement to provide a notice to employees of coverage options applies to all   employers subject to the FLSA. In general, the FLSA applies to employers that employ one or more employees who are engaged in, or produce goods for, interstate commerce. For most firms, a test of not less than $500,000 in annual dollar volume of business applies. The FLSA also specifically covers the following entities: hospitals; institutions primarily engaged in the care of the sick, the aged, mentally ill, or disabled who reside on the premises; schools for children who are mentally or physically disabled or gifted; preschools, elementary and secondary schools, and institutions of higher education; and federal, state and local government agencies.  Employers questioning whether their business is subject to the FLSA should seek the assistance of legal counsel experienced with the FLSA.

Timing and Delivery of Notice

Employers are required to provide the Exchange Notice to each new employee at the time of hiring beginning October 1, 2013. For 2014, the Department will consider a notice to be provided at the time of hiring if the notice is provided within 14 days of an employee’s start date.

For employees who are current employees before October 1, 2013, employers must provide the Exchange Notice no later than October 1, 2013.

The Exchange Notice must be provided in writing in a manner calculated to be understood by the average employee. Employers may deliver the Exchange Notice by first-class mail or, if the electronic notification requirements of the Department of Labor’s electronic disclosure safe harbor at 29 CFR 2520.104b-1(c) are met, electronically.

Required Content of Exchange Notice

The Exchange Notice content mandated by FLSA Section 18B is fairly limited.  Section 18B requires that the Exchange Notice only dictates three required elements:

  • Inform employees of coverage options, including information about the existence of the new Marketplace as well as contact information and description of the services provided by a Marketplace;
  • Inform the employee that the employee may be eligible for a premium tax credit under Section 36B of the Code if the employee purchases a qualified health plan through the Marketplace; and
  • Include a statement informing the employee that if the employee purchases a qualified health plan through the Marketplace, the employee may lose the employer contribution (if any) to any health benefits plan offered by the employer and that all or a portion of such contribution may be excludable from income for Federal income tax purposes.  At minimum, this generally requires that the Exchange Notice distributed by an employer must inform the employee.

Interim DOL guidance implementing these requirements construes the content requirements as requiring that the Exchange Notice tell the employee:

  • Of the existence of the Marketplace (referred to in the statute as the Exchange) including a description of the services provided by the Marketplace, and the way the employee may contact the Marketplace to request assistance;
  • That the employee may be eligible for a premium tax credit or subsidy under Section 36B of the Internal Revenue Code (the Code) if the employee purchases a qualified health plan through the Marketplace and the employer does not offer coverage to the employee under a group health plan that is considered to provide “Minimum Value” for purposes of ACA; and
  • That if the employee purchases a qualified health plan through the Marketplace, the employee may lose the employer contribution (if any) to any health benefits plan offered by the employer and that all or a portion of such contribution may be excludable from income for Federal income tax purposes.

Allow Adequate Time To Do Analysis, Complete Other Steps To Prepare Exchange Notices

Employers should resist the urge to allow the shortness of the list of information required that FLSA Section 18B requires in the Exchange Notice lure them into underestimating the time and effort required to prepare the Exchange Notification.  For many employers, determining if the Health Plan provides Minimum Value can be time-consuming and complex.

For this, the SBC notice discussed later in this update and other purposes, Code Section 36B(c)(2)(C)(ii) provides that an employer-sponsored Health Plan provides Minimum Value if the ratio of the share of total costs paid by the Health Plan relative to the total costs of covered services is no less than 60% of the anticipated covered medical spending for covered benefits paid by a group health plan for a standard population, computed in accordance with the plan’s cost-sharing, and divided by the total anticipated allowed charges for covered benefits provided to a standard population is no less than 60%.  See Patient Protection and ACA: Standards Related to Essential Health Benefits, Actuarial Value, and Accreditation Regulation.

Existing regulations require the employers to get an actuarial certification to determine if its Health Plan provides Minimum Value unless the employer can show that the Health Plan fits the criteria to use and satisfies this test using either the Minimum Value Calculator or an applicable safe harbor design approved by HHS, Treasury and DOL.  These determinations often are time consuming and complex requiring careful review and analysis of the group health plan coverage and benefits.  Many self-insured or other group health plans have plan designs that prevent the employer from relying on the Minimum Value Calculator or design safe harbors.  If the employer cannot rely upon the Minimum Value Calculator or one of the design safe harbors, an actuarial certification will be needed.  Employers need to allow sufficient time to make these determinations in time to complete and deliver the Exchange Notices.

Employers should particularly expect to need to obtain an actuarial certification to determine if the Health Plan provides Minimum Value determination if the Health Plan is taking advantage of temporary relief from the cost sharing limitations of ACA for 2014 announced by the Obama Administration in February and reconfirmed in July, that for 2014 allows Health Plans to apply a separate ACA-compliant out-of-pocket maximum to prescription drug benefits from the ACA-compliant out-of-pocket maximum applied to all other benefits subject to ACA’s cost sharing restrictions.   Since the Minimum Value Calculator cannot take into account this option, however, employers planning to apply a separate out-of-pocket maximum for prescription drug coverage versus other plan benefits should be prepared to get an actuarial certification of whether the plan provides Minimum Value.

DOL Model Exchange Notices Not Panacea

Employers may want to use some or all of the language that the DOL included in Model Notices that DOL published in conjunction with its publication of interim guidance on FLSA Section 18B in Technical Release No. 2013-02 on May 8, 2013 here. Because employers must tailor the content of the Exchange Notice for their group health plan based on specific information about their group health plan, employers are cautioned not to underestimate the time or effort that will be required to properly prepare the Exchange Notice for their group health plan, whether or not the employer makes use of the Model Notices in whole or part.

DOL published three model exchange notices (Model Notices) to assist employers in preparing the Exchange Notice for their Health Plan for 2014. One Model Notice is intended for employers who do not offer a Health Plan.  The second Model Notice is designed for employers who offer a health plan to some or all employees. The third Model Notice is designed for employers to use to notify individuals who are enrolled or eligible to enroll in continuation coverage  under the Health Plan under the Consolidated Omnibus Budget Reconciliation Act of 1985 (COBRA).   Technical Release No. 2013-02 says employers may use the applicable of these models or a modified version, provided the Exchange Notice meets the content requirements described above.

Despite the availability of these Model Notices, preparing and providing the required Exchange Notices required by Section 18B typically requires significant evaluation and presents a variety of challenges for most employers.  While intended to facilitate the ability of employers to prepare and provide the required Exchange Notices, preparing the Model Notices generally is challenging for many employers.

First, even using the Model Notices, the employer must decide if the Health Plan provides Minimum Value.

Another challenge with wholesale use of the Model Notices involves deciding how much of the optional language contained in the Model Notices to include in the Exchange Notice and what optional information, if any, to provide as part of that Notice.

For one thing, the Model Notices propose that the Exchange Notice include statements that many critics view as inappropriately promoting enrollment in coverage through the Marketplace rather than employer sponsored group health plans.  Critics complain, for instance that the Model Notice’s statement that the Marketplaces offer “one-stop shopping” that allows the employee to get coverage that the Model Notice states is more “affordable” are inaccurate or misleading. Many critics view the assertion that coverage obtained through the exchange is more “affordable” to be inaccurate as it does not take into account a comparison of the actual benefits and costs of the respective plan options and whether the employee can afford the typically richer (and therefore often more expensive) benefit packages ACA’s essential health benefits mandates require be included in coverage offered for sale through the Marketplaces and presumes that these higher costs will be defrayed by tax credits or subsidies that are only available if the employee earns less than 400% of the federal poverty level and is not offered the option to enroll in an employer sponsored group health plan coverage that provides “minimum essential coverage” (MEC) and Minimum Value and is “affordable” within the meaning of ACA.

Employers considering using the Model Notices also need to decide if their Exchange Notices will include the optional factual disclosures about their group health plan suggested in the Model Notices, but not required to fulfill the requirements of FLSA Section 18B.

The Model Notices propose that an employer also voluntarily provide a significant amount of other information about its group health plan that FLSA Section permits, but does not require that the Exchange Notice include.  The DOL says it designed the Model Notices to help employers to identify and disclose information that the DOL expects employees interested in the tax credit to subsidize the employee’s cost of enrolling in coverage through the Marketplace will need to get from employers to show eligibility.  DOL assumes that many employers might want to voluntarily provide this information in the Exchange Notice to avoid receiving a multitude of anticipated inquiries from employees interested seeking tax credits to subsidize their enrollment in coverage through the Marketplace.  Since collection the data necessary to make these optional disclosures can add significant complexity and time to the preparation of the Exchange Notice, employers should carefully weigh the pros and cons of making the optional disclosures.  The anticipated demand for this information has declined since the Obama Administration announced it plans to use an “honor system” approach to determine if individuals can claim eligibility for tax credit subsidies for buying coverage through the Marketplaces in 2014.  Meanwhile, the interim nature of the existing guidance on the Exchange Notice and other key aspects of ACA make it reasonable to expect further changes in the expected content of the Exchange Notice, ACA requirements that it is intended to communicate or both which could impact the need for or accuracy of these disclosures.  For this reason, employers should carefully consider whether and what optional disclosures to include in their Exchange Notices.

Don’t Forget To Notify COBRA Qualified Beneficiaries

Technical Release No. 2013-02 indicates that in addition to sending an Exchange Notice to employees, employers or their group health plan administrators also must notify COBRA eligible or enrolled individuals.

In general, under COBRA, an individual who was covered by a group health plan on the day before a qualifying event occurred may be able to elect COBRA continuation coverage upon a qualifying event (such as termination of employment or reduction in hours that causes loss of coverage under the plan). Individuals with such a right are called qualified beneficiaries. A group health plan must provide qualified beneficiaries with an election notice, which describes their rights to continuation coverage and how to make an election. The election notice must be provided to the qualified beneficiaries within 14 days after the plan administrator receives the notice of a qualifying event.

Technical Release No. 2013-02 says that the DOL considers the required disclosures for the Exchange Notice information to be disclosed to qualified beneficiaries and that the DOL is revising previously published model COBRA notices to incorporate this information.

DOL says in Technical Release No. 2013-02 that the group health plans can use the revised model COBRA election notice to satisfy the requirement to provide the election notice under COBRA including the disclosure of information required by FLSA Section 18B. The DOL cautions that as with the earlier model COBRA notices, in order to use this model election notice properly, the plan administrator must complete it by filling in the blanks with the appropriate plan information. Technical Release 2013-02 states that use of the model election notice, appropriately completed, will be considered by the Department of Labor to be good faith compliance with the election notice content requirements of COBRA.

ACA SBC Mandate Overview

In addition to the Exchange Notice requirement, the need to prepare and timely delivery the “Summary of Benefits and Coverage or “SBC”) required by ACA also pressures employers to finalize their health plan terms and contracts for 2014 as soon as possible.

ACA amended the Public Health Services Act (PHS) Section 2715, Employee Retirement Income Security Act (ERISA) Section 715 and the Internal Revenue Code (Code) Section 9815 to require that Health Plans and health insurance issuers provide a SBC and a “Uniform Glossary” that “accurately describes the benefits and coverage under the applicable plan or coverage” in a way that meets the format, content and other detailed SBC standards set for ACA as implemented by the Departments regulatory guidance. Like the Exchange Notice, proper preparation of the SBC requires determination of whether the Health Plan provides Minimum Value, as well as other detailed analysis of the plan terms and coverages to complete the other disclosures required in the SBC.

The Summary of Benefits and Coverage and Uniform Glossary Final Regulation  (Final Regulation) implementing this requirement published February 14, 2012 generally requires Health Plans at specified times including before the first offer of coverage under the Plan as well as following certain material changes to the Plan. For Health Plans providing group health plan coverage, FAQs About ACA Implementation (Part VII)[*] set the deadline for Health Plan to deliver a SBC as follows, while at the same time indicating that the Departments would not impose penalties on plans and issuers “working diligently and in good faith” to provide the required SBC content in an appearance consistent with the Final Regulations:

  • To covered persons enrolling or re-enrolling in an open enrollment period (including late enrollees and re-enrollees) as the first day of the first open enrollment period that begins on or after September 23, 2012; and
  • For individuals enrolling in coverage other than through an open enrollment period (including individuals who are newly eligible for coverage and special enrollees) as the first day of the first plan year that begins on or after September 23, 2012. See FAQs About ACA Implementation (Part VIII).

While the SBC doesn’t prohibit an employer from amending its Health Plan terms after the enrollment period begins, employers that change Health Plan terms or designs after distributing a SBC must incur the expense and effort to prepare and redistribute an updated SBC.  Accordingly, most Health Plans and their sponsors or insurers will want to finalize Health Plan terms before the enrollment period begins to avoid the need to and expense of sending updated SBCs as a result of a later change in Health Plan terms.

The Final Regulation and other existing guidance generally dictates that Health Plans follow a required template for providing the SBC and accompanying glossary. When publishing the Final Regulation, the Departments also published the required SBC template form (2013 SBC Template) and instructions for Health Plans to use to prepare and provide the required SBC for coverage beginning before January 1, 2014 and promised updated guidance and templates for use in providing SBCs for post-2013 coverage. While the Agencies clarified certain other details about the SBC rules, they did not materially change the required content or form of the 2013 SBC Template until their April 23, 2013 release of FAQs About ACA Implementation (Part XIV). See e.g. FAQs About ACA Implementation Part IX and Part X.

FAQ Part XIV Requires MEC and Minimum Value Disclosures In SBC

FAQs About ACA Implementation (Part XIV) published April 23, 2013 announces the updated required 2014 SBC Template that the Agencies are requiring to SBCs for periods of health coverage from January 1, 2014 to December 31, 2014.  Along with the 2014 SBC Template, the Agencies also published 2014 Sample Completed SBC, which provides an example of a SBC completed for a hypothetical health plan prepared by the Agencies.

The 2014 SBC Template updates the 2013 SBC Template and Sample Completed Template to add information the Agencies believe individuals eligible for Health Plan coverage should know in light of the impending implementation of the individual shared responsibility requirements of Internal Revenue Code (Code) Section 5000A and the employer shared responsibility rules of Code Section 4980H commonly called ACA’s “pay-or-play” rules.   These were the “penalty” provisions that the Supreme Court ruled are taxes in 2013.

The April 23, 2013 FAQ expressly requires that SBCs for periods of coverage after December 31, 2013 disclose if the Health Plans provide MEC and Minimum Value to enable participants and beneficiaries to understand if enrollment in the Health Plan will suffice to allow the employee to avoid paying the individual penalty under Code Section 5000(a)’s individual “shared responsibility” rules, to compare the coverage and costs to enroll in the employer’s Health Plan versus to enroll in health care coverage through a Marketplace and to predict how their eligibility for enrollment in the employer’s Health Plan will impact their eligibility to qualify to claim tax credits under Code Section 32G to help subsidize the cost to purchase coverage through a Marketplace.

Code Section 5000A generally imposes a penalty tax on individuals that fail to maintain enrollment in MEC within the meaning of Code Section 5000A(f) and not otherwise exempt under Code Section 5000A(d).  As of the publication of this update, the Obama Administration has not announced any delay in the enforcement of this penalty against individuals, but legislation is pending in Congress that would delay its applicability, along with approving the delay of enforcement of the Code Section 4980H penalties previously announced by the Obama Administration.

Although the Obama Administration announced in early July, 2013 that it will not enforce collection of the Code Section 4980H provisions against employers until 2015, Code Section 4980H generally requires employers of 50 or more full-time employees to pay a penalty if the employer fails to offer a group health plan providing MEC and Minimum Value   Minimum Value is determined for this purpose in the same manner that it is determined for purposes of making the required disclosure in the Exchange Notice.

60-Day Advance Notice of Material Changes Requirement

In addition to providing the required Exchange Notice and SBCs, employers, group health plans and their plan administrators also must ensure that participants and beneficiaries are given at least 60 days prior notice before the effective date of any “material reduction in covered services or benefits.” See 29

CFR Section 2520.104b-3(d)(3); also see 29 CFR Section 2520.104b-3(d)(2) regarding a 90-day alternative rule.

Section 102 of ERISA has been amended to require 60-day advance notice of material plan changes for plan years beginning on or after September 23, 2012 before the change can be effective.  The 60-day advance notification requirement is a modification to the summary plan description/summary of material modification requirements generally applicable to employee benefit plans under ERISA.

The rule’s definition of “material modification” is the same as the definition in the summary of material modifications rule generally applicable to employee benefit plans under ERISA Section 102.

DOL guidance indicates that group health plans can meet the 60-day advance notice requirement by providing an updated Summary of Benefits and Coverage if the change is reflected on the summary or by sending a separate written notice describing the material modification.

Group health plan issuers or sponsors that willfully (intentionally) fail to provide the notice of material modification can face a fine of up to $1,000 for each failure. Each covered individual equates to a separate offense for purposes of these penalties.

Employer and other group health sponsors, issuers, fiduciaries and administrators also should keep in mind that courts historically refuse to enforce reductions in benefits or services provided under the plan until participants and beneficiaries are notified of the change.  For purposes of the ERISA notification rules, group health plans, their sponsors, insurers, administrators and fiduciaries are cautioned to take into account whether health care providers or other parties who have assignments of benefits should be provided with notification under these or other ERISA rules in addition to the employees and dependents who are enrolled in coverage under the group health plan.

Notice Deadlines Mean Time Short To Adopt & Communicate 2014 Plan Terms

Employer and other health plan sponsors, insurers, administrators and others involved in 2014 group health plan decisions and preparations must take into account these notification deadlines and allow adequate lead time to properly finalize, adopt and communicate their 2014 health plan terms.

Since group health plan design decisions must be finalized to properly prepare the Minimum Value disclosures required in the Exchange Notice and the SBC and any material reductions required by the 60-day advance notice requirement, time running short to finalize 2014 plan designs.

Employer and other plan sponsors, fiduciaries, administrators, and insurers are cautioned that their preparations should ensure both the necessary disclosures are made and that all disclosures are carefully prepared so that the notifications and the plan terms are consistent.

These preparations should include the critical review and coordination of the language of health plan documents and summary plan descriptions in light of these other notifications to identify and address potential differences between the government-mandated terms and language in the Glossary and SBC, the Exchange Notice and 60-day notice and the plan terms and summary plan description.

Arrangements also must include proper structuring and formatting of all of these documents and timely distribution in accordance with applicable regulations to participants and beneficiaries entitled to receive these documents in a manner that positions the employer, the group health plan and its fiduciaries and insurers to show compliance. In regard to distributions, parties planning to distribute notifications electronically need to ensure that any electronic or other methods of distribution meet applicable requirements and that the Health Plans timely send copies to all entitled parties – employees and dependents – in accordance with the applicable rules.

When planning these activities, group health plans, their sponsors, insurers and administrators also generally will want to minimize distribution costs by coordinating distribution of these ACA mandated notices with other notifications required for group health plans about privacy, coverage for newborns and mothers, mental health coverage, post-mastectomy reconstructive surgery and the like.

For Help or More Information

If you need help understanding or dealing with these impending notification requirements, with other 2014 health plan decision-making or preparation, or with reviewing and updating, administering or defending your group health or other employee benefit, human resources, insurance, health care matters or related documents or practices, please contact the author of this update, Cynthia Marcotte Stamer.

A Fellow in the American College of Employee Benefit Council, immediate past Chair of the American Bar Association (ABA) RPTE Employee Benefits & Other Compensation Group and current Co-Chair of its Welfare Benefit Committee, Vice-Chair of the ABA TIPS Employee Benefits Committee, a council member of the ABA Joint Committee on Employee Benefits, and past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, Ms. Stamer is recognized, internationally, nationally and locally for her more than 25 years of work, advocacy, education and publications on cutting edge health and managed care, employee benefit, human resources and related workforce, insurance and financial services, and health care matters.

A board certified labor and employment attorney widely known for her extensive and creative knowledge and experienced with these and other employment, employee benefit and compensation matters, Ms. Stamer continuously advises and assists employers, employee benefit plans, their sponsoring employers, fiduciaries, insurers, administrators, service providers, insurers and others to monitor and respond to evolving legal and operational requirements and to design, administer, document and defend medical and other welfare benefit, qualified and non-qualified deferred compensation and retirement, severance and other employee benefit, compensation, and human resources, management and other programs and practices tailored to the client’s human resources, employee benefits or other management goals.  A primary drafter of the Bolivian Social Security pension privatization law, Ms. Stamer also works extensively with management, service provider and other clients to monitor legislative and regulatory developments and to deal with Congressional and state legislators, regulators, and enforcement officials concerning regulatory, investigatory or enforcement concerns.

Recognized in Who’s Who In American Professionals and both an American Bar Association (ABA) and a State Bar of Texas Fellow, Ms. Stamer serves on the Editorial Advisory Board of Employee Benefits News, HR.com, Insurance Thought Leadership, Solutions Law Press, Inc. and other publications, and active in a multitude of other employee benefits, human resources and other professional and civic organizations.   She also is a widely published author and highly regarded speaker on these matters. Her insights on these and other matters appear in the Bureau of National Affairs, Spencer Publications, the Wall Street Journal, the Dallas Business Journal, the Houston Business Journal, Modern and many other national and local publications.   You can learn more about Ms. Stamer and her experience, review some of her other training, speaking, publications and other resources, and register to receive future updates about developments on these and other concerns from Ms. Stamer here.

Other Resources

If you found this update of interest, you also may be interested in reviewing some of the other updates and publications authored by Ms. Stamer available including:

For important information about this communication see here. THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS.  ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.

©2013 Cynthia Marcotte Stamer, P.C. 

Nonexclusive license to republish granted to Solutions Law Press, Inc.  All other rights reserved.

[*] On January 24, 2013, the Department of Labor (the Department) issued guidance stating the Department’s conclusion that the notice requirement under FLSA section 18B will not take effect on March 1, 2013 for several reasons until further guidance setting the extended deadline was published.

Comments Off on Impending 10/1 Exchange Notice & Other New Notice Deadlines Cut Time Short For Employers To Finalize 2014 Health Plan Terms & Contracts | ADA, Affordable Care Act, Claims Administration, Corporate Compliance, Data Security, Disability, EEOC, Employee Benefits, Employers, ERISA, Excise Tax, Fiduciary Responsibility, GINA, Health Care Reform, Health Plans, HIPAA, Human Resources, Insurance, MEWA, Patient Protection and Affordable Care Act, Reporting & Disclosure, Tax, Uncategorized, Wellness Programs | Tagged: , , , , , , , , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

Health Plan Pays $1.2M+ HIPAA Settlement For Not Protecting PHI On Copiers

August 15, 2013

Affinity Health Plan, Inc. (Affinity) will pay $1,215,780 and take other corrective actions to settle alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules under the Affinity Resolution Agreement and CAP (Affinity Settlement) with the U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR).  The settlement comes as the September 24, 2013 deadline for health plans, health care providers, health care clearinghouses (Covered Entities) and their business associates to update the written business associate agreements that HIPAA requires exist before business associates can be allowed to create, use, access or disclose personally identifiable health care information protected by HIPAA (PHI) to carry out HIPAA-covered functions on behalf of a Covered Entity to comply with changes to HIPAA’s implementing regulations adopted by OCR earlier this year.  Health plans and other Covered Entities should take timely action to confirm that their existing procedures appropriate safeguards to protect PHI when using or disposing of copiers or other equipment or media as well as to implement business associate or other policy, procedures or training updates required to comply with the updated HIPAA rules.

HIPAA Updates Require Breach Notification, Tightened Other HIPAA Requirements

HIPAA generally requires that Covered Entities (and after September 24, 2013, their business associates) safeguard and restrict the use, access or disclosure of PHI as required by HIPAA.  The HITECH Act amended these requirements to tighten certain of these requirements and restrictions, to expand the sanctions for violation of these requirements, to require Covered Entities and their business associates to provide notification of breaches of unsecured PHI to individuals whose information was breached, OCR and in some cases, the media, and made certain other changes to the original requirements of HIPAA.  Earlier this year, OCR amended and restated its original Privacy and Security Rules here (2013 Final Rule) to comply with changes in the regulations resulting from these HITECH Act amendments beginning last March, but set the deadline for updating business associate agreements to meet these updated requirements at September 23, 2013.

The 2013 Final Rule and other OCR guidance makes clear that OCR expects Covered Entities and their business associates appropriately to safeguard PHI stored in computers, hard drives, and other digital media until it is properly disposed in accordance with the updated standards required by HIPAA as implemented under the 2013 Final Rule. HITECH Breach Notification Rule requires HIPAA-covered entities to tell HHS of a breach of unsecured protected health information, including breaches resulting from failure to properly secure PHI stored in digital format until it has been destroyed in accordance with the standards established by the 2013 Final Rule.   OCR previously has sanctioned other Covered Entities for failed to properly destroy or safeguard PHI stored in digital format on computer or other equipment before abandoning or disposing of that equipment.  The Affinity Settlement reaffirms OCR’s concern that Covered Entities meet these disposal requirements when replacing or abandoning equipment containing electronic PHI.

Affinity Settlement Highlights

According to the August 14, 2013 OCR announcement of the settlement, the settlement resulted from an investigation initiated after Affinity filed a breach report with OCR on April 15, 2010, as required by the Health Information Technology for Economic and Clinical Health Act (HITECH Act.)

In its breach report, Affinity indicated that a representative of CBS Evening News told Affinity that, as part of an investigatory report, CBS had purchased a photocopier previously leased by Affinity.  CBS informed Affinity that the copier that Affinity had used contained confidential medical information on the hard drive.

Affinity estimated in its breach report that up to 344,579 individuals may have been affected by this breach. OCR’s investigation indicated that Affinity impermissibly disclosed the protected health information of these affected individuals when it returned multiple photocopiers to leasing agents without erasing the data contained on the copier hard drives.  In addition, OCR reports its investigation revealed that Affinity failed to incorporate the electronic protected health information (ePHI) stored on photocopier hard drives in its analysis of risks and vulnerabilities as required by the Security Rule, and failed to implement policies and procedures when returning the photocopiers to its leasing agents.

In addition to the $1,215,780 payment, the Affinity Settlement includes a corrective action plan requiring Affinity to use its best efforts to retrieve all hard drives that were contained on photocopiers previously leased by the plan that remain in the possession of the leasing agent, and to take certain measures to safeguard all ePHI.

Learn From Affinity Lesson On Proper Disposal Procedures

Like prior OCR settlements stemming from inadequate security for PHI when transitioning equipment, media or facilities, the Affinity Settlement sends another reminder to Covered Entities and their business associates again of the importance of using appropriate procedures to protect or dispose of PHI when replacing or redeploying equipment or media that may contain PHI.

“This settlement illustrates an important reminder about equipment designed to retain electronic information: Make sure that all personal information is wiped from hardware before it’s recycled, thrown away or sent back to a leasing agent,” said OCR Director Leon Rodriguez.  “HIPAA covered entities are required to undertake a careful risk analysis to understand the threats and vulnerabilities to individuals’ data, and have appropriate safeguards in place to protect this information.”

OCR has published guidance concerning HIPAA’s requirements for the proper safeguarding and disposal of media and equipment in the 2013 Final Rule and other guidance.  Concerning the proper disposition of copiers that may have PHI stored on their hard drives or in other digital formal, OCR in the Affinity Settlement recommended that Covered Entities and their associates also review the Federal Trade Commission’s Guidance On Safeguarding Sensitive Data Stored In The Hard Drives Of Digital Copiers and the National Institute of Standards and Technology has issued Guidance On Assessing The Security Of Multipurpose Office Machines.  Covered Entities and their business associates should use this and other guidance to ensure that they can demonstrate that appropriate practices and procedures have been used to when disposing of or repurposing copies or other equipment that may contain electronic PHI.

HIPAA Regulation Updates Require Other Updates Beyond Disposal Procedures

In addition to addressing the concerns that lead to the Affinity Settlement, Covered Entities and their business associates also should verify that their practices, policies, privacy notices, business associate agreements, and training also are updated to comply with updates to the updated 2013 Final Rule adopted by OCR earlier this year here.

Since passage of the HITECH Act, OCR officials have warned Covered Entities to expect an omnibus restatement of its original regulations.  While OCR had issued certain regulations implementing some of the HITECH Act changes, it waited to publish certain regulations necessary to implement other HITECH Act changes until it could complete a more comprehensive restatement of its previously published HIPAA regulations to reflect both the HITECH Act amendments and other refinements to  its HIPAA Rules. The 2013 Regulations published today fulfill  that promise by restating OCR’s HIPAA Regulations to reflect the HITECH Act Amendments and other changes and clarifications to OCR’s interpretation and enforcement of HIPAA.

In response to the updated Final Regulations and these expanding HIPAA enforcement and exposures, all Covered Entities should review critically and carefully the adequacy of their current HIPAA Privacy and Security compliance policies, monitoring, training, breach notification and other practices taking into consideration OCR’s investigation and enforcement actions, emerging litigation and other enforcement data; their own and reports of other security and privacy breaches and near misses; and other developments to decide if additional steps are necessary or advisable.   In response to these expanding exposures, all covered entities and their business associates should review critically and carefully the adequacy of their current HIPAA Privacy and Security compliance policies, monitoring, training, breach notification and other practices taking into consideration OCR’s investigation and enforcement actions, emerging litigation and other enforcement data; their own and reports of other security and privacy breaches and near misses, and other developments to decide if tightening their policies, practices, documentation or training is necessary or advisable.

For Help or More Information

If you need help monitoring or providing input on this legislation or to understand and respond to these or other legislation, laws and regulations, or with reviewing and updating, administering or defending your group health or other employee benefit, human resources, insurance, health care matters or related documents or practices, please contact the author of this update, Cynthia Marcotte Stamer.

A Fellow in the American College of Employee Benefit Council, immediate past Chair of the American Bar Association (ABA) RPTE Employee Benefits & Other Compensation Group and current Co-Chair of its Welfare Benefit Committee, Vice-Chair of the ABA TIPS Employee Benefits Committee, a council member of the ABA Joint Committee on Employee Benefits, and past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, Ms. Stamer is recognized, internationally, nationally and locally for her more than 25 years of work, advocacy, education and publications on cutting edge health and managed care, employee benefit, human resources and related workforce, insurance and financial services, and health care matters including extensive experience on HIPAA and other privacy and data security issues.  Author of numerous prominent publications on HIPAA and other data security and privacy concerns impacting health plans, health care providers, employers, financial services providers and others, Ms. Stamer also serves as the scribe for the ABA JCEB annual Technical Sessions meeting with OCR and has represented numerous health plans, employers, health care providers and others in investigating, redressing, reporting data breach, identity theft and other compliance concerns.

She advises clients on, publishes, and speaks on HIPAA and other health plan, qualified and non-qualified deferred compensation and retirement, severance and other employee benefit, compensation, and human resources, management and other programs and practices tailored to the client’s human resources, employee benefits or other management goals.  A primary drafter of the Bolivian Social Security pension privatization law, Ms. Stamer also works extensively with management, service provider and other clients to monitor legislative and regulatory developments and to deal with Congressional and state legislators, regulators, and enforcement officials about regulatory, investigatory or enforcement concerns.

Recognized in Who’s Who In American Professionals and both an American Bar Association (ABA) and a State Bar of Texas Fellow, Ms. Stamer serves on the Editorial Advisory Board of Employee Benefits News, the editor and publisher of Solutions Law Press HR & Benefits Update and other Solutions Law Press Publications, and active in a multitude of other employee benefits, human resources and other professional and civic organizations.   She also is a widely published author and highly regarded speaker on these matters. Her insights on these and other matters appear in the Bureau of National Affairs, Spencer Publications, the Wall Street Journal, the Dallas Business Journal, the Houston Business Journal, Modern and many other national and local publications.   You can learn more about Ms. Stamer and her experience, review some of her other training, speaking, publications and other resources, and register to receive future updates about developments on these and other concerns from Ms. Stamer here.

Other Resources

If you found this update of interest, you also may be interested in reviewing some of the other updates and publications authored by Ms. Stamer available including:

For important information about this communication click here. THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS.  ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.

©2013 Cynthia Marcotte Stamer, P.C.  Nonexclusive license to republish granted to Solutions Law Press, Inc.  All other rights reserved

Comments Off on Health Plan Pays $1.2M+ HIPAA Settlement For Not Protecting PHI On Copiers | ADA, Affordable Care Act, Claims Administration, Corporate Compliance, Data Security, Disability, EEOC, Employee Benefits, Employers, ERISA, Excise Tax, Fiduciary Responsibility, GINA, Health Care Reform, Health Plans, HIPAA, Human Resources, Insurance, MEWA, Patient Protection and Affordable Care Act, Reporting & Disclosure, Tax, Uncategorized, Wellness Programs | Tagged: , , , , , , , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

Report Questions Security As HHS Invites Consumers To Set Up Personal Accounts To Prepare For Exchange Enrollment Period

August 6, 2013

Report Highlights Concerns About Security Of Sensitive Personal Information Americans Will Share With HHS Exchange Portal AS HHS Invites Consumers To Set Up Personal Accounts

The reported finding that the Department of Health & Human Services (HHS) has yet to complete the necessary security arrangements and testing for the web-portal Incomplete security arrangements and testing necessary to ensure the security of personal health and other information shared by consumers on the health insurance exchange Hub that Obamacare charged the HHS Centers for Medicare & Medicaid Services (CMS)  with creating under Obama Care raises concerns about whether these security issues might undermine the security of the sensitive personal information that a consumer might share now or in the future when exploring or enrolling in health coverage options offered through the health insurance exchange.

On Monday, August 5, 2013, HHS sought to beef up interest and anticipation among Americans for the new health insurance exchange option by inviting consumers to prepare for the upcoming enrollment period scheduled to begin October 1, 2013 by creating their personal accounts on HHS’ Healthcare.gov website now.

HHS began encouraging Americans to the HHS website “healthcare.gov” to open a personal account, the first step to buying coverage through one of the health insurance exchanges that HHS is creating under the Patient Protection & Affordable Care Act reforms.  See Consumers Can Take First Step To Enrolling In New Insurance Options Today.  HHS is encouraging Americans to prepare for enrollment today by setting up their personal account on the HHS Website, Healthcare.gov.  A HHS Twitter Tweet yesterday announced , “Today you can be 1 step closer to getting health ins. by creating your Marketplace account:.” The Healthcare.gov website main page now invites Americans to “[a]nswer a few questions to get some personalized info here.”

Unfortunately, HHS kicked off this campaign on the same day that the HHS’s Office of Inspector General (OIG) released a report titled Observations Noted During The OIG Review Of CMS’s Implementation Of The Health Insurance Exchange—Data Services Hub (Report) that raises questions about the adequacy of the current security of the data portal and whether HHS will complete the arrangements and testing to verify it appropriately safeguards the security of the sensitive personal information that consumers will share there when the enrollment period begins and thereafter.

Data shared by Americans as part of the process of exploring and enrolling in coverage through the health insurance exchanges will be collected and shared through a data security Hub that will host and transmit that data.  The OIG Report raises clear concerns about the existing security arrangements that CMS has implemented to protect that data, as well as questions about whether CMS will complete the necessary arrangements to secure and protect that sensitive data before enrollment begins October 1.

The findings reported by OIG in the Report raise significant questions about whether Americans should accept the HHS invitation to establish their personal accounts now in anticipation of the October 1, 2013 beginning of the  enrollment period for applying for coverage through the health insurance exchanges that would take effect on January 1, 2014.

The Report makes clear that OIG found reason for concern about the Hub security currently and whether these issues will be adequately addressed by the time the enrollment period begins on October 1, 2013.

OIG reports many critical tasks required to implement and test necessary security controls are unfinished.  It states “[S]everal critical tasks remain to be completed in a short period of time, such as the final independent testing of the Hub’s security controls, remediating security vulnerabilities identified during testing, and obtaining the security authorization decision for the Hub before opening the exchanges. CMS’s current schedule is to complete all of its tasks by October 1, 2013, in time for the expected initial open enrollment period.”

While acknowledging that CMS has affirmed its commitment to complete and implement the necessary security arrangements before enrollment begins on October 1, 2013, the OIG Report also notes that CMS already has missed several critical target dates in its efforts to implement the required security measures.

The Report additionally states: “CMS is working with very tight deadlines to ensure that security measures for the Hub are assessed, tested, and implemented by the expected initial open enrollment date of October 1, 2013. If there are additional delays in completing the security assessment and testing, the CMS CIO may have limited information on the security risks and controls when granting the security authorization of the Hub.” (emphasis added).

The security concerns highlighted in the Report should raise questions about the adequacy of the security of information that an individual might enter on the Healthcare.gov portal in response to the invitation of HHS extended beginning yesterday. 

The importance of the security concerns raised in the reports becomes evident when one considers that consumers establishing their personal accounts must “Choose  your user name and password; Create security questions to add an extra layer of protecting your information.”   While many may be temped to discount the significance of the security concerns because the information that HHS currently asks individuals to share when they create their personal accounts appears relatively harmless, it merits noting that the creation of the login and security password that will be used to control access to the personal account of registrants are among those initial elements. To the extent security deficiencies compromise the security of this information, these security deficiencies could undermine the security of the personal accounts and all of the information they contain.

The Report does not make clear whether the security issues identified in the Report could compromise logon and password security of the personal accounts established by consumers now or in the future. However, it bears noting that securing the logon and passwords used to access electronic resources containing sensitive personal health care information and establishing other appropriate safeguards to protect the security of personal health information is one of the key responsibilities that  the Health Insurance Portability & Accountability Act (HIPAA) Security Rules require health plans, health care providers, health care clearinghouses and their business associates to protect and secure.  Failure to implement and administer appropriate safeguards for logons and passwords could compromise all the sensitive data in the personal account now or in the future.   Until questions about the security issues and their implications on the logon, password and other information associated with personal accounts are established,  Americans concerned about the security of their personal information may want to hold off entering data in response to the HHS’s invitation.  Additionally, Americans concerned about these and other security issues also may want to share their feedback with HHS and members of Congress.

Are you concerned about whether health care reform preparations are on track or have other health care policy concerns. Tell us what you think by responding to our poll. 

Join the discussion about health care reform and share your input by joining Project COPE: Coalition for Patient Empowerment here.

About Project COPE: The Coalition On Patient Empowerment & Its  Coalition on Responsible Health Policy

Sharing and promoting the use of practical practices, tools, information and ideas that patients and their families, health care providers, employers, health plans, communities and policymakers can share and offer to help patients, their families and others in their care communities to understand and work together to better help the patients, their family and their professional and private care community plan for and manage these  needs is the purpose of Project COPE, The Coalition on Patient Empowerment & It’s Affiliate, the Coalition on Responsible Health Policy.

The best opportunity to improve access to quality, affordable health care for all Americans is for every American, and every employer, insurer, and community organization to seize the opportunity to be good Samaritans.  The government, health care providers, insurers and community organizations can help by providing education and resources to make understanding and dealing with the realities of illness, disability or aging easier for a patient and their family, the affected employers and others. At the end of the day, however, caring for people requires the human touch.  Americans can best improve health care by not waiting for someone else to step up:  Step up and help bridge the gap when you or your organization can. Speak up to help communicate and facilitate when you can.  Building health care neighborhoods filled with good neighbors throughout the community is the key.

The outcome of this latest health care reform push is only a small part of a continuing process.  Whether or not the Affordable Care Act makes financing care better or worse, the same challenges exist.  The real meaning of the enacted reforms will be determined largely by the shaping and implementation of regulations and enforcement actions which generally are conducted outside the public eye.  Americans individually and collectively clearly should monitor and continue to provide input through this critical time to help shape constructive rather than obstructive policy. Regardless of how the policy ultimately evolves, however, Americans, American businesses, and American communities still will need to roll up their sleeves and work to deal with the realities of dealing with ill, aging and disabled people and their families.  While the reimbursement and coverage map will change and new government mandates will confine providers, payers and patients, the practical needs and challenges of patients and families will be the same and confusion about the new configuration will create new challenges as patients, providers and payers work through the changes.

We also encourage you and others to help develop real meaningful improvements by joining Project COPE: Coalition for Patient Empowerment here by sharing ideas, tools and other solutions and other resources. The Coalition For Responsible Health Care Policy provides a resource that concerned Americans can use to share, monitor and discuss the Health Care Reform law and other health care, insurance and related laws, regulations, policies and practices and options for promoting access to quality, affordable healthcare through the design, administration and enforcement of these regulations.

Other Helpful Resources & Other Information

We hope that this information is useful to you.   If you found these updates of interest, you also be interested in one or more of the following other recent articles published on the Coalition for Responsible Health Care Reform electronic publication available here, our electronic Solutions Law Press Health Care Update publication available here, or our HR & Benefits Update electronic publication available here .  You also can get access to information about how you can arrange for training on “Building Your Family’s Health Care Toolkit,”  using the “PlayForLife” resources to organize low-cost wellness programs in your workplace, school, church or other communities, and other process improvement, compliance and other training and other resources for health care providers, employers, health plans, community leaders and others here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail by creating or updating your profile here. You can reach other recent updates and other informative publications and resources.

Recent examples of these publications include:

For important information about this communication click here.

©2013 Cynthia Marcotte Stamer.  Nonexclusive right to republish granted to Solutions Law Press, Inc. All other rights reserved.

 

Comments Off on Report Questions Security As HHS Invites Consumers To Set Up Personal Accounts To Prepare For Exchange Enrollment Period | Employee Benefits, Employers, Health Plans, HIPAA, Human Resources, Patient Protection and Affordable Care Act | Tagged: , , , , , , , , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

HHS Continues Preparations For New Health Insurance Marketplace By Awarding Grants To Promote Kids Enrollment

July 2, 2013

As part of its continuing efforts to promote enrollment in the Health Insurance Marketplace slated to take effect January 1, 2014, the Department of Health and Human Services (HHS) today (July 2, 2013) announced the award of nearly $32 million in grants for efforts to identify and enroll children eligible for Medicaid and the Children’s Health Insurance Program (CHIP). The Connecting Kids to Coverage Outreach and Enrollment Grants were awarded to 41 state agencies, community health centers, school-based organizations and non-profit groups in 22 states; two grantees are multistate organizations.  The announcement comes as employers and others continue to express concern about the sufficiency of preparations and HHS’ recent rollout of online tools to aid consumers enroll in the new Health Care Marketplace scheduled to launch January 1, 2014 as part of the continuing implementation of reforms enacted as part of the Patient Protection & Affordable Care Act (Affordable Care Act).

Announced Grants Target Increased CHIP & Medicaid Enrollment In Preparation For Health Care Marketplace

In amounts ranging from $190,000 to $1 million out of the $140 million included in the Affordable Care Act and the Children’s Health Insurance Program Reauthorization Act (CHIPRA) of 2009 for enrollment and renewal outreach,  HHS Reports the grants awarded to the grantees listed here focus on 5 areas:

  • Engaging schools in outreach, enrollment and retention activities (9 awards);
  • Reducing health coverage disparities by reaching out to subgroups of children that are less likely to have health coverage (8 awards);
  • Streamlining enrollment for individuals participating in other public benefit programs such as nutritional or other assistance programs (3 awards);
  • Improving application assistance resources to provide high quality, reliable Medicaid and CHIP enrollment and renewal services in local communities (13 awards); and
  • Training communities to help families understand the new application and enrollment system and to deliver effective assistance to families with children eligible for Medicaid or CHIP (8 awards).

According to HHS, the grants will build on the Secretary’s Connecting Kids to Coverage Challenge to find and enroll all eligible children and support outreach strategies that have been shown to be successful.

According to HHS, Connecting Kids to Coverage Outreach and Enrollment Grant Awards (Cycle III) Efforts to streamline Medicaid and CHIP enrollment and renewal practices, combined with robust outreach activities, have helped reduce the number of uninsured children.  Since 2008,  HHS claims 1.7 million children have gained coverage and the rate of uninsured children has dropped to 6.6 percent in 2012

“Today’s grants will ensure that more children across the nation have access to the quality health care they need,” said Secretary Sebelius. “We are drawing from successful children’s health coverage outreach and enrollment efforts to help promote enrollment this fall in Medicaid and the new Health Insurance Marketplace.”

Continuing Preparations For New Health Care Marketplace

 The grant awards are part of a much broader effort by HHS to prepare Americans to enroll in the newly reformed Health Insurance Marketplace that the Obama Administration is working to implement as part of the sweeping reforms enacted by the Affordable Care Act.

Enrollment is the Health Insurance Exchanges also to be included in the new federal health care marketplace is scheduled to begin October 1, 2013.  In anticipation of this deadline, HHS recently also announced its rollout of new consumer health care education and decision-making tools on its newly designed www.healthcare.gov  website.

In announcing its launch of its Health Insurance Marketplace educational tools here on June 24, 2013, the Department of Health & Human Services (HHS) repeated recent claims that HHS and the states are on target to begin enrollment on October 1, 2013 in the federal and state health care exchanges now retitled “Health Insurance Marketplace” by the Administration, to meet other key milestones and to the beginning coverage under the newly created Health Insurance Marketplaces beginning January 1, 2014.

As part of these preparations, HHS kicked off an aggressive Health Insurance Marketplace education effort by announcing the deploying of with newly designed “consumer-focused” HealthCare.gov website and the 24-hours-a-day consumer call center that HHS claims provide all the necessary tools to prepare Americans for open enrollment and ultimately sign up for private health insurance.

While HHS says its tools and other preparations will get the Health Care Marketplaces and Americans ready for the conversion of the U.S. health care system slated to begin January 1, 2014, others are less confident.  For instance, GAO officials recently found that major work that federal and state officials  must complete to timely begin enrollment by October 1 remains unfinished, making it unclear if they will meet the impending October 1, 2013 enrollment kickoff deadline.  See GAO Report and  GAO Report.

Meanwhile, employers of 50 or more full-time employees and others also have complained that delayed and incomplete guidance has prevented them from understanding their obligations and moving to complete preparations to comply with the new employer mandates by delaying private market reforms and employer preparations.  These problems have been further complicated by recent media coverage and public debate about the access to sensitive personal health care, financial information and the role of the Internal Revenue Service and other government agencies under the Affordable Care Act following recent charges that certain Internal Revenue Service officials improperly targeted certain charitable organization and their organizers as part of application approval and audits.

Despite these concerns, HHS is marching ahead on its efforts to implement the law by launching these and other enrollment and educational outreach.

For Help or More Information

If you need help with preparing these or other Affordable Care Act compliance or with reviewing and updating, administering or defending your group health or other employee benefit, human resources, insurance, health care matters or related documents or practices, please contact the author of this update, Cynthia Marcotte Stamer.

A Fellow in the American College of Employee Benefit Council, immediate past Chair of the American Bar Association (ABA) RPTE Employee Benefits & Other Compensation Group and current Co-Chair of its Welfare Benefit Committee, Vice-Chair of the ABA TIPS Employee Benefits Committee, a council member of the ABA Joint Committee on Employee Benefits, and past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, Ms. Stamer is recognized, internationally, nationally and locally for her more than 25 years of work, advocacy, education and publications on cutting edge health and managed care, employee benefit, human resources and related workforce, insurance and financial services, and health care matters including extensive experience on HIPAA and other privacy and data security issues.

A board certified labor and employment attorney widely known for her extensive and creative knowledge and experienced with these and other employment, employee benefit and compensation matters, Ms. Stamer continuously advises and assists employers, employee benefit plans, their sponsoring employers, fiduciaries, insurers, administrators, service providers, insurers and others to monitor and respond to evolving legal and operational requirements and to design, administer, document and defend medical and other welfare benefit, qualified and non-qualified deferred compensation and retirement, severance and other employee benefit, compensation, and human resources, management and other programs and practices tailored to the client’s human resources, employee benefits or other management goals.  A primary drafter of the Bolivian Social Security pension privatization law, Ms. Stamer also works extensively with management, service provider and other clients to monitor legislative and regulatory developments and to deal with Congressional and state legislators, regulators, and enforcement officials about regulatory, investigatory or enforcement concerns.

Recognized in Who’s Who In American Professionals and both an American Bar Association (ABA) and a State Bar of Texas Fellow, Ms. Stamer serves on the Editorial Advisory Board of Employee Benefits News, the editor and publisher of Solutions Law Press HR & Benefits Update and other Solutions Law Press Publications, and active in a multitude of other employee benefits, human resources and other professional and civic organizations.   She also is a widely published author and highly regarded speaker on these matters. Her insights on these and other matters appear in the Bureau of National Affairs, Spencer Publications, the Wall Street Journal, the Dallas Business Journal, the Houston Business Journal, Modern and many other national and local publications.   You can learn more about Ms. Stamer and her experience, review some of her other training, speaking, publications and other resources, and register to receive future updates about developments on these and other concerns from Ms. Stamer here.

Other Resources

If you found this update of interest, you also may be interested in reviewing some of the other updates and publications authored by Ms. Stamer available including:

For important information about this communication click here. THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS.  ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.

©2013 Cynthia Marcotte Stamer, P.C.  Nonexclusive license to republish granted to Solutions Law Press, Inc.  All other rights reserved

Comments Off on HHS Continues Preparations For New Health Insurance Marketplace By Awarding Grants To Promote Kids Enrollment | ADA, Affordable Care Act, Claims Administration, Corporate Compliance, Data Security, Disability, EEOC, Employee Benefits, Employers, ERISA, Excise Tax, Fiduciary Responsibility, GINA, Health Care Reform, Health Plans, HIPAA, Human Resources, Insurance, MEWA, Patient Protection and Affordable Care Act, Reporting & Disclosure, Tax, Uncategorized, Wellness Programs | Tagged: , , , , , , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

HHS Touts Enrollment Tools, Says Exchange Enrollment Ready Despite GAO Concerns

June 26, 2013

Despite growing concerns expressed by the General Accounting Office (GAO) and others about arrangements and the need for added funding to prepare for the massive conversion in the U.S. health care system slated to take effect January 1, 2014 under the Patient Protection & Affordable Care Act (“ACA), Obama Administration officials are continuing to claim readiness to begin enrollment of Americans In federal health care marketplace on schedule on October 1, 2013 and to meet other crucial deadlines necessary to effectively implement the next wave of ACA’s health care reforms in the Department of Health & Human Service’s rollout of new consumer health care education and decision-making tools on its newly designed healthcare.gov website.

In announcing its launch of its Health Insurance Marketplace educational tools here on June 24, 2013, the Department of Health & Human Services (HHS) repeated recent claims that HHS and the states are on target to begin enrollment on October 1, 2013 in the federal and state health care exchanges now retitled “Health Insurance Marketplace” by the Administration, to meet other key milestones and to the beginning coverage under the newly created Health Insurance Marketplaces beginning January 1, 2014.

As part of these preparations, HHS kicked off an aggressive Health Insurance Marketplace education effort by announcing the deploying of with newly designed “consumer-focused” HealthCare.gov website and the 24-hours-a-day consumer call center that HHS claims provide all the necessary tools to prepare Americans for open enrollment and ultimately sign up for private health insurance.

According to HHS, “The new tools will help Americans understand their choices and select the coverage that best suits their needs when open enrollment in the new Health Insurance Marketplace begins October 1.”

According to Centers for Medicare & Medicaid Services Administrator Marilyn Tavenner, “In October, HealthCare.gov will be the online destination for consumers to compare and enroll in affordable, qualified health plans.”

Between now and the start of open enrollment, HHS says the Marketplace call center will provide educational information and, beginning Oct. 1, 2013, will help consumers with application completion and plan choice.  In addition to English and Spanish, the call center provides assistance in more than 150 languages through an interpretation and translation service.  Customer service representatives are available for assistance via a toll-free number at 1-800-318-2596 and hearing impaired callers using TTY/TDD technology can dial 1-855-889-4325 for assistance.

While HHS says its tools and other preparations will get the Health Care Marketplaces and Americans ready for the conversion of the U.S. health care system slated to begin January 1, 2014, others are less confident.  For instance, GAO officials recently found that major work that federal and state officials  must complete to timely begin enrollment by October 1 remains unfinished, making it unclear if they will meet the impending October 1, 2013 enrollment kickoff deadline.  See GAO Report and  GAO Report such as::

  • 17 states committed to run their own exchanges have missed March 2013 deadlines on 44% of key activities;
  • Officials creating the small business exchanges still must review plans and train and certify the “navigators” that are supposed to help companies and individuals enroll in plans and complete other key arrangements;
  • A federal  the “data hub” designed to help individuals determine their eligibility and enroll in plans offered through the exchanges has only  undergone initial testing; and
  • The current planned process for coordination of data between employer and insurer plans and the health care exchanges to evaluate eligibility of the millions of Americans expected to apply for subsidies for enrolling in coverage through the exchange presently is for HHS to contact employers by telephone employers to ask if that employer asked that employee enrollee minimum essential coverage providing minimum essential value at an affordable cost that would disqualify the applicant for the subsidy.

Meanwhile, the GAO Reports also provide a glimpse at what the federal government has spent so far on preparing the federal exchanges and the data hub. They indicate that hat the Obama Administration had approximately $394 million on exchange efforts as of March 2013 including:

  • $84 million to CGI Federal, which is building the federal exchange computer infrastructure;
  • $55 million to Quality Software Services, which is building the data hub; and
  • $38 million to Booz Allen Hamilton to provide technical assistance for enrollment and eligibility.

Contractor Booz Allen Hamilton recently has drawn attention as the National Security Association contractor through which the notorious fugitive Edward Snowden allegedly accessed information he disclosed to the public about NSA surveillance of “big data” on Americans and others through the internet.

The GAO also estimated the Obama administration needs Congress to approve an extra $1.5 billion from the budget to provide the Administration with the additional $2 billion that the GAO projects the Administration will need over the next fiscal year to create and operate the federal exchanges.  Existing budget concerns make it unlikely that Congress will approve these extra funds.

 

For Help or More Information

If you need help with preparing these or other ACA compliance or with reviewing and updating, administering or defending your group health or other employee benefit, human resources, insurance, health care matters or related documents or practices, please contact the author of this update, Cynthia Marcotte Stamer.

A Fellow in the American College of Employee Benefit Council, immediate past Chair of the American Bar Association (ABA) RPTE Employee Benefits & Other Compensation Group and current Co-Chair of its Welfare Benefit Committee, Vice-Chair of the ABA TIPS Employee Benefits Committee, a council member of the ABA Joint Committee on Employee Benefits, and past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, Ms. Stamer is recognized, internationally, nationally and locally for her more than 25 years of work, advocacy, education and publications on cutting edge health and managed care, employee benefit, human resources and related workforce, insurance and financial services, and health care matters including extensive experience on HIPAA and other privacy and data security issues.

A board certified labor and employment attorney widely known for her extensive and creative knowledge and experienced with these and other employment, employee benefit and compensation matters, Ms. Stamer continuously advises and assists employers, employee benefit plans, their sponsoring employers, fiduciaries, insurers, administrators, service providers, insurers and others to monitor and respond to evolving legal and operational requirements and to design, administer, document and defend medical and other welfare benefit, qualified and non-qualified deferred compensation and retirement, severance and other employee benefit, compensation, and human resources, management and other programs and practices tailored to the client’s human resources, employee benefits or other management goals.  A primary drafter of the Bolivian Social Security pension privatization law, Ms. Stamer also works extensively with management, service provider and other clients to monitor legislative and regulatory developments and to deal with Congressional and state legislators, regulators, and enforcement officials about regulatory, investigatory or enforcement concerns.

Recognized in Who’s Who In American Professionals and both an American Bar Association (ABA) and a State Bar of Texas Fellow, Ms. Stamer serves on the Editorial Advisory Board of Employee Benefits News, the editor and publisher of Solutions Law Press HR & Benefits Update and other Solutions Law Press Publications, and active in a multitude of other employee benefits, human resources and other professional and civic organizations.   She also is a widely published author and highly regarded speaker on these matters. Her insights on these and other matters appear in the Bureau of National Affairs, Spencer Publications, the Wall Street Journal, the Dallas Business Journal, the Houston Business Journal, Modern and many other national and local publications.   You can learn more about Ms. Stamer and her experience, review some of her other training, speaking, publications and other resources, and register to receive future updates about developments on these and other concerns from Ms. Stamer here.

Other Resources

If you found this update of interest, you also may be interested in reviewing some of the other updates and publications authored by Ms. Stamer available including:

For important information about this communication click here. THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS.  ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.

©2013 Cynthia Marcotte Stamer, P.C.  Nonexclusive license to republish granted to Solutions Law Press, Inc.  All other rights reserved

Comments Off on HHS Touts Enrollment Tools, Says Exchange Enrollment Ready Despite GAO Concerns | ADA, Affordable Care Act, Claims Administration, Corporate Compliance, Data Security, Disability, EEOC, Employee Benefits, Employers, ERISA, Excise Tax, Fiduciary Responsibility, GINA, Health Care Reform, Health Plans, HIPAA, Human Resources, Insurance, MEWA, Patient Protection and Affordable Care Act, Reporting & Disclosure, Tax, Uncategorized, Wellness Programs | Tagged: , , , , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

HIPAA Sanctions Triggered From Covered Entity Statements To Media, Workforce

June 14, 2013

Health plans, health care providers, health care clearinghouses (covered entities) and their business associates should confirm their existing policies, practices and training for communicating with the media and others comply with the Privacy Rule requirements of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule in light of a Resolution Agreement with Shasta Regional Medical Center (SRMC) announced by the U.S. Department of Health and Human Services (HHS) Office of Civil Rights today (June 14, 2013).

Under the Resolution Agreement, SRMC agrees to pay $275,000 and implement a comprehensive corrective action plan (CAP) to settle an investigation that resulted when SRMC used and disclosed protected health information (PHI) of a patient to members of the media and its workforce while trying to do damage control against fraud or other allegations of misconduct involving individual patient information or circumstances.  The Resolution Agreement shows how efforts to respond to press or media reports, patient or other complaints, physician or employee disputes, high profile accidents, or other events that may involve communications not typically run by privacy officers can create big exposures.  While the Resolution Agreement targets a health care provider, the lessons are equally applicable to health plans and health care clearinghouses, who increasingly face their own pressure to communicate with the media and others about enforcement actions, workforce claims and other matters.

Talking Out Of Turn To Media & Others Violated HIPAA

OCR investigated SRMC after a January 4, 2012 Los Angeles Times article reported two SRMC senior leaders had met with media to discuss medical services provided to a patient.  OCR’s investigation indicated that SRMC failed to safeguard the patient’s protected health information (PHI) from impermissible disclosure by intentionally disclosing PHI to multiple media outlets on at least three separate occasions, without a valid written authorization. OCR’s review also revealed senior management at SRMC impermissibly shared details about the patient’s medical condition, diagnosis and treatment in an email to the entire workforce.  Further, SRMC failed to sanction its workforce members for impermissibly disclosing the patient’s records pursuant to its internal sanctions policy.

Among other things, the specific misconduct uncovered by HHS’s investigation indicated that from December 13 – 20, 2011, SRMC failed to safeguard the patient’s PHI from any impermissible intentional or unintentional disclosure on multiple occasions in connection with its response to media coverage arising from a Medicare fraud story including:

  • On December 13, 2011, for instance, OCR reports SRMC’s parent company sent a letter to California Watch, responding to a story about Medicare fraud. The letter described  the patient’s medical treatment and provided specifics about her lab results even though SRMC did not have a written authorization from  the patient to disclose this information to this news outlet.
  • On December 16, 2011, two of SRMC’s senior leaders also met with The Record Searchlight’s editor to discuss the patient’s medical record in detail even though SRMC did not have a written authorization from  the patient to disclose this information to this newspaper.
  • On December 20, 2011, SRMC sent a letter to The Los Angeles Times, which contained detailed information about the treatment  the patient received when, again, SRMC did not have a written authorization from  the patient to disclose this information to this newspaper.

In addition, OCR found SRMC impermissibly used the affected party’s PHI  when on December 20, 2011, SRMC sent an email to its entire workforce and medical staff, approximately 785-900 individuals, describing, in detail,  the patient’s medical condition, diagnosis and treatment. SRMC did not have a written authorization from  the patient to share this information with SRMC’s entire workforce and medical staff.

SRMC Must Correct & Pay $$275K Penalty

Under the Resolution Agreement, SRMC pays a $275,000 monetary settlement and agrees to comply with a CAP for the next year.

The CAP requires SRMC to update its policies and procedures on safeguarding PHI from impermissible uses and disclosures and to train its workforce members.  The CAP also requires fifteen other hospitals or medical centers under the same ownership or operational control as SRMC to attest to their understanding of permissible uses and disclosures of PHI, including disclosures to the media.

The Resolution Agreement specifically requires that Shasta Regional Medical Center, among other things:

  • To update policies to include specific policies about sharing PHI with the media, members of the workforce not involved in an individual patient’s care and others to comply with HIPAA;.
  • To provide updated policies to OCR for approval;
  • To provide training documented with certification of all workforce members before allowing them to get access to PHI;

SRMC is one of several Prime Healthcare Services facilities under common ownership and control.  The Resolution Agreement also requires corrective action at these commonly owned facilities including California-based Alvarado Hospital Medical Center in San Diego, Centinela Hospital Medical Center in Inglewood, Chino Valley Medical Center in Chino, Desert Valley Hospital in Victorville, Garden Grove Hospital Medical Center in Garden Grove,  La Palma Intercommunity Hospital in La Palma, Paradise Valley Hospital in National City, San Dimas Community Hospital in San Dimas, Shasta Regional Medical Center in Redding, and West Anaheim Medical Center in Anaheim; Saint Mary’s Regional Medical Center in Reno, Nevada; Pennsylvania based Lower Bucks Hospital in Bristol and Roxborough Memorial Hospital in Philadelphia;and Texas-based Dallas Medical Center in Dallas, Harlingen Medical Center in Harlingen, Pampa Regional Medical Center in Pampa.  Among other things, the Resolution Agreement requires that for each of these related facilities:

  • The CEO and Privacy Officer of each facility must give OCR a signed affidavit stating that they understand that the Privacy Rule protects an individual’s PHI is protected by Privacy Rule even if such information is already in the public domain or even though it has been disclosed by the individual; and that disclosures of PHI in response to media inquiries are only permissible pursuant to a signed HIPAA authorization; and
  • Ensure all members of their respective workforce are informed of this policy.

The Resolution Agreement highlights the difficulty that health care providers and other covered entities often face in properly recognizing and handling PHI in the case of fraud or other disputes.  While health care providers have an understandable wish to defend themselves in the media and elsewhere in response to charges of misconduct, today’s settlement shows that improperly sharing PHI of each patient in the process will make matters much worse. It’s important to keep in mind that just omitting to mention the name or other common identifying information may not overcome this concern because information about a patient can be considered individually identifiable and to enjoy protection under HIPAA where the facts and circumstances would allow another person to know or determine who the individual is, even if the specific name, address or more common identifying information is not shared.

Furthermore, the settlement also makes clear that merely because the patient or some other party has shared the same information with the media or others does not excuse the health care provider or other covered entity or business associate from the obligation to keep confidential the PHI unless it gets proper consent or otherwise can show that an exception to HIPAA applies.

Finally, the Resolution Agreement also makes clear that OCR expects covered entities to connect their HIPAA compliance with other policies and operations and will hold covered entities and associates accountable for properly integrating, training workforce and enforcing compliance with these policies.  While this  means that covered entities and business associates may find themselves in the uncomfortable situation of facing unsavory reports and rumors without the ability to respond, the significant civil and even criminal penalties that can arise from violation of HIPAA make it critical that covered entities exercise discipline in responding to avoid sharing PHI improperly.

The 2013 Regulations Overview

Adding a review and update of HIPAA and other policies for communicating with the media and internally on matters that may involve use or discussions of PHI in unusual contexts outside the purview of typically HIPAA policies is a good idea while health plans and other covered entities and business associates are updating their existing policies and practices for compliance with updated Omnibus HIPAA Rules (2013 Regulations) implementing HITECH Act amendments to the Privacy and Security Rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).  The Rulemaking announced January 17, 2013 may be viewed here.

Since 2003, HIPAA generally has required that health care providers, health plans, health care clearinghouses and their business associates (“Covered Entities”) restrict and safeguard individually identifiable  health care information (“PHI”) of individuals and afford other protections to individuals that are the subject of that information.  The 2013 Regulations published today complete the implementation of changes to HIPAA that Congress enacted when it passed the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009 as well as make other changes to the prior regulations that OCR found desirable based on its experience administering and enforcing the law over the past decade.

Since passage of the HITECH Act, OCR officials have warned Covered Entities to expect an omnibus restatement of its original regulations.  While OCR had issued certain regulations implementing some of the HITECH Act changes, it waited to publish certain regulations necessary to implement other HITECH Act changes until it could complete a more comprehensive restatement of its previously published HIPAA regulations to reflect both the HITECH Act amendments and other refinements to  its HIPAA Rules. The 2013 Regulations published today fulfill  that promise by restating OCR’s HIPAA Regulations to reflect the HITECH Act Amendments and other changes and clarifications to OCR’s interpretation and enforcement of HIPAA.

Among other things, the 2013 Regulations:

  • Revise OCR’s HIPAA regulations to reflect the HITECH Act’s amendment of HIPAA to add the contractors and subcontractors of health plans, health care providers and health care clearinghouses that qualify as business associates to the parties directly responsible for complying with and subject to HIPAA’s civil and criminal penalties for violating HIPAA’s Privacy, Security, and Breach Notification rules;
  • Update previous interim regulations implementing HITECH Act breach notification rules that require Covered Entities including business associates to give specific notifications to individuals whose PHI is breached, HHS and in some cases, the media when a breach of unsecured information happens;
  • Update interim enforcement guidance OCR previously published to implement increased penalties and other changes to HIPAA’s civil and criminal sanctions enacted by the HITECH Act;
  • Implement HITECH Act amendments to HIPAA that tighten the conditions under which Covered Entities are allowed to use or disclose PHI for marketing and fundraising purposes and prohibit Covered Entities from selling an individual’s health information without getting the individual’s authorization in the way required by the 2013 Regulations;
  • Update OCR’s rules about the rights that HIPAA requires that Covered Entities to afford to individuals who are the subject of PHI used or possessed by a Covered Entity to reflect tightened requirements enacted by the HITECH Act  that allow individuals to order their health care provider not to share information about their treatment with health plans when the individual pays cash for the care and to clarify that individuals can require Covered Entities to provide electronic PHI in electronic form;
  • Revise the regulations to reflect amendments to HIPAA made as part of the Genetic Information Nondiscrimination Act of 2008 (GINA) which added genetic information to the definition of PHI protected under the HIPAA Privacy Rule and prohibits health plans from using or disclosing genetic information for underwriting purposes; and
  • Clarifies and revises other provisions to reflect other interpretations and information guidance that OCR has issued since HIPAA was passed and to make certain other changes that OCR found appropriate based on its experience administering and enforcing the rules.

Liability & Enforcement Risks Heighten Need To Act To Review & Update Policies & Practices

The new Resolution Agreement and the growing list of others like it, as well as restated rules in the 2013 Regulations make it imperative that Covered Entities review the revised rules carefully and updated their policies, practices, business associate agreements, training and documentation to comply with the updated requirements and other enforcement and liability risks.  OCR even prior to the regulations has aggressively investigated and enforced the HIPAA requirements.

OCR increasingly is imposing  sanctions against a covered entity for data breaches to show the potential risks of HIPAA violations are significant and growing.  OCR Hits Alaska Medicaid For $1.7M+ For HIPAA Security Breach; OCR Audit Program Kickoff Further Heats HIPAA Privacy Risks$1.5 Million HIPAA Settlement Reached To Resolve 1st OCR Enforcement Action Prompted By HITECH Act Breach Report; HIPAA Heats Up: HITECH Act Changes Take Effect & OCR Begins Posting Names, Other Details Of Unsecured PHI Breach Reports On Website; Providence To Pay $100000 & Implement Other Safeguards.

In response to the 2013 Regulations and these expanding exposures, all Covered Entities should review critically and carefully the adequacy of their current HIPAA Privacy and Security compliance policies, monitoring, training, breach notification and other practices taking into consideration OCR’s investigation and enforcement actions, emerging litigation and other enforcement data; their own and reports of other security and privacy breaches and near misses; and other developments to decide if additional steps are necessary or advisable.   In response to these expanding exposures, all covered entities and their business associates should review critically and carefully the adequacy of their current HIPAA Privacy and Security compliance policies, monitoring, training, breach notification and other practices taking into consideration OCR’s investigation and enforcement actions, emerging litigation and other enforcement data; their own and reports of other security and privacy breaches and near misses, and other developments to decide if tightening their policies, practices, documentation or training is necessary or advisable.

Enforcement Actions Highlight Growing HIPAA Exposures For Covered Entities

The SRMC Resolution Agreement again shows the growing risk of enforcement that health care providers, health plans, health care clearinghouses and their business associates face as OCR continues its audits and enforcement, new Omnibus HIPAA Regulations implementing the HITECH Act amendments to HIPAA and state and federal liability grows..  See e.g., $1.5 Million HIPAA Settlement Reached To Resolve 1st OCR Enforcement Action Prompted By HITECH Act Breach Report; HIPAA Heats Up: HITECH Act Changes Take Effect & OCR Begins Posting Names, Other Details Of Unsecured PHI Breach Reports On Website

In response to these expanding exposures, all covered entities and their business associates should review critically and carefully the adequacy of their current HIPAA Privacy and Security compliance policies, monitoring, training, breach notification and other practices taking into consideration OCR’s investigation and enforcement actions, emerging litigation and other enforcement data; their own and reports of other security and privacy breaches and near misses, and other developments to determine if additional steps are necessary or advisable.

As part of this process, covered entities should ensure they look outside the four corners of their Privacy Policies to ensure that appropriate training and clarification is provided to address media, practice transition, workforce communication and other policies and practices that may be covered by pre-existing or other policies of other departments or operational elements not typically under the direct oversight and management of the Privacy Officer such as media relations.  Media relations, physician and patients affairs, outside legal counsel, media relations, marketing and other internal and external departments and consultants dealing with the media, the public or other inquiries or disputes should carefully include and coordinate with the privacy officer both to ensure appropriate policies and procedures are followed and proper documentation created and retained to show authorization, account, or meet other requirements.

For more information about HIPAA compliance and risk management tips, see here.

For Help With Compliance, Risk Management, Investigations, Policy Updates Or Other Needs

If you need help with HIPAA and other health and health plan related regulatory policy or enforcement developments, or to review or respond to these or other human resources, employee benefit, or other compliance, risk management, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer may be able to help.

Nationally recognized for her extensive work, publications and leadership on HIPAA and other privacy and data security concerns, Ms. Stamer has extensive experience representing, advising and assisting health care providers, health plans, their business associates and other health industry clients to establish and administer medical and other privacy and data security, employment, employee benefits, and to handle other compliance and risk management policies and practices; to investigate and respond to OCR and other enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. She regularly designs and presents HIPAA and other risk management, compliance and other training for health plans, employers, health care providers, professional associations and others.

A Fellow in the American College of Employee Benefit Counsel, State Bar of Texas and American Bar Association, Vice President of the North Texas Health Care Compliance Professionals Association, the Former Chair of the ABA RPTE Employee Benefit & Compensation Group and current Co-Chair of its Welfare Benefit Committee, Vice Chair of the ABA TIPS Employee Benefit Committee, an ABA Joint Committee on Employee Benefits Council Representative, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer serves as the scribe for the ABA Joint Committee on Employee Benefits agency meeting with OCR. Ms. Stamer also regularly works with OCR and other agencies, publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns.  Her publications and insights  on HIPAA and other data privacy and security concerns appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications.   For instance, Ms. Stamer for the third year will serve in 2013 as the appointed scribe for the ABA Joint Committee on Employee Benefits Agency meeting with OCR.  Her insights on HIPAA risk management and compliance often appear in medical privacy related publications of a broad range of health care, health plan and other industry publications Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, SHRM, HIMMS, the American Bar Association, the Health Care Compliance Association, a multitude of health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others.  You can get more information about her HIPAA and other experience here.

In addition to this extensive HIPAA specific experience, Ms. Stamer also is recognized for her experience and skill aiding clients with a diverse range of other employment, employee benefits, health and safety, public policy, and other compliance and risk management concerns.

Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization, a member of the Editorial Advisory Board and expert panels of HR.com, Employee Benefit News, InsuranceThoughtLeadership.com, and Solutions Law Press, Inc., management attorney and consultant Ms. Stamer has 25 years of experience helping employers; employee benefit plans and their sponsors, administrators, fiduciaries; employee leasing, recruiting, staffing and other professional employment organizations; and others design, administer and defend innovative workforce, compensation, employee benefit  and management policies and practices.   Ms. Stamer often has worked, extensively on these and other workforce and performance related matters.  In addition to her continuous day-to-day involvement helping businesses to manage employment and employee benefit plan concerns, she also has extensive public policy and regulatory experience with these and other matters domestically and internationally.  A former member of the Executive Committee of the Texas Association of Business and past Government Affairs Committee Legislative Chair for the Dallas Human Resources Management Association, Ms. Stamer served as a primary advisor to the Government of Bolivia on its pension privatization law, and has been intimately involved in federal, state, and international workforce, health care, pension and social security, tax, education, immigration, education and other legislative and regulatory reform in the US and abroad.  She also is recognized for her publications, industry leadership, workshops and presentations on these and other human resources concerns and regularly speaks and conducts training on these matters. Her insights on these and other matters appear in the Bureau of National Affairs, Spencer Publications, the Wall Street Journal, the Dallas Business Journal, the Houston Business Journal, and many other national and local publications. For more information about Ms. Stamer and her experience or to get access to other publications by Ms. Stamer see here or contact Ms. Stamer directly.

For help  with these or other compliance concerns, to ask about compliance audit or training, or for legal representation on these or other matters please contact Ms. Stamer at (469) 767-8872 or via e-mail here

About Solutions Law Press, Inc.

Solutions Law Press, Inc.™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also be interested in exploring other Solutions Law Press, Inc. ™ tools, products, training and other resources here and reading some of our other Solutions Law Press, Inc.™ human resources news here including the following:

©2013 Cynthia Marcotte Stamer, P.C.  Non-exclusive license to republish granted to Solutions Law Press, Inc.™  All other rights reserved.

Comments Off on HIPAA Sanctions Triggered From Covered Entity Statements To Media, Workforce | Corporate Compliance, Employers, GINA, Health Plans, HIPAA, Human Resources, Insurance, Internal Controls, Internal Investigations, Privacy, Risk Management, Whistleblower | Tagged: , , , , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

Final Regulations Update HIPAA Health Plan Wellness Program Rules

May 30, 2013

Register Now For 6/4 Solutions Law Press, Inc. Virtual Briefing

Employer, union and sponsors of employment-based group health plans that include health risk assessment (HRA) or other wellness plan features that reward participants for engaging in certain assessments or other activities designed to promote wellness or disease management, and fiduciaries insurers, and administrators  of these health plans should review and update their programs in light of final wellness program rules jointly published by the Department of Health and Human Services (HHS), Department of Labor Employee Benefit Security Administration (EBSA) and the Department of Treasury (collectively the “Agencies”) today (May 29, 2013) here (Wellness Regulations).

While these final Wellness Regulations implementation of changes to the “bona fide wellness program exception” to nondiscrimination rules contained in the Portability Rules of the Health Insurance Portability & Accountability Act (HIPAA) as amended by the Patient Protection and Affordable Care Act (ACA) allow group health plans to provide bigger rewards to members for cooperating in wellness activities required under a “bona wellness program” within the meaning of the Wellness Regulations, the Wellness Regulations and other federal rules still need care to design and administer these health plan features meet all applicable Wellness Regulations for qualification as a “bona fide wellness program while also safeguarding the use of “personal health information” and “genetic health information in accordance with the privacy rules of HIPAA as amended by the Genetic Information Nondiscrimination Act (GINA) managing potential employment disability discrimination exposures under the Equal Employment Opportunity Commission’s (EEOC’s) current interpretation of the employment discrimination rules of Americans With Disabilities Act (ADA) and GINA.

Wellness Rules Implement ACA Changes To HIPAA “Bona Fide Wellness Program Rules

The nondiscrimination prohibitions of the Health Insurance Portability & Accountability Act (HIPAA), as amended by the Genetic Information Nondiscrimination Act (GINA) and the Patient Protection and Affordable Care Act (ACA) generally prohibit health plans from discriminating against an individual based on eligibility or premium based on a health factor.  Wellness or disease management programs that vary premiums or contributions, cost-sharing or other benefit mechanisms, or provide other rewards or inducements can run afoul of this HIPAA nondiscrimination prohibition if not properly designed and administered to fall within the “bona fide wellness program” exception.

The Wellness Regulations as finalized continue to interpret HIPAA’s general prohibition against group health plan provisions that discriminate based on a health factor to prohibit group health plans to vary benefits (including cost-sharing mechanisms) or the premium or contribution for similarly situated individuals when wellness program that satisfies the requirements of the Wellness Regulations for a “bona fide wellness program

The Affordable Care Act generally increased the maximum permissible reward under a health-contingent wellness program from 20 percent to 30 percent of the cost of health coverage for qualifying bona fide wellness programs and to as much as 50 percent of the cost of health coverage for bona fide wellness programs designed to prevent or reduce tobacco use.  In keeping with these ACA amendments to HIPAA, the Wellness Regulations allow group health plans and insurers to offer these greater rewards as long as the wellness program otherwise meets the conditions that the Wellness Regulations set for qualification as a bona fide wellness program.

In order to offer these incentives, however, the Wellness Regulations make clear that group health plans, their insurers and fiduciaries still need to tread carefully to properly design and administer these arrangements to ensure that their wellness program meet the applicable conditions of the Wellness Regulations for qualification as a bona fide wellness program.

In keeping with the approach announced in proposed regulations the Agencies previously published here last Fall, the Wellness Regulations have different requirements for “participatory wellness programs” versus “health contingent wellness programs.”

  • “Participatory wellness programs” generally are programs that reward plan members for participating in wellness activities based on participation in specified activities without regard to an individual’s health status. These include programs that reimburse for the cost of membership in a fitness center; that provide a reward to employees for attending a monthly, no-cost health education seminar; or that reward employees who complete a health risk assessment, without requiring them to take further action
  • “Health-contingent wellness programs” generally are programs where individuals must meet a specific standard related to their health to qualify for the specified reward or avoid a specified penalty. Examples of health-contingent wellness programs include programs that provide a reward to those who do not use, or decrease their use of, tobacco, or programs that reward those who achieve a specified health-related goal, such as a specified cholesterol level, weight, or body mass index, as well as those who fail to meet such goals but take certain other healthy actions.

Group health plan sponsors, fiduciaries, insurers and administrators should use care to properly understand which type of program or programs their group health plans contain and ensure that their programs are properly designed and administered to meet these conditions.  While fulfillment of these requirements can allow the arrangement to avoid violation of HIPAA’s nondiscrimination rules, however, it is important also to ensure that other applicable federal requirements for the use of these arrangements also are fulfilled along with these HIPAA nondiscrimination requirements.

Meeting Other Federal Rules For Wellness Programs Also Important

In addition to fulfilling the Wellness Regulations, health plans, their sponsors, fiduciaries, insurers and administrators also need to ensure that any wellness program included in a group health plan also meets other federal rules about the protection of sensitive personal health information and genetic health information and do not violate the employment discrimination rules of the ADA and GINA

  • Update Privacy Compliance

.Since wellness programs generally inherently involve some collection, use, access or disclosure of “protected health information” within the meaning of the Privacy Rules of HIPAA, it is particularly important to review and tighten plan provisions and other documentation, processes, procedures, and training to reduce the risk of violating HIPAA. A review of the adequacy of these arrangements is made particularly important in light of recent changes to in the implementing regulations of these HIPAA Privacy Rules adopted earlier this year to implement changes enacted by the HITECH Act.  Among other things, these changes may require updates to the health plan’s definition of personal health care information to clarify that it includes family health information and other “genetic information” that wellness programs often collect. Other updates to plan provisions, privacy policies, vendor agreements or other practices also may be needed to comply with modifications to the HIPAA Privacy Rules on business associates, marketing, breach notification, training or other rules.

  • Manage Disability Discrimination Risks

In addition to ensuring compliance with current requirements about privacy, group health plans, their sponsors, fiduciaries, insurers and vendors also should take steps to minimize potential employment discrimination challenges under the ADA and GINA.

Despite ACA’ amendments to HIPAA’s bona fide wellness program rules and the 11th Circuit’s rejection of an EEOC challenge in Broward County v. Seff, EEOC officials continue to take the position that testing and inquiries about medical conditions made in connection with wellness programs presumptively violate the Americans With Disabilities Act physical testing and other disability discrimination rules as raising concerns about wellness and disease management programs..   See, e.g.EBSA Issues Guidance on Health Plan Wellness & Disease Management Programs Subject to HIPAA Nondiscrimination RulesADAAA Amendment Broader “Disability Definition Not Retroactive, Employer Action Needed To Manage Post 1/1/2009 RisksBusinesses Face Rising Disability Discrimination Enforcement Risks; EEOC Finalizes Updates To Disability Regulations In Response to ADA Amendments Act.

The ADA is not the only employment discrimination risk to manage, however.  In addition to the amendments to the group health plan nondiscrimination and Privacy Rules of HIPAA, GINA’s employment discrimination rules generally prohibit employment discrimination based on “genetic health information.” For instance, GINA’s genetic information nondiscrimination rules:

  • Prohibit employers and employment agencies from discriminating based on genetic information in hiring, termination or referral decisions or in other decisions regarding compensation, terms, conditions or privileges of employment;
  • Prohibit employers and employment agencies from limiting, segregating or classifying employees so as to deny employment opportunities to an employee based on genetic information;
  • Bar labor organizations from excluding, expelling or otherwise discriminating against individuals based on genetic information;
  • Prohibit employers, employment agencies and labor organizations from requesting, requiring or purchasing genetic information of an employee or an employee’s family member except as allowed by GINA to satisfy certification requirements of family and medical leave laws, to monitor the biological effects of toxic substances in the workplace or other conditions specifically allowed by GINA;
  • Prohibit employers, labor organizations and joint labor-management committees from discriminating in any decisions related to admission or employment in training or retraining programs, including apprenticeships based on genetic information;
  • Mandate that in the narrow situations where limited cases where genetic information is obtained by a covered entity, it maintain the information on separate forms in separate medical files, treat the information as a confidential medical record, and not disclosure the genetic information except in those situations specifically allowed by GINA;
  • Prohibit any person from retaliating against an individual for opposing an act or practice made unlawful by GINA; and

EEOC officials have stated publicly on certain occasions and reportedly have challenged health risk assessments or other wellness program features that request or collect family medical history or other genetic information as violating GINA’s employment discrimination rules.

Learn More At 6/4 Solutions Law Briefing

Solutions Law Press, Inc. invites employer and other employment-based group health plan sponsors, fiduciaries insurers, administrators, brokers, consultants and others to learn the key details of new Final Wellness Program regulations jointly published May 29, 2013 by the Departments of Health and Human Services, Labor and Treasury (collectively the “Agencies”) by participating in an informative and timely virtual briefing on “Making Wellness Programs Work Under New Final Tri-Agency Regulations” on June 4, 2013 beginning at Noon Central Time.  To register or for additional details, see here.

For Help or More Information

If you need help with preparing these or other ACA compliance or with reviewing and updating, administering or defending your group health or other employee benefit, human resources, insurance, health care matters or related documents or practices, please contact the author of this update, Cynthia Marcotte Stamer.

A Fellow in the American College of Employee Benefit Council, immediate past Chair of the American Bar Association (ABA) RPTE Employee Benefits & Other Compensation Group and current Co-Chair of its Welfare Benefit Committee, Vice-Chair of the ABA TIPS Employee Benefits Committee, a council member of the ABA Joint Committee on Employee Benefits, and past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, Ms. Stamer is recognized, internationally, nationally and locally for her more than 25 years of work, advocacy, education and publications on cutting edge health and managed care, employee benefit, human resources and related workforce, insurance and financial services, and health care matters including extensive experience on HIPAA and other privacy and data security issues.

A board certified labor and employment attorney widely known for her extensive and creative knowledge and experienced with these and other employment, employee benefit and compensation matters, Ms. Stamer continuously advises and assists employers, employee benefit plans, their sponsoring employers, fiduciaries, insurers, administrators, service providers, insurers and others to monitor and respond to evolving legal and operational requirements and to design, administer, document and defend medical and other welfare benefit, qualified and non-qualified deferred compensation and retirement, severance and other employee benefit, compensation, and human resources, management and other programs and practices tailored to the client’s human resources, employee benefits or other management goals.  A primary drafter of the Bolivian Social Security pension privatization law, Ms. Stamer also works extensively with management, service provider and other clients to monitor legislative and regulatory developments and to deal with Congressional and state legislators, regulators, and enforcement officials about regulatory, investigatory or enforcement concerns.

Recognized in Who’s Who In American Professionals and both an American Bar Association (ABA) and a State Bar of Texas Fellow, Ms. Stamer serves on the Editorial Advisory Board of Employee Benefits News, the editor and publisher of Solutions Law Press HR & Benefits Update and other Solutions Law Press Publications, and active in a multitude of other employee benefits, human resources and other professional and civic organizations.   She also is a widely published author and highly regarded speaker on these matters. Her insights on these and other matters appear in the Bureau of National Affairs, Spencer Publications, the Wall Street Journal, the Dallas Business Journal, the Houston Business Journal, Modern and many other national and local publications.   You can learn more about Ms. Stamer and her experience, review some of her other training, speaking, publications and other resources, and register to receive future updates about developments on these and other concerns from Ms. Stamer here.

Other Resources

If you found this update of interest, you also may be interested in reviewing some of the other updates and publications authored by Ms. Stamer available including:

For important information about this communication click here. THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS.  ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.

©2013 Cynthia Marcotte Stamer, P.C.  Nonexclusive license to republish granted to Solutions Law Press, Inc.  All other rights reserved

1 Comment | ADA, Affordable Care Act, Claims Administration, Corporate Compliance, Data Security, Disability, EEOC, Employee Benefits, Employers, ERISA, Excise Tax, Fiduciary Responsibility, GINA, Health Care Reform, Health Plans, HIPAA, Human Resources, Insurance, MEWA, Patient Protection and Affordable Care Act, Reporting & Disclosure, Tax, Uncategorized, Wellness Programs | Tagged: , , , , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

Register For 6/4 Virtual Briefing On DOL/IRS/HHS Final Group Health Plan Wellness Program Regulations

May 30, 2013

Solutions Law Press, Inc. Invites Employer & Other Group Health Plan Sponsors, Insurers, Administrators, Brokers, Advisors & Consultants to A Virtual Briefing On

Making Wellness Programs Work Under New Tri-Agency Final Wellness Regulations

Tuesday, June 4, 2013

1:00 P.M.-2:00 P.M. Eastern | 12:00 P.M.-1:00 P.M. Central | 11:00 A.M-12:00 P.M. Mountain | 10 A.M-11:00 A.M. Pacific

Register Now!

Solutions Law Press, Inc. invites employer and other employment-based group health plan sponsors, fiduciaries insurers, administrators, brokers, consultants and others to learn the key details of new Final Wellness Program regulations jointly published May 29, 2013 by the Departments of Health and Human Services, Labor and Treasury (collectively the “Agencies”) by participating in an informative and timely virtual briefing on “Making Wellness Programs Work Under New Final Tri-Agency Regulations” on June 4, 2013.

New final wellness program regulations jointly published May 29, 2013 by the Departments of Labor, Health & Human Services and Labor tell employers and insurers how to design health risk assessment and other wellness and disease management tools in their group health plans and policies to incentivize and reward employees and other plan members to better manage their health and help manage health plan costs without violating the HIPAA Portability Rules against group health plan discrimination in premiums or eligibility based on health status.

Participants in this briefing will learn key information about:

  • The final wellness program regulation’s requirements for designing HRA and other group health plan wellness and disease management programs that avoid violating HIPAA’s prohibition against discrimination based on health factors as “bona fide wellness programs;”
  • How group health plans can take advantage of the option allowed beginning in 2014 to offer greater incentives to plan members to participate in group health plan wellness programs by amendments made under the Patient Protection and Affordable Care Act;
  • How new Omnibus HIPAA Privacy Rules may require group health plans and insurers to update their marketing and other privacy policies, procedures, documentation, vendor agreements and other practices for collecting, using, disclosing and safeguarding “personal health information” and “genetic health information” when administering wellness programs and other group health plan provisions;
  • When the EEOC views wellness programs incentives as potentially violating the Americans With Disabilities Act discrimination exposures under the Equal Employment Opportunity Commission’s (EEOC’s) current interpretation of the employment discrimination rules of Americans With Disabilities Act (ADA) and GINA; and
  • Other tips for designing legally compliant, effective group health plan disease management and wellness programs.

Ms. Stamer also will take questions from virtual audience participants as time permits.

About The Speaker

A Fellow in the American College of Employee Benefits Counsel, recognized in International Who’s Who, and Board Certified in Labor & Employment Law, attorney and health benefit consultant Cynthia Marcotte Stamer has  25 years experience advising and representing private and public employers, employer and union plan sponsors, employee benefit plans, associations, their fiduciaries, administrators, and vendors, group health, Medicare and Medicaid Advantage, and other insurers, governmental leaders and others on health and other employee benefit. employment, insurance and related matters. A well-known and prolific author and popular speaker Board Certified in Labor & Employment Law, Ms. Stamer presently serves as Co-Chair of the ABA RPTE Section Welfare Plan Committee, Vice Chair of the ABA TIPS Employee Benefit Committee, an ABA Joint Committee on Employee Benefits Representative, an Editorial Advisory Board Member of the Institute of Human Resources (IHR/HR.com), Insurance Thought Leadership,com and Employee Benefit News, and various other publications.  With extensive domestic and international regulatory and public policy experience, Ms. Stamer also has worked extensively domestically and internationally on public policy and regulatory advocacy on health and other employee benefits, human resources, insurance, tax, compliance and other matters and representing clients in dealings with the US Congress, Departments of Labor, Treasury, Health & Human Services, as well as state legislatures, attorneys general, insurance and labor departments, and other agencies and regulators. A prolific author and popular speaker, Ms. Stamer regularly authors materials and conducts workshops and professional, management and other training and serves on the faculty and planning committees of a multitude of symposium and other educational programs.  See http://www.CynthiaStamer.com. for more details.

Registration

Registration Fee is $95.00 per person   Registration required for each virtual participant. Payment required via website registration in advance of the program..  Payment only accepted via website PayPal.  No checks or cash accepted.  Participation is limited and available on a first come, first serve basis.  Persons not registered at least 24 hours in advance not guaranteed to receive access information or materials prior to commencement of the briefing.

Equipment Requirements For Virtual Briefing Participation

This briefing will be conducted via WebEx over the internet.  Participants may have the opportunity to participate via telephone, provided that participants electing to participate may incur added charges for telephone connectivity.  Solutions Law Press, Inc. is not responsible for any power or system failures.  Solutions Law Press, Inc. also expects to offer the opportunity for individuals unable to participate in the live briefing to listen to a recording of the briefing beginning approximately one week after the program via the Internet by registering, paying the required registration fee and following listening instructions received in response to such registration.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides business and management information, tools and solutions, training and education, services and support to help organizations and their leaders promote effective management of legal and operational performance, regulatory compliance and risk management, data and information protection and risk management and other key management objectives.  Solutions Law Press, Inc.™ also conducts and assist businesses and associations to design, present and conduct customized programs and training targeted to their specific audiences and needs.  For additional information about upcoming programs, to inquire about becoming a presenting sponsor for an upcoming event, e-mail your request to info@Solutionslawpress.com   These programs, publications and other resources are provided only for general informational and educational purposes. Neither the distribution or presentation of these programs and materials to any party nor any statement or information provided in or in connection with this communication, the program or associated materials are intended to or shall be construed as establishing an attorney-client relationship,  to constitute legal advice or provide any assurance or expectation from Solutions Law Press, Inc., the presenter or any related parties. If you or someone else you know would like to receive future Alerts or other information about developments, publications or programs or other updates, send your request to info@solutionslawpress.com.  If you would prefer not to receive communications from Solutions Law Press, Inc. send an e-mail with “Solutions Law Press Unsubscribe” in the Subject to support@solutionslawyer.net.  CIRCULAR 230 NOTICE: The following disclaimer is included to comply with and in response to U.S. Treasury Department Circular 230 Regulations.  ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN. If you are an individual with a disability who requires accommodation to participate, please let us know at the time of your registration so that we may consider your request.   ©2013 Solutions Law Press, Inc.  All rights reserved.

Comments Off on Register For 6/4 Virtual Briefing On DOL/IRS/HHS Final Group Health Plan Wellness Program Regulations | ADA, Affordable Care Act, Claims Administration, Corporate Compliance, Disability, EEOC, EEOC, Employee Benefits, Employers, ERISA, Fiduciary Responsibility, GINA, Health Plans, HIPAA, Human Resources, MEWA, Tax, Wellness Programs | Tagged: , , , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

Beware: Not All Products Marketed As “Fixed Indemnity Coverage” Products Are HIPAA/ACA Exempt

May 26, 2013

Verify Character and Implications of Proposed Features and Products Alone & In Conjunction With Overall Benefit Design To Avoid Unexpected Exposures

As employer and other plan sponsors, insurers, and their service providers continue to struggle to understand and select the health plan options legally allowed when the next wave of the Patient Protection & Affordable Care Act (ACA) health care reforms take effect on January 1, 2014, recent guidance from the Departments of Health & Human Services, Internal Revenue Service and Department of Labor (Tri-Agencies) warn employers and others considering using “hospital indemnity,” “fixed indemnity insurance” or other arrangements characterized as qualifying as “exempted benefits” for purposes of ACA and the portability requirements of the Health Insurance Portability & Accountability Act of 1996 (HIPAA). See FAQS About Affordable Care Act Implementation XI (Q7) (hereafter “FAQ XI”).  

The group health mandates of the HIPAA portability rules and ACA generally apply to group health plans covering two or more individuals that does not otherwise qualify as an exempt plan under the applicable regulations. 

In FAQ XI, the Tri-Agencies report, “The Departments have noticed a significant increase in the number of health insurance policies labeled as fixed indemnity coverage.  Noting that “[v]arious situations have come to the attention of the Departments where a health insurance policy is advertised as fixed indemnity coverage” that do not “Meet the conditions for excepted benefits,” FAQ XI warns, “The Departments plan to work with the States to ensure that health insurance issuers comply with relevant requirements for different types of insurance policies and provide consumers the protections of the Affordable Care Act.

The warning of the overly aggressive characterization of certain arrangements as fixed indemnity coverage exempt from HIPAA and ACA mandates comes with acknowledgement that legitimate fixed indemnity coverage under a group health plan that actually meets the conditions outlined in 26 CFR 54.9831-1(c)(4), 29 CFR 732(c)(4), 45 CFR 146.145(c)(4) are exempt from the obligation to comply with the ACA and HIPAA portability mandates of title XXVI of the PHS Act, part 7 of ERISA and chapter 100 of the Code as excepted benefits under PHS Act section 2791(c)(3)(B), ERISA section 733(c)(4), and Code section 9832(c)(3)(B).

Under Treasury Regulation § 54.9831–1(c)(4), however, “coverage for only a specified disease or illness (for example, cancer-only policies) or hospital indemnity or other fixed indemnity insurance” only qualifies for exemption from ACA and the HIPAA Portability mandates if it meets each of following conditions:

  • To be hospital indemnity or other fixed indemnity insurance, the insurance must pay a fixed dollar amount per day (or per other period) of hospitalization or illness (for example, $100/day) regardless of the amount of expenses incurred
  • The benefits are provided under a separate policy, certificate, or contract of insurance;
  • There is no coordination between the provision of the benefits and an exclusion of benefits under any group health plan maintained by the same plan sponsor; and
  • The benefits are paid with respect to an event without regard to whether benefits are provided with respect to the event under any group health plan maintained by the same plan sponsor.

FAQ XI alerts insures, plan fiduciaries and plan sponsors that the Tri-Agencies are aware that certain insurers are marketing group insurance policies characterized as exempt “fixed indemnity insurance” which do not meet these requirements. 

The primary problem discussed by the regulators at this point appears to relate to the benefits offered under these arrangements. 

In FAQ XI , the Tri-Agencies state: “Various situations have come to the attention of the Departments where a health insurance policy is advertised as fixed indemnity coverage, but then covers doctors’ visits at $50 per visit, hospitalization at $100 per day, various surgical procedures at different dollar rates per procedure, and/or prescription drugs at $15 per prescription. In such circumstances, for doctors’ visits, surgery, and prescription drugs, payment is made not on a per-period basis, but instead is based on the type of procedure or item, such as the surgery or doctor visit actually performed or the prescribed drug, and the amount of payment varies widely based on the type of surgery or the cost of the drug. Because office visits and surgery are not paid based on “a fixed dollar amount per day (or per other period),” a policy such as this is not hospital indemnity or other fixed indemnity insurance, and is therefore not excepted benefits. When a policy pays on a per-service basis as opposed to on a per-period basis, it is in practice a form of health coverage instead of an income replacement policy. Accordingly, it does not meet the conditions for excepted benefits.”

These warning reaffirm guidance already contained  in Treasury Regulation § 54.9831–1(c)(4), which provides:  Example. (i) Facts. An employer sponsors a group health plan that provides coverage through an insurance policy. The policy provides benefits only for hospital stays at a fixed percentage of hospital expenses up to a maximum of $100 a day. (ii) Conclusion. In this Example, even though the benefits under the policy satisfy the conditions in paragraph (c)(4)(ii) of this section, because the policy pays a percentage of expenses incurred rather than a fixed dollar amount, the benefits under the policy are not excepted benefits under this paragraph (c)(4). This is the result even if, in practice, the policy pays the maximum of $100 for every day of hospitalization.”

As the Tri-Agencies have expressed awareness and concern that certain insurers may be advertising that certain health insurance policies qualify as exempted fixed indemnity coverage which offers benefits structured in a way that the Tri-Agencies do not view as fulfilling the requirements for exemption, insurers, health plan sponsors and fiduciaries, brokers and others considering or using insurance policies or health plan designs that rely upon assumptions that an arrangement is exempt from HIPAA and ACA as “fixed indemnity coverage” or other wise exempt from these rules are urged to seek assistance of qualified legal counsel experienced with characterization and use of these arrangements in connection with health plan designs to verify the accuracy of the arrangements characterization and implications when used in connection with the intended plan design.

Mistaken characterization of plans as exempt which are not create significant potential exposures for plan sponsors and fiduciaries, as well as the insurers, broker and consultants that recommend or participate in their delivery.  For instance, an incorrect assumption that an arrangement qualifies as an exempted fixed indemnity product creates a significant likelihood that the employer of other plan and its sponsors and fiduciaries could incur liability under the Employee Retirement Income Security Act  (ERISA), the Internal Revenue Code and/or the Public Health Services Act for failing to comply with mandates assumed inapplicable based on faulty assumptions.  Meanwhile insurers, brokers and other regulated in the insurance industry also could face exposures not only for potential compliance deficiency but also for misrepresentation of the nature and character of the products or other business practices regulated by applicable state insurance regulators.  Accountants and others subject to professional ethics requirements imposed under the Code such as Circular 230 also could incur exposure under those rules as many of these rules involve the provision of tax advice potentially subject to these requirements. 

Because the character of these and other arrangements often depends not only on the label applied, but also on both the structure of the product and the manner in which it is used, deployed and administered in conjunction with other elements of the health and cafeteria plans offered by an employer, this analysis should include both a detailed review of the particular product itself and a holistic analysis of the manner in which it will be used on the overall health and other benefit design contemplated.  Therefore,

When reviewing these and other proposed “solutions,” health plan sponsors and fiduciaries, insurers, administrators, brokers and others should ensure that arrangements and their proposed products in form and in structure in fact meet all requirements for characterization and use in the way proposed and that the users fully understand all compliance and liability obligations resulting from the proposed arrangements both in its free-standing form, and as implemented along with other health benefits, cafeteria plan, and other related arrangements.

For Help or More Information

If you need help with preparing these or other ACA compliance or with reviewing and updating, administering or defending your group health or other employee benefit, human resources, insurance, health care matters or related documents or practices, please contact the author of this update, Cynthia Marcotte Stamer.

A Fellow in the American College of Employee Benefit Council, immediate past Chair of the American Bar Association (ABA) RPTE Employee Benefits & Other Compensation Group and current Co-Chair of its Welfare Benefit Committee, Vice-Chair of the ABA TIPS Employee Benefits Committee, a council member of the ABA Joint Committee on Employee Benefits, and past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, Ms. Stamer is recognized, internationally, nationally and locally for her more than 25 years of work, advocacy, education and publications on cutting edge health and managed care, employee benefit, human resources and related workforce, insurance and financial services, and health care matters including extensive experience on HIPAA and other privacy and data security issues.

A board certified labor and employment attorney widely known for her extensive and creative knowledge and experienced with these and other employment, employee benefit and compensation matters, Ms. Stamer continuously advises and assists employers, employee benefit plans, their sponsoring employers, fiduciaries, insurers, administrators, service providers, insurers and others to monitor and respond to evolving legal and operational requirements and to design, administer, document and defend medical and other welfare benefit, qualified and non-qualified deferred compensation and retirement, severance and other employee benefit, compensation, and human resources, management and other programs and practices tailored to the client’s human resources, employee benefits or other management goals.  A primary drafter of the Bolivian Social Security pension privatization law, Ms. Stamer also works extensively with management, service provider and other clients to monitor legislative and regulatory developments and to deal with Congressional and state legislators, regulators, and enforcement officials about regulatory, investigatory or enforcement concerns.

Extensively published and a popular speaker on health and other employee benefit and insurance matters, Ms. Stamer works extensively with \health plans, employers, insurance and financial services, health care, technology and other clients on ACA and other health benefit, insurance, employee benefit and workforce matters. 

Recognized in Who’s Who In American Professionals and both an American Bar Association (ABA) and a State Bar of Texas Fellow, Ms. Stamer serves on the Editorial Advisory Board of Employee Benefits News, the editor and publisher of Solutions Law Press HR & Benefits Update and other Solutions Law Press Publications, and active in a multitude of other employee benefits, human resources and other professional and civic organizations.   She also is a widely published author and highly regarded speaker on these matters. Her insights on these and other matters appear in the Bureau of National Affairs, Spencer Publications, the Wall Street Journal, the Dallas Business Journal, the Houston Business Journal, Modern and many other national and local publications.   You can learn more about Ms. Stamer and her experience, review some of her other training, speaking, publications and other resources, and register to receive future updates about developments on these and other concerns from Ms. Stamer here.

Other Resources

If you found this update of interest, you also may be interested in reviewing some of the other updates and publications authored by Ms. Stamer available including:

For important information about this communication click here. THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS.  ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.

©2013 Cynthia Marcotte Stamer, P.C.  Nonexclusive license to republish granted to Solutions Law Press, Inc.  All other rights reserved

Comments Off on Beware: Not All Products Marketed As “Fixed Indemnity Coverage” Products Are HIPAA/ACA Exempt | 105(h), Consumer Protection, Employee Benefits, Employers, ERISA, Excise Tax, Health Plans, Human Resources, Insurance, Reporting & Disclosure, Tax, Uncategorized | Tagged: , , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

Group Health Plans &No-Fault & Worker’s Comp Ruled Primary Plans When Coordinating With Medicare Advantage Plans

May 9, 2013

Group health plans and liability, no-fault and worker’s compensation insurers should confirm they are properly coordinating benefits with Medicare Advantage organizations (MAOs) to avoid a private cause of action for double damages to recover amounts under the Medicare Secondary Payer Act (MSP Act) in light of the U.S. Supreme Court’s denial of certiorari on an appeal of the Third Circuit’s decision in In Re Avandia Marketing Sales Practices GlaxoSmithKline LLC v. Human Medical Plans, Inc.  (Glaxo).  The Supreme Court’s decision denying certiorari reported here lets stand a Third Circuit decision that the private right of action provision in the MSP Act, set forth at 42 U.S.C. 1395y(b)(3), gives Humana a private cause of action as a primary plan against GSK to recover the double damage award.

MSP Act Secondary Payor Rules Require Proper Coordination

The MSP Act contains specific rules about when and how group health plans, automobile and liability insurance, no fault insurance policies and amounts recovered from tort actions are coordinated with benefits under the Medicare Statute.  The MSP Act’s Secondary Payor Rules require group health plans, automobile and liability insurance and  no fault insurance policies to treat their coverage as  the “primary plan” for purposes of coordinating their coverage with the benefits provided under the Medicare Statute under certain conditionsbenefits face double damage for improperly coordinating their benefits and coverage with those provided under the Medicare Statute.  The MSP Act generally dictates the conditions under which these coverages are primary to benefits provided under the Medicare Statute and obligates primary plans and individuals receiving judgment or settlements that include payment for medical expenses for which benefits were received under the Medicare Statute to repay Medicare. Violation of these rules exposes the applicable plan to double damages and other costs of recovery.

Glaxo On MA Plan MSP Act Rights

In Glaxo, the Third Circuit ruled that MAOs can sue primary plans under the MSP Act for double damages when a primary plan fails to appropriately reimburse the MAO as a secondary payor.

In Glaxo, Humana Medical Plan Inc. and Humana Insurance Company (collectively, Humana) sued GlaxoSmithKline LLC and GlaxoSmithKline PLC (collectively, GSK) for reimbursement of expenses Humana incurred from injuries its MA members sustained from use of GSK’s type 2 diabetes drug, Avandia. GSK has paid more than $460 million to Avandia patients settle patient claims that Avandia patients sustained heart attacks, strokes or other injuries from taking the drug.  In the settlement, GSK reserved monies to reimburse the Medicare Trust Fund for payments it made to cover the costs of treatment for the Medicare fee-for-service (FFS) enrollees’ Avandia-related injuries but did not set aside funds for reimbursement to MAOs. Humana sued GSK for reimbursement, claiming that GSK has a primary plan obligation under the MSP Act to reimburse Humana as a secondary payor.

The Supreme Court’s decision not to review the appeal from this Third Circuit decision means that in the Third Circuit (and perhaps other jurisdictions), MAOs can pursue an action for double damages under the Medicare Secondary Payor Act against a group health plan, no-fault carrier or worker’s compensation insurer that fails to fulfill its obligation as a primary plan to reimburse Medicare conditional payments paid by the MAO.

The Third Circuit’s decision in Glaxo is distinguishable from the Ninth Circuit’s position on a similar issue in Parra v. PacifiCare of Arizona, Inc.   (PacifiCare), where the 9th Circuit ruled PacifiCare did not have a private right of action under the MA statute or under 42 U.S.C. 1395y(b)(3)(A) against the surviving family members for amounts recovered in a wrongful death action since that provision of the MSP Act only applies in cases where a primary plan fails to reimburse an insurer as a secondary payor.

Proper identification and payment of claims and settlements in coordination with MAOs and their Plans is important because improper coordination may expose a group health plan or other primary payer to double damage liability, attorneys fees’ and other costs.

In light of Glaxo, group health plans and their administrators, and group health insurers, worker’s compensation insurers, and liability insurers should ask if asking Medicare beneficiares if they are or have been enrolled in a MA plan when paying or processing claims and if so, act proactively to ensure that payments under their programs are properly processed and paid to take into account responsibilities under the Medicare Secondary Payer rules.  Determination and handling these types of payments and settlements likely will require special handling because the Medicare Secondary Payer system currently doesn’t distinguish MA Plans as primary plans.  Accordingly, group health plans and the fiduciaries and administrators involved in their administration will want to take proper steps to identify claims that may involve individuals covered by MA Plans in a manner that allows the group health plan to track and distinguish the coverage provided by the MA Plan from other insurance coverage as needed to comply with the MSP Act.

For Help or More Information

If you need help with the MSP Act or with reviewing and updating, administering or defending your group health or other employee benefit, human resources, insurance, health care matters or related documents or practices, please contact the author of this update, Cynthia Marcotte Stamer.

A Fellow in the American College of Employee Benefit Council, immediate past Chair of the American Bar Association (ABA) RPTE Employee Benefits & Other Compensation Group and current Co-Chair of its Welfare Benefit Committee, Vice-Chair of the ABA TIPS Employee Benefits Committee, a council member of the ABA Joint Committee on Employee Benefits, and past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, Ms. Stamer is recognized, internationally, nationally and locally for her more than 25 years of work, advocacy, education and publications on cutting edge health and managed care, employee benefit, human resources and related workforce, insurance and financial services, and health care matters including extensive experience on HIPAA and other privacy and data security issues. 

A board certified labor and employment attorney widely known for her extensive and creative knowledge and experienced with these and other employment, employee benefit and compensation matters, Ms. Stamer continuously advises and assists employers, employee benefit plans, their sponsoring employers, fiduciaries, insurers, administrators, service providers, insurers and others to monitor and respond to evolving legal and operational requirements and to design, administer, document and defend medical and other welfare benefit, qualified and non-qualified deferred compensation and retirement, severance and other employee benefit, compensation, and human resources, management and other programs and practices tailored to the client’s human resources, employee benefits or other management goals.  A primary drafter of the Bolivian Social Security pension privatization law, Ms. Stamer also works extensively with management, service provider and other clients to monitor legislative and regulatory developments and to deal with Congressional and state legislators, regulators, and enforcement officials concerning regulatory, investigatory or enforcement concerns. 

Extensively published and a popular speaker on HIPAA and other data security matters, Ms. Stamer works extensively with health care providers, health plans, employers, insurance and financial services, technology and other clients on privacy, data seurity and other privacy and cybercrime concerns.  She also serves as the Scribe for the ABA JCEB Agency Techical Sessions Meetings with the Office of Civil Rights which occur each May in Washington, D.C.

Recognized in Who’s Who In American Professionals and both an American Bar Association (ABA) and a State Bar of Texas Fellow, Ms. Stamer serves on the Editorial Advisory Board of Employee Benefits News, the editor and publisher of Solutions Law Press HR & Benefits Update and other Solutions Law Press Publications, and active in a multitude of other employee benefits, human resources and other professional and civic organizations.   She also is a widely published author and highly regarded speaker on these matters. Her insights on these and other matters appear in the Bureau of National Affairs, Spencer Publications, the Wall Street Journal, the Dallas Business Journal, the Houston Business Journal, Modern and many other national and local publications.   You can learn more about Ms. Stamer and her experience, review some of her other training, speaking, publications and other resources, and register to receive future updates about developments on these and other concerns from Ms. Stamer here.

Other Resources

If you found this update of interest, you also may be interested in reviewing some of the other updates and publications authored by Ms. Stamer available including:

For important information about this communication click here. THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS.  ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.

©2013 Cynthia Marcotte Stamer, P.C.  Nonexclusive license to republish granted to Solutions Law Press, Inc.  All other rights reserved

Comments Off on Group Health Plans &No-Fault & Worker’s Comp Ruled Primary Plans When Coordinating With Medicare Advantage Plans | Employee Benefits, Employers, ERISA, Excise Tax, Health Plans, Human Resources, Insurance, Tax, Uncategorized | Tagged: , , , , , , , , , , , , , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

Former White House Cybersecurity Coordinator Schmidt, Stamer & Others Share Key HIPAA & Other Privacy & Data Security Insights 5/21 In LA

May 3, 2013

Former White House Cybersecurity Coordinator Howard Schmidt and Solutions Law Press, Inc. editor attorney Cynthia Marcotte Stamer are two of an impressive lineup of leaders scheduled to share key HIPAA & other privacy and data security compliance and risk management strategies at the Healthcare HITECH Privacy and Security Summit at the Fifth Annual Information Security Summit on May 21 in Los Angeles.

The Healthcare HITECH Privacy and Security Summit will bring together leaders in Privacy and Security within government and private industry for a day of collaboration, networking and presentations by leading Privacy and Security professionals sharing who HIPAA covered entities and business associates need to know to  comply with new HITECH rules and  OCR investigations.

Solutions Law Press, Inc. editor attorney Cynthia Marcotte Stamer will help lay the foundation for the workshop by briefing participants on changes made to HIPAA rules by the new Omnibus HIPAA Rulemaking changes that the Office of Civil Rights (OCR) plans to start enforcing in September, 2013.

With  the rapidly approaching and privacy and data breach penalties and enforcement rising, health care providers, health plans, health care clearinghouses and their business associates must get moving to update business associate contracts, policies and notices and processes to meet changing HIPAA rules while managing ongoing compliance and risks. 

Stamer Speaks On Latest HIPAA Privacy, Security, Breach Notification & Enforcement Rules & Developments

Armed with the latest insights from serving as the scribe for the ABA JCEB annual agency meeting with the Office of Civil Rights (OCR), Ms. Stamer, a practicing attorney and widely published author and speaker, will discuss required changes and other recommended steps and strategies that covered entities and their business associates should take to maintain HIPAA compliance and manage HIPAA and other related risks  in light of the Omnibus HIPAA Rulemaking changes, new OCR guidance for health care providers about disclosures to avert threats to health or safety, recent audit and enforcement activities and other changing risks and responsibilities including:

  • The latest on OCR’s regulatory guidance, audit and investigation and enforcement rules, actions and strategies and their implications on covered entities and business associates;
  • Changes to breach notification rules and their implications on covered entities and their business associates;
  • Practical implications of new rules on who is covered and their responsibilities;
  • Required and recommended updates to policies, business associate and other agreements, privacy notices and other HIPAA compliance arrangements;
  • Effective training and other risk management strategies;
  • Planning for, investigating and mitigating PHI privacy breaches and other compliance concerns under new rules other selected events; and
  • Other selected strategies for coordinating HIPAA and other privacy and data breach responsibilities and risk management; and
  • Participant questions.

For a complete agenda, to register, to get details on sponsorship or for other information, see here.

For Help or More Information

If you need help with the HIPAA, Affordable Care Act or other 2014 health plan compliance, risk management or defense, or with reviewing and updating, administering or defending your group health or other employee benefit, human resources, insurance, health care matters or related documents or practices, please contact the author of this update, Cynthia Marcotte Stamer.

A Fellow in the American College of Employee Benefit Council, immediate past Chair of the American Bar Association (ABA) RPTE Employee Benefits & Other Compensation Group and current Co-Chair of its Welfare Benefit Committee, Vice-Chair of the ABA TIPS Employee Benefits Committee, a council member of the ABA Joint Committee on Employee Benefits, and past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, Ms. Stamer is recognized, internationally, nationally and locally for her more than 25 years of work, advocacy, education and publications on cutting edge health and managed care, employee benefit, human resources and related workforce, insurance and financial services, and health care matters including extensive experience on HIPAA and other privacy and data security issues. 

A board certified labor and employment attorney widely known for her extensive and creative knowledge and experienced with these and other employment, employee benefit and compensation matters, Ms. Stamer continuously advises and assists employers, employee benefit plans, their sponsoring employers, fiduciaries, insurers, administrators, service providers, insurers and others to monitor and respond to evolving legal and operational requirements and to design, administer, document and defend medical and other welfare benefit, qualified and non-qualified deferred compensation and retirement, severance and other employee benefit, compensation, and human resources, management and other programs and practices tailored to the client’s human resources, employee benefits or other management goals.  A primary drafter of the Bolivian Social Security pension privatization law, Ms. Stamer also works extensively with management, service provider and other clients to monitor legislative and regulatory developments and to deal with Congressional and state legislators, regulators, and enforcement officials concerning regulatory, investigatory or enforcement concerns. 

Extensively published and a popular speaker on HIPAA and other data security matters, Ms. Stamer works extensively with health care providers, health plans, employers, insurance and financial services, technology and other clients on privacy, data seurity and other privacy and cybercrime concerns.  She also serves as the Scribe for the ABA JCEB Agency Techical Sessions Meetings with the Office of Civil Rights which occur each May in Washington, D.C.

Recognized in Who’s Who In American Professionals and both an American Bar Association (ABA) and a State Bar of Texas Fellow, Ms. Stamer serves on the Editorial Advisory Board of Employee Benefits News, the editor and publisher of Solutions Law Press HR & Benefits Update and other Solutions Law Press Publications, and active in a multitude of other employee benefits, human resources and other professional and civic organizations.   She also is a widely published author and highly regarded speaker on these matters. Her insights on these and other matters appear in the Bureau of National Affairs, Spencer Publications, the Wall Street Journal, the Dallas Business Journal, the Houston Business Journal, Modern and many other national and local publications.   You can learn more about Ms. Stamer and her experience, review some of her other training, speaking, publications and other resources, and register to receive future updates about developments on these and other concerns from Ms. Stamer here.

Other Resources

If you found this update of interest, you also may be interested in reviewing some of the other updates and publications authored by Ms. Stamer available including:

For important information about this communication click here. THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS.  ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.

©2013 Cynthia Marcotte Stamer, P.C.  Nonexclusive license to republish granted to Solutions Law Press, Inc.  All other rights reserved

Comments Off on Former White House Cybersecurity Coordinator Schmidt, Stamer & Others Share Key HIPAA & Other Privacy & Data Security Insights 5/21 In LA | Employee Benefits, Employers, ERISA, Excise Tax, Health Plans, Human Resources, Insurance, Tax, Uncategorized | Tagged: , , , , , , , , , , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

Strengthen Health Plan Privacy Compliance & Risk Management Using Lessons From New OCR Provider & Consumer Tools

April 30, 2013

Get More Key Information By Participating in 5/21 Workshop In LA

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has developed an array of new tools to educate consumers and health care providers about the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.  

Many consumers are unfamiliar with their rights under the HIPAA Privacy Rule.  With that in mind, OCR has posted a series of factsheets, also available in eight languages, to inform consumers about their rights under the HIPAA Privacy Rule. These materials are available on OCR’s website here

The fact sheets compliment a set of seven consumer-facing videos released earlier this year on OCR’s YouTube channel.  An additional video, The HIPAA Security Rule, has been designed for providers in small practices and offers an overview of how to establish basic safeguards to protect patient information and comply with the Security Rule’s requirements. The videos are available on the HHS OCR YouTube Channel at here.

OCR has also launched three modules for health care providers on compliance with various aspects of the HIPAA Privacy and Security Rules, available at Medscape.org:

  • Patient Privacy: A Guide for Providers at here;
  • HIPAA and You: Building a Culture of Compliance here; and
  • Examining Compliance with the HIPAA Privacy Rule here.

The Medscape modules offer free Continuing Medical Education (CME) credits for physicians and Continuing Education (CE) credits for health care professionals. 

Although the materials are primarily consumer and provider focused, health plans and their sponsors, fiduciaries, administrators, business associates and others in the health plan workforce should review and incorporate the materials and principles contained in these materials as part of their own HIPAA compliance efforts.  With the deadline to comply with recent amendments to the HIPAA rules in September, 2013 and enforcement and penalties rising,  the insights and resources provided these rules can help strengthen compliance efforts.

Participate In 5/21 Workshop In LA To Get Other Key Information Needed To Update Compliance & Risk Management

With the September 23, 2013 enforcement date of the new Omnibus HIPAA Rulemaking changes rapidly approaching and privacy and data breach penalties and enforcement rising, health care providers, health plans, health care clearinghouses and their business associates must get moving to update business associate contracts, policies and notices and processes to meet changing HIPAA rules while managing ongoing compliance and risks. 

Armed with the latest insights from serving as the scribe for the ABA JCEB annual agency meeting with the Office of Civil Rights (OCR), attorney and author Cynthia Marcotte Stamer will discuss required changes and other recommended steps and strategies that covered entities and their business associates should take to maintain HIPAA compliance and manage HIPAA and other related risks  in light of the Omnibus HIPAA Rulemaking changes, new OCR guidance for health care providers about disclosures to avert threats to health or safety, recent audit and enforcement activities and other changing risks and responsibilities including:

  • The latest on OCR’s regulatory guidance, audit and investigation and enforcement rules, actions and strategies and their implications on covered entities and business associates;
  • Changes to breach notification rules and their implications on covered entities and their business associates;
  • Practical implications of new rules on who is covered and their responsibilities;
  • Required and recommended updates to policies, business associate and other agreements, privacy notices and other HIPAA compliance arrangements;
  • Effective training and other risk management strategies;
  • Planning for, investigating and mitigating PHI privacy breaches and other compliance concerns under new rules other selected events; and
  • Other selected strategies for coordinating HIPAA and other privacy and data breach responsibilities and risk management; and
  • Participant questions.         

To register, review the agenda, get details on sponsorship or for other information, see here.

For Help or More Information

If you need help with the SBC or other 2014 health plan decision-making or preparation, or with reviewing and updating, administering or defending your group health or other employee benefit, human resources, insurance, health care matters or related documents or practices, please contact the author of this update, Cynthia Marcotte Stamer.

A Fellow in the American College of Employee Benefit Council, immediate past Chair of the American Bar Association (ABA) RPTE Employee Benefits & Other Compensation Group and current Co-Chair of its Welfare Benefit Committee, Vice-Chair of the ABA TIPS Employee Benefits Committee, a council member of the ABA Joint Committee on Employee Benefits, and past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, Ms. Stamer is recognized, internationally, nationally and locally for her more than 25 years of work, advocacy, education and publications on cutting edge health and managed care, employee benefit, human resources and related workforce, insurance and financial services, and health care matters including extensive experience on HIPAA and other privacy and data security issues. 

A board certified labor and employment attorney widely known for her extensive and creative knowledge and experienced with these and other employment, employee benefit and compensation matters, Ms. Stamer continuously advises and assists employers, employee benefit plans, their sponsoring employers, fiduciaries, insurers, administrators, service providers, insurers and others to monitor and respond to evolving legal and operational requirements and to design, administer, document and defend medical and other welfare benefit, qualified and non-qualified deferred compensation and retirement, severance and other employee benefit, compensation, and human resources, management and other programs and practices tailored to the client’s human resources, employee benefits or other management goals.  A primary drafter of the Bolivian Social Security pension privatization law, Ms. Stamer also works extensively with management, service provider and other clients to monitor legislative and regulatory developments and to deal with Congressional and state legislators, regulators, and enforcement officials concerning regulatory, investigatory or enforcement concerns. 

Extensively published and a popular speaker on HIPAA and other data security matters, Ms. Stamer works extensively with health care providers, health plans, employers, insurance and financial services, technology and other clients on privacy, data seurity and other privacy and cybercrime concerns.  She also serves as the Scribe for the ABA JCEB Agency Techical Sessions Meetings with the Office of Civil Rights which occur each May in Washington, D.C.

Recognized in Who’s Who In American Professionals and both an American Bar Association (ABA) and a State Bar of Texas Fellow, Ms. Stamer serves on the Editorial Advisory Board of Employee Benefits News, the editor and publisher of Solutions Law Press HR & Benefits Update and other Solutions Law Press Publications, and active in a multitude of other employee benefits, human resources and other professional and civic organizations.   She also is a widely published author and highly regarded speaker on these matters. Her insights on these and other matters appear in the Bureau of National Affairs, Spencer Publications, the Wall Street Journal, the Dallas Business Journal, the Houston Business Journal, Modern and many other national and local publications.   You can learn more about Ms. Stamer and her experience, review some of her other training, speaking, publications and other resources, and register to receive future updates about developments on these and other concerns from Ms. Stamer here.

Other Resources

If you found this update of interest, you also may be interested in reviewing some of the other updates and publications authored by Ms. Stamer available including:

 

For important information about this communication click here. THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS.  ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.

©2013 Cynthia Marcotte Stamer, P.C.  Nonexclusive license to republish granted to Solutions Law Press, Inc.  All other rights reserved

Comments Off on Strengthen Health Plan Privacy Compliance & Risk Management Using Lessons From New OCR Provider & Consumer Tools | Employee Benefits, Employers, ERISA, Excise Tax, Health Plans, Human Resources, Insurance, Tax, Uncategorized | Tagged: , , , , , , , , , , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

OCR Gives HIPAA Guidance On Safety Disclosures

January 17, 2013

Tbe Office of Civil Rights (OCR) has issued a letter to health care providers to ensure that they are aware of their ability under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule to take action, consistent with their ethical standards or other legal obligations, to disclose necessary information about a patient to law enforcement, family members of the patient, or other persons, when they believe the patient presents a serious danger to himself or other people.  For more information, see: http://www.hhs.gov/ocr/office/lettertonationhcp.pdf.  The Guidance is released on the same day that OCR released its long-awaited omnibus restatement of its HIPAA regulations.

HIPAAFor Help With Compliance, Risk Management, Investigations, Policy Updates Or Other Needs

If you need help with HIPAA and other health and health plan related regulatory policy or enforcement developments, or to review or respond to these or other human resources, employee benefit, or other compliance, risk management, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer may be able to help.

Nationally recognized for her extensive work, publications and leadership on HIPAA and other privacy and data security concerns, Ms. Stamer has extensive experience representing, advising and assisting health care providers, health plans, their business associates and other health industry clients to establish and administer medical and other privacy and data security, employment, employee benefits, and to handle other compliance and risk management policies and practices; to investigate and respond to OCR and other enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. She regularly designs and presents HIPAA and other risk management, compliance and other training for health plans, employers, health care providers, professional associations and others.

A Fellow in the American College of Employee Benefit Counsel, State Bar of Texas and American Bar Association, Vice President of the North Texas Health Care Compliance Professionals Association, the Former Chair of the ABA RPTE Employee Benefit & Compensation Group and current Co-Chair of its Welfare Benefit Committee, Vice Chair of the ABA TIPS Employee Benefit Committee, an ABA Joint Committee on Employee Benefits Council Representative, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer serves as the scribe for the ABA Joint Committee on Employee Benefits agency meeting with OCR. Ms. Stamer also regularly works with OCR and other agencies, publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns.  Her publications and insights  on HIPAA and other data privacy and security concerns appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications.   For instance, Ms. Stamer for the third year will serve in 2013 as the appointed scribe for the ABA Joint Committee on Employee Benefits Agency meeting with OCR.  Her insights on HIPAA risk management and compliance frequently appear in medical privacy related publications of a broad range of health care, health plan and other industry publications Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, SHRM, HIMMS, the American Bar Association, the Health Care Compliance Association, a multitude of health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others.  You can get more information about her HIPAA and other experience here.

In addition to this extensive HIPAA specific experience, Ms. Stamer also is recognized for her experience and skill aiding clients with a diverse range of other employment, employee benefits, health and safety, public policy, and other compliance and risk management concerns. 

Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization, a member of the Editorial Advisory Board and expert panels of HR.com, Employee Benefit News, InsuranceThoughtLeadership.com, and Solutions Law Press, Inc., management attorney and consultant Ms. Stamer has 25 years of experience helping employers; employee benefit plans and their sponsors, administrators, fiduciaries; employee leasing, recruiting, staffing and other professional employment organizations; and others design, administer and defend innovative workforce, compensation, employee benefit  and management policies and practices.   Ms. Stamer often has worked, extensively on these and other workforce and performance related matters.  In addition to her continuous day-to-day involvement helping businesses to manage employment and employee benefit plan concerns, she also has extensive public policy and regulatory experience with these and other matters domestically and internationally.  A former member of the Executive Committee of the Texas Association of Business and past Government Affairs Committee Legislative Chair for the Dallas Human Resources Management Association, Ms. Stamer served as a primary advisor to the Government of Bolivia on its pension privatization law, and has been intimately involved in federal, state, and international workforce, health care, pension and social security, tax, education, immigration, education and other legislative and regulatory reform in the US and abroad.  She also is recognized for her publications, industry leadership, workshops and presentations on these and other human resources concerns and regularly speaks and conducts training on these matters. Her insights on these and other matters appear in the Bureau of National Affairs, Spencer Publications, the Wall Street Journal, the Dallas Business Journal, the Houston Business Journal, and many other national and local publications. For more information about Ms. Stamer and her experience or to get access to other publications by Ms. Stamer see here or contact Ms. Stamer directly. 

For help  with these or other compliance concerns, to ask about compliance audit or training, or for legal representation on these or other matters please contact Ms. Stamer at (469) 767-8872 or via e-mail here

About Solutions Law Press, Inc.

Solutions Law Press, Inc.™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also be interested in exploring other Solutions Law Press, Inc. ™ tools, products, training and other resources here and reading some of our other Solutions Law Press, Inc.™ human resources news here including the following:

©2013 Cynthia Marcotte Stamer, P.C.  Non-exclusive license to republish granted to Solutions Law Press, Inc.™  All other rights reserved.

Comments Off on OCR Gives HIPAA Guidance On Safety Disclosures | Data Security, GINA, Health Plans, Insurance | Tagged: | Permalink
Posted by Cynthia Marcotte Stamer

Catch Up On Health Reform & Other Key Employee Benefits & Insurance Issues Emerging Issues and Litigation Relating to Life, Health, Disability and ERISA Symposium In Ft. Lauderdale

December 7, 2012

Cynthia Marcotte Stamer will be one of the featured panelists discussing “Implications of PPACA” on January 18, 2013 at the American Bar Association Tort Trial & Insurance Practice Section’s (TIPS) 39th Annual TIPS Midwinter Symposium on Insurance and Employee Benefits “Emerging Issues and Litigation Relating to Life, Health, Disability and ERISA” in Fort Lauderdale.

The “Implications on PPACA” program scheduled at 3:30 p.m. on January 18, 2012 is one of many content-rich series of programs on employee benefit and insurance issues that leading practitioners will lead during the Symposium W Hotel Fort Lauderdale in Fort Lauderdale, FL on January 17-19, 2013.  To register, review the full agenda or get additional information about the Symposium, see here.

About Ms. Stamer

Managing Editor of Solutions Law Press, Inc. and a noted Texas-based employee benefits and employment lawyer with extensive involvement in the leadership of the ABA and other professional organizations involved in employee benefits, health care and workforce matters, is nationally and internationally known for her knowledgeable and creative leadership and work as an attorney, consultant, policy advocate, speaker and author helping businesses, governments, and communities on health and other insurance and employee benefits, patient education and empowerment, wellness and disease management, and other programs, policies, and processes.  For more than 24 years, Ms. Stamer’s legal practice has focused on advising and representing employers, insurers, health care providers, community leaders and governments about health care and employee benefits policy and process improvement, quality, performance management, education, compliance, communications, risk management, reimbursement and finance, and other related matters.  In addition to her legal practice, Stamer also extensively consults and provides leadership to a broad range of clients, professional and civic organizations, and others on strategies for improving the health care system and the ability of health care providers, payers, employers, community organizations, government agencies to promote the ability of patients and their families to access cost-effective, quality, affordable health care and other resource needs.  She also has worked extensively with a broad range of business and government clients on health care, pension, social security, workforce, insurance and many other related policy matters.

In addition to her service with TIPS, Ms. Stamer also is active in the leadership of a broad range of other professional and civil organizations. For instance, Ms. Stamer presently serves as Executive Director of Project COPE, the Coalition on Patient Empowerment and the Coalition for Responsible Healthcare Policy; Vice President of the North Texas Healthcare Compliance Professionals Association; Immediate Past Chair of the American Bar Association RPTE Employee Benefits & Other Compensation Committee and its representative to the ABA Joint Committee on Employee Benefits and Vice Chair of its Welfare Benefits Committee; Past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and a current member of its Healthcare Coordinating Council; and as the Gulf Coast TEGE Council TE Committee Coordinator.  She previously served as a founding Board Member and President of the Alliance for Healthcare Excellence, as a Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; the Board President of the early retirement intervention agency, The Richardson Development Center for Children; Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee; a member of the Board of Directors of the Southwest Benefits Association; on many seminar faculties and in many other professional and civic leadership and volunteer roles. 

Author of the hundreds of publications and workshops these and other employment, employee benefits, health care, insurance, workforce and other management matters, Ms. Stamer’s insights on employee benefits, insurance, health care and workforce matters in Atlantic Information Services, The Bureau of National Affairs, HealthLeaders, Modern Healthcare, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other publications. Nationally known for her work on health care reform and related matters, Ms. Stamer also regularly conducts training and speaks on these and other  management, compliance and public policy concerns.  For more information about Ms. Stamer, upcoming training, publications or other materials or events, see here  or contact Ms. Stamer directly via email here or (469) 767-8872.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. For important information concerning this communication click here.    If you do not wish to receive these updates in the future, send an e-mail with the word “Remove” in the Subject to here.

©2012 Cynthia Marcotte Stamer, P.C. All rights reserved.

Comments Off on Catch Up On Health Reform & Other Key Employee Benefits & Insurance Issues Emerging Issues and Litigation Relating to Life, Health, Disability and ERISA Symposium In Ft. Lauderdale | 105(h), Affordable Care Act, CHIP, COBRA, Disability, Disability, Employee Benefits, Employers, Employment Tax, ERISA, Excise Tax, Fiduciary Responsibility, FMLA, Health Care Reform, Health Plans, HIPAA, Human Resources, Income Tax, Insurance, Malpractice, Medicare Part D, Mental Health, Mental Health Parity, Patient Empowerment, Patient Protection and Affordable Care Act, Payroll Tax, Preemption, Prescription Drugs, Protected Health Information, Reporting & Disclosure, Tax Credit, Wellness Programs | Tagged: , , | Permalink
Posted by Cynthia Marcotte Stamer

New OCR HIPAA De-Identification Guidance Among Developments Covered In 12/12 HIPAA Update Web Workshop

November 27, 2012

Get Up To Date On Details of New De-Identification Guidance & Other HIPAA Developments By Participating In 12/12 HIPAA Update Web Workshop

Health care providers, health plans, health care clearinghouses (covered entities) and their business associates and leadership should check and update their policies and practices for the de-identification of protected health information (PHI) in light of newly-released Guidance Regarding Methods for De-identification of Protected Health Information in Accordance With the Health Insurance Portability and Accountablity Act (HIPAA) Privacy Rule (Guidance) released by the Department of Health & Human Services (HHS) Office of Civil Rights yesterday (November 26, 2012). 

Solutions Law Press, Inc. will host a one-hour, online HIPAA Update Workshop on the Guidance and other recent regulatory and enforcement developments under HIPAA for covered entities and their business associates on Wednesday, December 12 beginning at Noon Central Time. To register, see here.

PHI collected by health care providers, health plans, their management, sponsors, and vendors often includes a wealth of information valuable for use for functions unrelated to the HIPAA-covered functions and activities that leads covered entities or their business associates to collect or keep this data.  While it might be tempting to repurpose this information for business planning and marketing purposes, covered entities and their business partners or associates frequently assume that covered entities and others that they deal with must take proper steps to that no PHI is used, accessed, disclosed or shared unless that action is allowed under the Privacy Rules, properly de-identified, or both.

When planning to rely upon the de-identification of PHI to engage in these activities,  parties planning to rely upon HIPAA’s exception for de-identified PHI will want to consult new guidance just released by OCR about the de-identification requirements before moving forward. Existing Privacy Rules and the Guidance recognize two alternative methods that covered entities and their business can use to properly de-identify PHI for purposes of the HIPAA Privacy Rule.

OCR published the Guidance to help covered entities to understand what qualifies as de-identification, the general process by which de-identified information is created, and the options available for performing de-identification for purposes of the HIPAA Privacy Rule.  The publication of this guidance was mandated as part of amendments to HIPAA enacted by Health Information Technology for Economic and Clinical Health (HITECH) Act included in the American Recovery and Reinvestment Act of 2009 (ARRA).  Section 13424(c) of the HITECH Act requires the HHS to issue guidance on how best to implement the requirements for the de-identification of health information contained in the Privacy Rule.  

De-identification & Its Rationale Under Privacy Rule

The Privacy Rule was designed to protect individually identifiable health information through permitting only certain uses and disclosures of PHI provided by the Rule, or as authorized by the individual subject of the information.  However, in recognition of the potential utility of health information even when it is not individually identifiable, §164.502(d) of the Privacy Rule permits a covered entity or its business associate to create information that is not individually identifiable by following the de-identification standard and implementation specifications in Privacy Rule §164.514(a)-(b).  These provisions allow the entity to use and disclose information that neither identifies nor provides a reasonable basis to identify an individual provided the Covered Entity can show that the PHI has been de-identified in accordance with either the Expert Determination Method or the Safe Harbor Method of the de-identification standard of the Privacy Rule and is not re-identified.  Regardless of the method used to de-identify PHI, the Privacy Rule does not restrict the use or disclosure of de-identified health information, as it is no longer considered PHI and is not re-identified.

Privacy Rule De-Identification Implementation Standards Permit Alternative Methods of De-identification

Section 164.514(a) of the HIPAA Privacy Rule provides the standard for de-identification of protected health information.  Under this standard, health information is not individually identifiable if it does not identify an individual and if the covered entity has no reasonable basis to believe it can be used to identify an individual. See Privacy Rule § 164.514.

Sections 164.514(b) and (c) of the Privacy Rule contain the implementation specifications that a covered entity must follow to meet the de-identification standard. As summarized in Figure 1, the Privacy Rule provides two methods by which health information can be designated as de-identified:

  • The formal determination by a qualified expert in accordance with the Privacy Rule (Expert Determination Method); or
  • The removal of specified individual identifiers as well as absence of actual knowledge by the covered entity that the remaining information could be used alone or in combination with other information to identify the individual (Safe Harbor Method).

In order for PHI to qualify as de-identified under the “Expert Determination Method, Privacy Rule § 164.514(b)(1) requires that a person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable:

  • Applying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information; and
  • Documents the methods and results of the analysis that justify such determination.

Alternatively, Privacy Rule § 164.514(b)(2) provides that PHI will qualify as de-identified under the Safe Harbor Method if:

  • All of an extensive list of identifiers of the individual or of relatives, employers, or household members of the individual, are removed from the data; and
  • The covered entity does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information.

As long as the data is not re-identified, the Guidance indicates that a covered entity may prove fulfillment of the de-identification standard of Privacy Rule §164.514(a) by showing satisfaction of all applicable requirements of either method.  Under the Privacy Rule, de-identified health information created following these methods is no longer protected by the Privacy Rule because it does not fall within the definition of PHI.  Of course, de-identification leads to information loss which may limit the usefulness of the resulting health information in certain circumstances. Consequently, covered entities may wish to select de-identification strategies that minimize such loss.

Both alternatives for de-identification under the Privacy Rule require that covered entities and their business associates decide whether and how to keep the option for re-identification of PHI slated for de-identification and where applicable, appropriately manage the re-identification opportunity and data to avoid violation of the Privacy Rule.

According to the Privacy Rule, if a covered entity or business associate successfully undertook an effort to identify the subject of de-identified information it maintained, the health information now related to a specific individual would again be protected by the Privacy Rule, as it would meet the definition of PHI.  Disclosure of a code or other means of record identification designed to enable coded or otherwise de-identified information to be re-identified is also considered a disclosure of PHI.  In this regard, Privacy Rule §164.514(c) specifies that if the covered entity assigns a code or other means of  record identification to allow information de-identified under this section to be re-identified by the covered entity, themeans of record identification is not derived from or related to information about the individual and is not otherwise capable of being translated so as to identify the individual; it can’t use elements of the protected PHI as the re-identification key,must safeguard the key, and can’t use or disclose the key or other re-identification tool for any other purpose.

Preparing For, Guiding & Documenting The De-identification Process For Defensibility

The Guidance stresses that importance of documentation for which values in health data correspond to PHI, as well as the systems that manage PHI and its risk of identification or re-identification in the de-identification process cannot be overstated. 

The Guidance provides guidance to help guide covered entities and their business associates through the steps and analysis of using the Expert Determination versus Safe Harbor Method.  A review of this Guidance makes clear that the design and administration of the de-identification process under either method requires careful and well-documented planning, analysis and implementation to fulfill and to keep the documentation that a covered entity or business associate might need to defend its decision to treat and use PHI as de-identified under the Privacy Rule against a potential audit or enforcement inquiry.  The Guidance also seeks to further illuminate the requirements for effective de-identification  through a series of questions and answers, supplemented by work flow and other charts, examples and other illustrations and tips on the proper use of each alternative Method and managing risks and the process associated with that Method. A Glossary of Terms also is shared.  The discussion in the Guidance makes clear that covered entities and their businesses associates using either Method to de-identify PHI should be prepared to make a number of judgments about which Method to use, whether and how to make arrangements for re-identification, and how to properly manage the process to meet the requirements of the implementation standard and manage re-identification or other risks.

Register For 12/12 HIPAA Update Web Workshop To Catch Up On De-Identification Guidance & Other HIPAA & Texas HIPAA Regulatory & Enforcement Developments

Training and compliance mandates applicable to covered entities and their business associates under the newly strengthened Texas HIPAA law and HIPAA’s Privacy and Breach Notification Rules make it more  important than ever that covered entities and their business associates get the timely training and other assistance needed  to properly comply with requirements for the protection of PHI under the new Guidance and other HIPAA and Texas  HIPAA mandates. 

To aid in this process,  Solutions Law Press, Inc. will host a  2012 HIPAA Update Web Workshop covering the new Guidance on de-identification and other regulatory and enforcement developments under HIPAA and the newly amended Texas HIPAA law on December 12, 2012 from 1:00 P.M.-2:00 P.M. Eastern | Noon – 1:00 P.M. Central | 11:00 A.M-Noon Mountain | 10:00A.M-11:00 A.M. Pacific Time.

Expanded health care privacy mandates of the Texas Medical Records Privacy Act that take effect September 1, 2012 and HIPAA regulations require covered entities and their business associates conduct training and take other steps to protect the privacy and security of PHI.

Complete HIPAA Training While You Catch Up On The Latest On HIPAA & Texas Medical Records Privacy Rules & Get Helpful Compliance And Risk Management Tips!

Health care providers, health plans, health care clearinghouses face new imperatives to strengthen their HIPAA and other procedures for handling protected health information and other sensitive information to manage expanding risks and responsibilities arising from evolving rules, expanding enforcement and oversight, and rising penalties and other liabilities. 

Expanded health care privacy mandates of the Texas Medical Records Privacy Act that take effect September 1, 2012 and HIPAA regulations require covered entities and their business associates conduct training and take other steps to protect the privacy and security of personal health information (PHI) and certain other information.

The $4.3 million HIPAA Civil Monetary Penalty and growing list of $1 million plus resolution payments announced by the Office of Civil Rights coupled with its commitment to investigate all large breaches reported under the HITECH Act Breach Notification Rule and other stepped up enforcement and newly initiated audit activities send a clear signal that HIPAA-covered entities and their business associates face significant exposures for failing to appropriately manage their HIPAA and other responsibilities when handling protected health information.  Meanwhile, Texas House Bill 300 has raised maximum state civil penalties for unlawful disclosures of Protected Health Information under the Texas Medical Records Privacy Act to from $5,000 to $1.5 million per year.  Meanwhile HITECH Act amendments to HIPAA require covered entities provide notification of certain breaches while Texas House Bill 300 adds its own specific requirements to provide notice of certain breaches of computerized data containing sensitive personal information.

With Texas House Bill 300 expanding covered entities responsibilities and liabilities and OCR issuing new regulations and other guidance to implement amendments to the HIPAA Privacy & Security Standards and implement and enforce the HITECH Act Breach Notification Rule, health care providers, health plans and insurers, their brokers, third-party administrators, and other covered entities, as well as their business associates and employer and union clients must review and tighten their policies, practices, business associate and other contracts, and enforcement to manage HIPAA and other compliance and manage risks arising from the access, collection, use, protection and disclosure of PHI to meet expanding mandates and to guard against growing liability exposures under HIPAA and other federal and state laws. 

Solutions Law Press, Inc. invites you to catch up on the latest on these and other key HIPAA requirements and enforcement and learn tips for managing risks and liabilities by participating in the “HIPAA Update Workshop” on Wednesday, December 12, 2012 via WebEx for a registration fee of $125.00. 

Pre-approved for various types of continuing and professional education credit, the December 12, 2012 HIPAA Update Workshop will brief participants on the De-Identification Guidance as well as the latest on other regulatory and enforcement guidance under the HIPAA Privacy, Security and Breach Notification rules and guidance and share compliance and risk management lessons emerging from recent OCR enforcement and audit activities and other selected federal and state litigation and enforcement actions impacting the handling of protected health information.  Among other things, the workshop will cover:

  • The De-Identification Guidance just released by OCR on November 26, 2012;
  • The latest HIPAA Privacy, Security & Breach Notification Guidance, Audits & Enforcement
  • Highlights Texas House Bill’s Amendments To Texas Medical Records Privacy Law That Took Effect September 1, 2012
  • Post HITECH Act Heightened Liability Risks:  Audits, Civil Penalties, Criminal Penalties & State Lawsuits
  • Expansion of HIPAA Responsibilities & Liabilities To Business Associates & What Covered Entities & Business Associates Should Do In Response
  • HIPAA Data Breach Notification Requirements
  • Practical Challenges & Strategies For Managing These Responsibilities
  • Tips For Coordinating HIPAA & Other Federal & State Medical Privacy, Financial Information, Identity Theft & Date Security Compliance and Risk Management
  • Practical Strategies For Monitoring & Responding To New Requirements & Changing Rules
  • Participant Questions

About The Speaker

The workshop will be conducted by attorney Cynthia Marcotte Stamer.  A Fellow in the American College of Employee Benefits Counsel, recognized in International Who’s Who, North Texas Health Care Compliance Professionals Association Vice-President and Board Certified in Labor & Employment Law, attorney  Cynthia Marcotte Stamer has 25 years experience advising and representing private and public health care providers, employers, employer and union plan sponsors, employee benefit plans, associations, their fiduciaries, administrators, and vendors, group health, Medicare and Medicaid Advantage, and other insurers, governmental leaders and others on privacy and data security, health care, health and other employee benefit. employment, insurance and related matters. A well-known and prolific author and popular speaker, Ms. Stamer has worked extensively with heath care providers, health plans and other payers, health and insurance IT and data systems, and others on HIPAA and other privacy and data security concerns.  She served as the scrivener for the ABA JCEB Agency Meetings with the Office of Civil Rights on HIPAA Privacy for the past two years.  She presently serves as Co-Chair of the ABA RPTE Section Welfare Plan Committee, Vice Chair of the ABA TIPS Employee Benefit Committee, an ABA Joint Committee on Employee Benefits Representative, an Editorial Advisory Board Member of the Institute of Human Resources (IHR/HR.com) and Employee Benefit News, and various other publications.  A primary drafter of the Bolivian Social Security privatization law with extensive domestic and international regulatory and public policy experience, Ms. Stamer also has worked extensively domestically and internationally on public policy and regulatory advocacy on HIPAA and other privacy and data security risks and requirements as well as a broad range of other health,  employee benefits, human resources, insurance, tax, compliance and other matters and representing clients in dealings with OCR and other HHS agencies, as well as the Departments of Labor, Treasury, Federal Trade Commission, HUD and Justice, Congress and state legislatures, and various state attorneys general, insurance, labor, worker’s compensation, medical licensure and disciplinary and other agencies and regulators. A prolific author and popular speaker, Ms. Stamer regularly authors materials and conducts workshops and professional, management and other training on HIPAA and other privacy, health care, employee benefits, human resources, insurance and related topics for the ABA, Aspen Publishers, the Bureau of National Affairs (BNA), SHRM, World At Work, Government Institutes, Inc., the Society of Professional Benefits Administrators and many other organizations. Her insights on privacy and other matters are quoted in Modern Healthcare, HealthLeaders, Benefits, Caring for the Elderly, The Wall Street Journal and many other publications.  She also regularly serves on the faculty and planning committees of a multitude of symposium and other educational programs.  For more details about Ms. Stamer’s services, experience, presentations, publications, and other credentials or to ask about arranging counseling, training or presentations or other services by Ms. Stamer, see www.CynthiaStamer.com.

Registration

The Registration Fee is $125.00 per person.  Registration Fee Discounts available for groups of three or more. Pre-payment required via website registration required via website PayPal.  No checks or cash accepted.  Persons not registered at least 48 hours in advance will only participate subject to system and space availability.

 Continuing Education Credit

The HIPAA Update Workshop is approved to be offered for general certification credit by the State Bar of  Texas, Texas Department of Insurance, HRCI and WorldAtWork education credit  for the time period offered subject to fulfillment all applicable accrediting agency requirements, completion of required procedures.  Note that the applicable credentialing agency retain the final authority to determine whether an individual qualifies to receive requested continuing education credit.  Neither Solutions Law Press, Inc., the speaker or any of their related parties guarantees the approval of credit for any individual or has any liability for any denial of credit.  Special fees or other conditions may apply.  CANCELLATION   & REFUND POLICY:  In order to receive credit, cancellation (either fax or mail) must be received at least 48 hours in advance of the meeting and are subject to a $10.00 refund processing fee.  Refunds will be made within 60 days of receipt of written cancellation notice.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides business and management information, tools and solutions, training and education, services and support to help organizations and their leaders promote effective management of legal and operational performance, regulatory compliance and risk management, data and information protection and risk management and other key management objectives.  Solutions Law Press, Inc.™ also conducts and assist businesses and associations to design, present and conduct customized programs and training targeted to their specific audiences and needs.  For additional information about upcoming programs, to explore becoming a presenting sponsor for an upcoming event, e-mail your request to info@Solutionslawpress.com   These programs, publications and other resources are provided only for general informational and educational purposes. Neither the distribution or presentation of these programs and materials to any party nor any statement or information provided in or in connection with this communication, the program or associated materials are intended to or shall be construed as establishing an attorney-client relationship,  to constitute legal advice or provide any assurance or expectation from Solutions Law Press, Inc., the presenter or any related parties. If you or someone else you know would like to receive future Alerts or other information about developments, publications or programs or other updates, send your request to info@solutionslawpress.com.  If you would prefer not to receive communications from Solutions Law Press, Inc. send an e-mail with “Solutions Law Press Unsubscribe” in the Subject to support@solutionslawyer.net.  CIRCULAR 230 NOTICE: The following disclaimer is included to comply with and in response to U.S. Treasury Department Circular 230 Regulations.  ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN. If you are an individual with a disability who requires accommodation to participate, please let us know at the time of your registration so that we may consider your request.

©2012 Solutions Law Press, Inc. All Rights Reserved.

Comments Off on New OCR HIPAA De-Identification Guidance Among Developments Covered In 12/12 HIPAA Update Web Workshop | ADA, Civil Rights, Consumer Protection, Corporate Compliance, Data Security, Disease Management, Drug & Alcohol, Employers, ERISA, Fiduciary Responsibility, GINA, Health Plans, HIPAA, Human Resources, Insurance, Internal Controls, Medicare Part D, Prescription Drugs, Privacy, Wellness Programs | Tagged: , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

$1.5 M HIPAA Security Breach Resolution Agreement Shows Looming HIPAA Risks

September 17, 2012

Health plans, health care providers, health care clearinghouses and their business associates have yet another $1 million plus reminder of the importance of taking proper steps to secure electronic protected health information and take other steps required to comply with the Health Insurance Portability & Accountability Act of 1996 (HIPAA).

Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (collectively referred to as “MEEI”) will pay the U.S. Department of Health and Human Services’ (HHS) $1.5 million and take a series of corrective actions to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule under the resolution agreement available here (“Resolution Agreement”) announced by the Department of Health & Human Services (HHS) Office of Civil Rights (OCR) on September 17, 2012. 

MEEI Resolution Agreement

The Resolution Agreement settles charges that resulted from an OCR investigation commenced in response to a HIPAA breach report submitted by MEEI reporting the theft of an unencrypted personal laptop containing the electronic protected health information (ePHI) of MEEI patients and research subjects.  The laptop information included patient prescriptions and clinical information. 

OCR’s investigation indicated that MEEI failed to take necessary steps to comply with certain requirements of the HIPAA Security Rule, such as conducting a thorough analysis of the risk to the confidentiality of ePHI maintained on portable devices, implementing security measures sufficient to ensure the confidentiality of ePHI that MEEI created, maintained, and transmitted using portable devices, adopting and implementing policies and procedures to restrict access to ePHI to authorized users of portable devices , and adopting and implementing policies and procedures to address security incident identification, reporting, and response.  OCR’s investigation indicated that these failures continued over an extended period of time, demonstrating a long-term organizational disregard for the requirements of the Security Rule.

To settle the charges, MEEI will pay a $1.5 million settlement to OCR.  In addition, the Resolution Agreement also requires MEEI to adhere to a corrective action plan which includes reviewing, revising and maintaining policies and procedures to ensure compliance with the Security Rule, and retaining an independent monitor who will conduct assessments of MEEI’s compliance with the corrective action plan and render semi-annual reports to HHS for a 3-year period.

Enforcement Actions Highlight Growing HIPAA Exposures For Covered Entities

The MEEI Resolution Agreement follows on the resolution agreements previously announced this year against a health plan and various health care providers, all but one of which resulted in a settlement agreement of more than $1 million.

For instance, earlier this year, OCR required that Blue Cross Blue Shield of Tennessee (BCBST) to pay $1.5 million to resolve HIPAA violations charges.

Like the PCS, BCBST and other announced resolution agreements, the MEEI Resolution Agreement provides more evidence of the growing exposures that health care providers, health plans, health care clearinghouses and their business associates need to carefully and appropriately manage their HIPAA responsibilities. See HIPAA Heats Up: HITECH Act Changes Take Effect & OCR Begins Posting Names, Other Details Of Unsecured PHI Breach Reports On Website

In response to these expanding exposures, all covered entities and their business associates should review critically and carefully the adequacy of their current HIPAA Privacy and Security compliance policies, monitoring, training, breach notification and other practices taking into consideration OCR’s audit,  investigation and enforcement actions, emerging litigation and other enforcement data, their own and reports of other security and privacy breaches and near misses, evolving rules and technology, and other developments to determine if additional steps are necessary or advisable. For tips, see here.

For Representation, Training & Other Resources

If you need assistance monitoring HIPAA and other health and health plan related regulatory policy or enforcement developments, or to review or respond to these or other health care or health IT related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer may be able to help.

Board Certified in Labor & Employment Law, Past Chair of the ABA RPTE Employee Benefit & Other Compensation Arrangements Group, Co-Chair and Past Chair of the ABA RPTE Welfare Plan Committee, Vice Chair of the ABA TIPS Employee Benefit Plans Committee, Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 24 years experience advising health plan and employee benefit, insurance, financial services, employer and health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers, health plans, their business associates and other health industry clients to establish and administer medical privacy and other compliance and risk management policies, to health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. She regularly designs and presents HIPAA and other risk management, compliance and other training for health plans, employers, health care providers, professional associations and others.

For the past two years, Ms. Stamer has served as the  scribe for the ABA Joint Committee on Employee Benefits agency meeting with OCR.   Ms. Stamer also regularly works with OCR, FTC, USSS, FBI and state and local law enforcement on privacy, data security, health care, benefits and insurance and other matters, publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. For instance, Ms. Stamer for the second year will serve as the appointed scribe for the ABA Joint Committee on Employee Benefits Agency meeting with OCR. Her insights on HIPAA risk management and compliance frequently appear in medical privacy related publications of a broad range of health care, health plan and other industry publications Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others.  You can get more information about her HIPAA and other experience here.

If you need assistance with these or other compliance concerns, wish to inquire about arranging for compliance audit or training, or need legal representation on other matters please contact Ms. Stamer at (469) 767-8872 or via e-mail here.

You can review other recent publications and resources and additional information about the other experience of Ms. Stamer here. Examples of some recent publications that may be of interest include:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or updating your profile here. For important information concerning this communication click here.

©2012 Cynthia Marcotte Stamer.  Non-exclusive right to republish granted to Solutions Law Press, Inc.   All rights reserved.

1 Comment | Employers, Health Plans, HIPAA, Human Resources, Insurance | Tagged: , , , , | Permalink
Posted by Cynthia Marcotte Stamer

Stamer Speaks On HIPAA Developments On 9/14 At ABA Joint Tax/RPTE Fall Meeting In Boston

August 14, 2012

Cynthia Marcotte Stamer will discuss recent HIPAA and other medical privacy developments impacting group health plans at a joint “Employee Benefits Welfare Benefits Design, EEOC and FMLA Update X “ session scheduled from 9:30 a.m. to 11:00 a.m. on September 14, 2012 at the American Bar Association jointly hosted by the Subcommittees on Welfare Plan Design, EEOC, FMLA and Leaves Issues (TX) and Cafeteria Plans and Reimbursement Accounts and Subcommittee on Welfare Plans at the American Bar Association  Section of Taxation and Section of Real Property, Trust & Estate Law, Trust & Estate Division (RPTE) 2012 Joint Fall CLE Meeting In Boston.

Ms. Stamer will be among the a distinguished group of panelists scheduled to discuss regulatory and other developments under the Affordable Care Act and emerging issues related to stop-loss coverage, claims procedures, COBRA audits, DOL compliance initiatives, HIPAA/HITECH audits and enforcement (and regulations if released) and other concerns impacting health and welfare plan design and administration.

A noted Texas-based employee benefits and employment lawyer, policy consultant, author and speaker, Ms. Stamer has serves as the Scribe for the ABA JCEB Agency Meeting on the HIPAA Privacy Rules with the HHS Office of Civil Rights and has extensive experience on HIPAA and other health, financial, and other privacy and data security concerns as well as a broad range of other human resources, employee benefits and health care concerns.  

A Fellow in the American College of Employee Benefits Counsel, the American Bar Association and the State Bar of Texas, Past Chair of the RPTE Employee Benefits and Other Compensation Group and current co-Chair of its Welfare Benefits Committee, Ms. Stamer is nationally and internationally known for her innovative leadership and work with businesses, governments, and communities on health and other insurance and employee benefits, patient education and empowerment, wellness and disease management, and other programs, policies, and processes.  For more than 24 years, Ms. Stamer’s legal practice has focused on advising and representing employers, insurers, health care providers, community leaders and governments about health care and employee benefits policy and process improvement, quality, performance management, education, compliance, communications, risk management, reimbursement and finance, and other related matters.  In addition to her legal practice, Stamer also extensively consults and provides leadership to a broad range of clients, professional and civic organizations, and others on strategies for improving the health care system and the ability of health care providers, payers, employers, community organizations, government agencies to promote the ability of patients and their families to access cost-effective, quality, affordable health care and other resource needs.  She also has worked extensively with a broad range of business and government clients on health care, pension, social security, workforce, insurance and many other related policy matters.  

Author of the hundreds of publications and workshops these and other employment, employee benefits, health care, insurance, workforce and other management matters, Ms. Stamer’s insights on employee benefits, insurance, health care and workforce matters in Atlantic Information Services, The Bureau of National Affairs, HealthLeaders, Modern Healthcare, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other publications. She also regularly conducts training and speaks on these and other  management, compliance and public policy concerns.

Ms. Stamer also is active in the leadership of a broad range of other professional and civil organizations. For instance, Ms. Stamer presently serves as Executive Director of Project COPE, the Coalition on Patient Empowerment and the Coalition for Responsible Healthcare Policy; Vice President of the North Texas Healthcare Compliance Professionals Association; Immediate Past Chair of the American Bar Association RPTE Employee Benefits & Other Compensation Committee and its current Welfare Benefit Plans Committee Co-Chair, a Substantive Groups & Committee Member and its representative to the ABA Joint Committee on Employee Benefits; Past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and a current member of its Healthcare Coordinating Council; current Vice Chair of the ABA TIPS Employee Benefit Committee, and outgoing Coordinator of the Gulf Coast TEGE Council TE Division.  She previously served as a founding Board Member and President of the Alliance for Healthcare Excellence, as a Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; the Board President of the early retirement intervention agency, The Richardson Development Center for Children; Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee; a member of the Board of Directors of the Southwest Benefits Association; on numerous seminar faculties and in many other professional and civic leadership and volunteer roles..   

Ms. Stamer will speak along a distinguished group of governmental and private panelists.  Other panelists include:

  • Kevin Knopf, Attorney-Adviser, Office of Benefits Tax Counsel, Department of Treasury, Washington, DC;
  • Stephen B. Tackney, Deputy Associate Chief Counsel, Employee Benefits, Office of Division Counsel/Associate Chief Counsel, TE/GE, IRS, Washington, DC;
  • Russ Weinheimer, Senior Counsel, Office of the Chief Counsel, Tax Exempt and Government Entities, IRS, Washington, DC;
  • Amy Turner, Senior Advisor, Department of Labor, Employee Benefits Security Administration, Washington, DC;
  • Andy R. Anderson, Morgan Lewis, Chicago, IL; Chad R. DeGroot, Laner Muchin, Chicago, IL;
  • William M. Freedman, Dinsmore & Shohl LLP, Cincinnati, OH;
  • Bernard Kearse, Kearse Law Firm, Atlanta, GA;
  • Elizabeth Leight, Society of Professional Benefit Administrators, Chevy Chase, MD;
  • Gabriel Marinaro, Dykema, Bloomfield Hills, MI;
  • Linda Mendel, Vorys Sater Seymour & Pease LLP, Columbus, OH; Carrie A. Simons, Ropes & Gray, Boston, MA; Mark Stember, Kilpatrick Townsend & Stockton LLP, Washington, DC

To register or learn more about the Joint Fall CLE Meeting, see here.  For additional information about Ms. Stamer, see here  or contact Ms. Stamer directly via email here or (469) 767-8872.

 

Comments Off on Stamer Speaks On HIPAA Developments On 9/14 At ABA Joint Tax/RPTE Fall Meeting In Boston | Employers, ERISA, Fiduciary Responsibility, Health Plans, HIPAA | Tagged: , , , , | Permalink
Posted by Cynthia Marcotte Stamer

HIPAA & Texas Law Require HIPAA Training. Register Now For August 14 HIPAA Update Workshop!

August 8, 2012

 

Texas House Bill 300 Medical Records Privacy Act Amendments & HIPAA Regulations Require HIPAA Privacy Training!

Register Now!

Register Now For A Solutions Law Press 2012 Coping with Health Care Reform Series Workshop

HIPAA Update

August 14, 2012

12:30 P.M.-2:30 P.M. Eastern | 11:30 A.M.-1:30 P.M. Central | 10:30 A.M-12:30 P..M. Mountain | 9:30 A.M-11:30 A.M. Pacific

Texas Department Of Insurance Continuing Education Credit, HRCI and World At Work Education Credit Approved!

Expanded health care privacy mandates of the Texas Medical Records Privacy Act that take effect September 1, 2012 and HIPAA regulations require covered entities and their business associates conduct training and take other steps to protect the privacy and security of personal health information (“PHI”).

Complete HIPAA Training While You Catch Up On The Latest On HIPAA & Texas Medical Records Privacy Rules & Get Helpful Compliance And Risk Management Tips!

Health care providers, health plans, health care clearinghouses face new imperatives to strengthen their HIPAA and other procedures for handling protected health information and other sensitive information to manage expanding risks and responsibilities arising from evolving rules, expanding enforcement and oversight, and rising penalties and other liabilities. 

Expanded health care privacy mandates of the Texas Medical Records Privacy Act that take effect September 1, 2012 and HIPAA regulations require covered entities and their business associates conduct training and take other steps to protect the privacy and security of personal health information (PHI) and certain other information.

The $4.3 million HIPAA Civil Monetary Penalty and growing list of $1 million plus resolution payments announced by the Office of Civil Rights coupled with its commitment to investigate all large breaches reported under the HITECH Act Breach Notification Rule and other stepped up enforcement and newly initiated audit activities send a clear signal that HIPAA-covered entities and their business associates face significant exposures for failing to appropriately manage their HIPAA and other responsibilities when handling protected health information.  Meanwhile, Texas House Bill 300 has raised maximum state civil penalties for unlawful disclosures of Protected Health Information under the Texas Medical Records Privacy Act to from $5,000 to $1.5 million per year.  Meanwhile HITECH Act amendments to HIPAA require covered entities provide notification of certain breaches while Texas House Bill 300 adds its own specific requirements to provide notice of certain breaches of computerized data containing sensitive personal information.

With Texas House Bill 300 expanding covered entities responsibilities and liabilities and OCR issuing new regulations and other guidance to implement amendments to the HIPAA Privacy & Security Standards and implement and enforce the HITECH Act Breach Notification Rule, health care providers, health plans and insurers, their brokers, third party administrators, and other covered entities, as well as their business associates and employer and union clients must review and tighten their policies, practices, business associate and other contracts, and enforcement to manage HIPAA and other compliance and manage risks arising from the access, collection, use, protection and disclosure of PHI to meet expanding mandates and to guard against growing liability exposures under HIPAA and other federal and state laws. 

Solutions Law Press, Inc. invites you to catch up on the latest on these and other key HIPAA requirements and enforcement and learn tips for managing risks and liabilities by participating in the “HIPAA Update Workshop” on Tuesday, August 14, 2012.   Participants may choose to attend the live briefing in Addison, Texas or participate via WebEx for a registration fee of $125.00.  Texas Department of Insurance Continuing Education Credit and other professional certification credit may be requested by qualifying participant for an added charge.

Learn Latest On HIPAA & Texas House Bill 300 Privacy, Security & Breach Notification Guidance & Enforcement

The HIPAA Update Workshop will brief participants on the latest HIPAA Privacy, Security and Breach Notification rules and guidance and share compliance and risk management lessons emerging from recent OCR enforcement and audit activities and other selected federal and state litigation and enforcement actions impacting the handling of protected health information.  Among other things, the workshop will cover:

√ Latest HIPAA Privacy, Security & Breach Notification Rules, Guidance & Enforcement

√Latest on Texas House Bill Amendments To Texas Medical Records Privacy Law Effective September 1, 2012

 √Post HITECH Act Heightened Liability Risks:  Audits, Civil Penalties, Criminal Penalties & State Lawsuits

√ Expansion of HIPAA Responsibilities & Liabilities To Business Associates & What Covered Entities & Business Associates Should Do In Response

√ HIPAA Data Breach Notification Requirements & Practical Challenges & Strategies For Managing These Responsibilities

√ HIPAA Compliance & Risk Management Coordination With Other Federal & State Medical Privacy, Financial Information, Identity Theft & Date Security Responsibilities

√ Breach Preparedness & Response Planning

√ Practical Steps & Best Practices For Compliance & Risk Management 

√ Practical Strategies For Monitoring & Responding To New Requirements & Changing Rules

√ Participant Questions

√ More

About The Speaker

A Fellow in the American College of Employee Benefits Counsel, recognized in International Who’s Who, North Texas Health Care Compliance Professionals Association Vice-President and Board Certified in Labor & Employment Law, attorney  Cynthia Marcotte Stamer has 25 years experience advising and representing private and public health care providers, employers, employer and union plan sponsors, employee benefit plans, associations, their fiduciaries, administrators, and vendors, group health, Medicare and Medicaid Advantage, and other insurers, governmental leaders and others on privacy and data security, health care, health and other employee benefit. employment, insurance and related matters. A well-known and prolific author and popular speaker, Ms. Stamer has served as the scrivener for the ABA JCEB Agency Meetings with the Office of Civil Rights on HIPAA Privacy for the past two years.  She presently serves as Co-Chair of the ABA RPTE Section Welfare Plan Committee, Vice Chair of the ABA TIPS Employee Benefit Committee, an ABA Joint Committee on Employee Benefits Representative, an Editorial Advisory Board Member of the Institute of Human Resources (IHR/HR.com) and Employee Benefit News, and various other publications.  A primary drafter of the Bolivian Social Security privatization law with extensive domestic and international regulatory and public policy experience, Ms. Stamer also has worked extensively domestically and internationally on public policy and regulatory advocacy on HIPAA and other privacy and data security risks and requirements as well as a broad range of other health,  employee benefits, human resources, insurance, tax, compliance and other matters and representing clients in dealings with the US Congress, Departments of Labor, Treasury, Health & Human Services, Federal Trade Commission, HUD and Justice, as well as a state legislatures attorneys general, insurance, labor, worker’s compensation, and other agencies and regulators. A prolific author and popular speaker, Ms. Stamer regularly authors materials and conducts workshops and professional, management and other training on HIPAA and other privacy, health care, employee benefits, human resources, insurance and related topics for the ABA, Aspen Publishers, the Bureau of National Affairs (BNA), SHRM, World At Work, Government Institutes, Inc., the Society of Professional Benefits Administrators and many other organizations. Her insights on privacy and other matters are quoted in Modern Healthcare, HealthLeaders, Benefits, Caring for the Elderly, The Wall Street Journal and many other publications.  She also regularly serves on the faculty and planning committees of a multitude of symposium and other educational programs.  For more details about Ms. Stamer’s services, experience, presentations, publications, and other credentials or to inquire about arranging counseling, training or presentations or other services by Ms. Stamer, see http://www.CynthiaStamer.com.

Registration

 Registration Fee per course is $125.00 per person (plus an additional $10 service fee for each individual seeking Texas Department of Insurance Continuing Education Credit).  Registration Fee Discounts available for groups of three or more.  Payment required via website registration required 48 hours in advance of the program to complete registration.  Payment only accepted via website PayPal.  No checks or cash accepted.  Persons not registered at least 48 hours in advance will only participate subject to system and space availability.

 *Tex. Dept. of Insurance, HRICI, WorldAtWork, CLE & Other Continuing Education Credit

These programs are approved to be offered for general certification credit by the Texas Department of Insurance, HRCI and WorldAtWork education credit  for the time period offered subject to fulfillment all applicable accrediting agency requirements, completion of required procedures and payment of the additional service processing fee of $10.00.  An application for State Bar of Texas continuing education legal education credit is pending. The Texas Department of Insurance has approved the HIPAA Update program is approved for 1.5 hours of General Credit and .5 Hours of Ethics Credit.  The applicable credentialing agency retain the final authority to determine whether an individual qualifies to receive requested continuing education credit.  Neither Solutions Law Press, Inc., the speaker or any of their related parties guarantees the approval of credit for any individual or has any liability for any denial of credit.  Special fees or other conditions may apply.  CANCELLATION   & REFUND POLICY:  In order to receive credit, cancellation (either fax or mail) must be received at least 48 hours in advance of the meeting and are subject to a $10.00 refund processing fee.  Refunds will be made within 60 days of receipt of written cancellation notice.

Check Out Our Health Plan-U & Other Workshops Including:

HIPAA Update*

August 14, 2012

11:30 A.M.-1:00 P.M. Central 

Health Plan Communications Update: SBCs, SPDs & Beyond*

August 28, 2012

11:30 A.M.-1:00 P.M.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides business and management information, tools and solutions, training and education, services and support to help organizations and their leaders promote effective management of legal and operational performance, regulatory compliance and risk management, data and information protection and risk management and other key management objectives.  Solutions Law Press, Inc.™ also conducts and assist businesses and associations to design, present and conduct customized programs and training targeted to their specific audiences and needs.  For additional information about upcoming programs, to inquire about becoming a presenting sponsor for an upcoming event, e-mail your request to info@Solutionslawpress.com   These programs, publications and other resources are provided only for general informational and educational purposes. Neither the distribution or presentation of these programs and materials to any party nor any statement or information provided in or in connection with this communication, the program or associated materials are intended to or shall be construed as establishing an attorney-client relationship,  to constitute legal advice or provide any assurance or expectation from Solutions Law Press, Inc., the presenter or any related parties. If you or someone else you know would like to receive future Alerts or other information about developments, publications or programs or other updates, send your request to info@solutionslawpress.com.  If you would prefer not to receive communications from Solutions Law Press, Inc. send an e-mail with “Solutions Law Press Unsubscribe” in the Subject to support@solutionslawyer.net.  CIRCULAR 230 NOTICE: The following disclaimer is included to comply with and in response to U.S. Treasury Department Circular 230 Regulations.  ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN. If you are an individual with a disability who requires accommodation to participate, please let us know at the time of your registration so that we may consider your request.

©2012 Solutions Law Press, Inc. All Rights Reserved.

Comments Off on HIPAA & Texas Law Require HIPAA Training. Register Now For August 14 HIPAA Update Workshop! | Uncategorized | Tagged: , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

OCR Hits Alaska Medicaid For $1.7M+ For HIPAA Security Breach

June 26, 2012

The Alaska State Medicaid Agency, the Alaska Department of Health and Social Services (DHSS) will pay the U.S. Department of Health and Human Services’ (HHS) $1,700,000 to settle possible violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.  Alaska DHSS also has agreed to take corrective action to properly safeguard the electronic protected health information (ePHI) of their Medicaid beneficiaries. 

The first HIPAA Resolution Agreement that the HHS Office for Civil Rights (OCR) has reached a state agency, the Resolution Agreement  second announced Resolution Agreement stemming from a unsecured protected health information breach report filed in response to the breach notification rules of the Health Information Technology for Economic and Clinical Health (HITECH) Act.  Earlier this year, OCR announced its first Resolution Agreement involving a health plan resulted from a breach notification report it had filed under the HITECH Act.  See $1.5 Million HIPAA Settlement Reached To Resolve 1st OCR Enforcement Action Prompted By HITECH Act Breach Report.

OCR opened the investigation leading to the Resolution Agreement after Alaska DHSS filed a breach report that indicated that a portable electronic storage device (USB hard drive) possibly containing ePHI was stolen from the vehicle of a DHSS employee.  Over the course of the investigation, OCR found evidence that DHSS did not have adequate policies and procedures in place to safeguard ePHI.  Further, the evidence indicated that DHSS had not completed a risk analysis, implemented sufficient risk management measures, completed security training for its workforce members, implemented device and media controls, or addressed device and media encryption as required by the HIPAA Security Rule.  Inadequacies by covered entities in safeguarding protected health information and laptops and other devices containing ePHI is a common compliance concern according to OCR statistics.

In addition to the $1,700,000 settlement, the agreement includes a corrective action plan that requires Alaska DHSS to review, revise, and maintain policies and procedures to ensure compliance with the HIPAA Security Rule.  A monitor will report back to OCR regularly on the state’s ongoing compliance efforts. 

OCR’s announcement highlights the need for covered entities not only to take proper steps to establish and administer appropriate policies and safeguards to protect protected health information and EHI, but also to prepare, update as needed and be prepared to produce documentation showing their oganizations actions to evaluate, monitor and maintain appropriate safeguards of ePHI and the operating systems and devices that contain this information. 

“Covered entities must perform a full and comprehensive risk assessment and have in place meaningful access controls to safeguard hardware and portable devices,” said OCR Director Leon Rodriguez.  “This is OCR’s first HIPAA enforcement action against a state agency and we expect organizations to comply with their obligations under these rules regardless of whether they are private or public entities.”

The HHS Resolution Agreement can be viewed here.

Enforcement Actions Highlight Growing HIPAA Exposures For Covered Entities

The Alaska Medicaid Resolution Agreement is the latest in a growing list of Resolutions Agreements highlighting the mounting exposures that health care providers, health plans, health care clearinghousesand their business associates face if required to file a large breach notification or otherwise charged with failing to appropriately manage their HIPAA responsibilities. See Arizona Physician Group Pays $100K To Settle HIPAA Charges; $1.5 Million HIPAA Settlement Reached To Resolve 1st OCR Enforcement Action Prompted By HITECH Act Breach Report; HIPAA Heats Up: HITECH Act Changes Take Effect & OCR Begins Posting Names, Other Details Of Unsecured PHI Breach Reports On Website.   As OCR leaders have indicated that OCR investigates all large breach notification filings made under the HITECH Act Breach Notification Rules and with more than 450 large breach notifications reported on its website, additional Resolution Agreements are expected in coming months even as covered entities and their business associates are awaiting the impending  issuance of updated HIPAA regulations.

In light of these and other developments and risks, covered entities and their business associates should move to audit and strengthen their HIPAA compliance and documentaiton and adopt  other suitable safeguards to minimize HIPAA exposures. 

In the face of rising enforcement and fines, OCR’s initiation of HIPAA audits and other recent developments, covered entities and their business associates should tighten privacy policies, breach and other monitoring, training and other practices to reduce potential HIPAA exposures in light of recently tightened requirements and new enforcement risks. 

In response to these expanding exposures, all covered entities and their business associates should review critically and carefully the adequacy of their current HIPAA Privacy and Security compliance policies, monitoring, training, breach notification and other practices taking into consideration OCR’s investigation and enforcement actions, emerging litigation and other enforcement data; their own and reports of other security and privacy breaches and near misses, and other developments to determine if additional steps are necessary or advisable. 

For more information about the PCS Resolution Agreement and HIPAA compliance and risk management tips, see here.

In response to these expanding exposures, all covered entities and their business associates should review critically and carefully the adequacy of their current HIPAA Privacy and Security compliance policies, monitoring, training, breach notification and other practices taking into consideration OCR’s investigation and enforcement actions, emerging litigation and other enforcement data; their own and reports of other security and privacy breaches and near misses, and other developments to determine if additional steps are necessary or advisable.

For Representation, Training & Other Resources

If you need assistance monitoring HIPAA and other health and health plan related regulatory policy or enforcement developments, or to review or respond to these or other health care or health IT related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer may be able to help.

Board Certified in Labor & Employment Law, Past Chair of the ABA RPTE Employee Benefit & Other Compensation Arrangements Group, Co-Chair and Past Chair of the ABA RPTE Welfare Plan Committee, Vice Chair of the ABA TIPS Employee Benefit Plans Committee, Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 24 years experience advising health plan and employee benefit, insurance, financial services, employer and health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers, health plans, their business associates and other health industry clients to establish and administer medical privacy and other compliance and risk management policies, to health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. She regularly designs and presents HIPAA and other risk management, compliance and other training for health plans, employers, health care providers, professional associations and others.

For the past two years, Ms. Stamer has served as the  scribe for the ABA Joint Committee on Employee Benefits agency meeting with OCR.   Ms. Stamer also regularly works with OCR, FTC, USSS, FBI and state and local law enforcement on privacy, data security, health care, benefits and insurance and other matters, publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. For instance, Ms. Stamer for the second year will serve as the appointed scribe for the ABA Joint Committee on Employee Benefits Agency meeting with OCR. Her insights on HIPAA risk management and compliance frequently appear in medical privacy related publications of a broad range of health care, health plan and other industry publications Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others.

You can get more information about her HIPAA and other experience here.

If you need assistance with these or other compliance concerns, wish to inquire about arranging for compliance audit or training, or need legal representation on other matters please contact Ms. Stamer at (469) 767-8872 or via e-mail here.

You can review other recent publications and resources and additional information about the other experience of Ms. Stamer here. Examples of some recent publications that may be of interest include:

If you need help investigating or responding to a known or suspected compliance, litigation or enforcement or other risk management concern, assistance with reviewing, updating, administering or defending a current or proposed employment, employee benefit, compensation or other management practice, wish to inquire about federal or state regulatory compliance audits, risk management or training, or need legal representation on other matters please contact Ms Stamer here or at (469) 767-8872.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. For important information concerning this communication click here. If you do not wish to receive these updates in the future, send an e-mail with the word “Remove” in the Subject to here.

©2012 Cynthia Marcotte Stamer, P.C.  Non-exclusive right to republish granted to Solutions Law Press, Inc.   All rights reserved.

Comments Off on OCR Hits Alaska Medicaid For $1.7M+ For HIPAA Security Breach | Employers, Health Plans, HIPAA, Human Resources, Insurance | Tagged: , , , , | Permalink
Posted by Cynthia Marcotte Stamer

Making Wellness Work On A Shoestring Budget

May 28, 2012
With tight budgets preventing many businesses from investing in wellness consulting resources, a tight budget doesn’t mean your company, church, or other group can’t have a thriving wellness program.  Wellness is a culture.   While the resources and advice of consultants and bells and whistles can be helpful sometimes, the inability to afford them doesn’t mean that your organization or group can’t have a healthy and effective wellness program. 
 
The key to promoting wellness in your workplace, organization or community is to promote a culture of healthy eating, movement and lifestyles.  Establish the culture by leading the way.  Make healthy food choices available at meetings.  Require or urge your leadership to model good eating behavior.  Have a healthy pot luck and challenge employees to bring and share their tastiest, healthy dish.   
 
Encourage leaders and others to incorporate movement into the day.  Walking meetings and other inexpensive activities can help promote health with very little cost.  Encourage employees to walk in walk-a-thons, participate in running groups, walk or skip to lunch, take the stairs,  participate in sports leagues or other similar activities. 
 
Don’t overlook the wealth of available free resources.  Project COPE”s Play For Life Program relies upon a host of free often government provided resources.   Many great wellness tools are available from NIH and other government sources at little or no cost including the newly released NIH and the Weight of the Nation resources just made available by NIH here.
 
Project COPE: Coalition On Patient Empowerment & Coalition For Responsible Health Care Quality

Project COPE: Coalition on Patient Empowerment & the Coalition for Responsible Health Care Quality  are coalitions of individuals and organizations that share the belief that every American and American organization has a stake, and something to contribute to our ability to find and implement the best options for ensuring that the U.S. health care system provides quality, affordable health care.

Health care impacts every individual and every organization in America.  Consequently, every American citizen and organization including but not limited to health care providers, employers, insurer, and community organizations should take part.    The government, health care providers, insurers and community organizations can help by providing education and resources to make understanding and dealing with the realities of illness, disability or aging easier for a patient and their family, the affected employers and others. At the end of the day, however, caring for people requires the human touch.  Americans can best improve health care by not waiting for someone else to step up or speak up. 

Project COPE urges and invites each individual and organization speak up to help communicate and act to make health care work for themselves, their families and others when you can and share your input to help preserve and continue to develop real meaningful improvements to our health care system by joining Project COPE: Coalition for Patient Empowerment here by sharing ideas, tools and other solutions and other resources. 

Other Helpful Resources & Other Information

We hope that this information is useful to you.   If you found these updates of interest, you also be interested in one or more of the following other recent articles published on the Coalition for Responsible Health Care Reform electronic publication available here, our electronic Solutions Law Press Health Care Update publication available here, or our HR & Benefits Update electronic publication available here . 

Wellness is a culture.   While the resources and advice of consultants and bells and whistles can be helpful sometimes, the inability to afford them doesn’t mean that your organization or group can’t have a healthy and effective wellness program. 
 
The key to promoting wellness in your workplace, organization or community is to promote a culture of healthy eating, movement and lifestyles.  Establish the culture by leading the way.  Make healthy food choices available at meetings.  Require or encourage your leadership to model good eating behavior.  Have a healthy pot luck and challenge employees to bring and share their tastiest, healthy dish.   
 
Encourage leaders and employees and others to incorporate movement into the day.  Walking meetings and other inexpensive activities can help promote health with very little expense.  Encourage employees to walk in walk-a-thons, participate in running groups, participate in sports leagues or other similar activities.
 
Don’t overlook the wealth of available free resources.  Project COPE”s Play For Life Program relies upon a host of free often government provided resources.   Many great wellness tools are available from NIH and other government sources at little or no cost including the newly released NIH and the Weight of the Nation resources just made available by NIH here.
 
The key to wellness is getting started and keeping going.   Making healthy living part of your culture can pay big benefits in health and absentee savings, increased productivity and workforce retention.  What are you waiting for?  Get moving!
Other Helpful Resources & Other Information
 
We hope that this information is useful to you.   If you found these updates of interest, you also be interested in one or more of the following other recent articles published on the Coalition for Responsible Health Care Reform electronic publication available here, our electronic Solutions Law Press Health Care Update publication available here, or our HR & Benefits Update electronic publication available here . 

For Help or More Information

If you need help reviewing and updating, administering or defending your group health or other employee benefit, human resources, insurance, health care matters or related documents or practices, please contact the author of this update, Cynthia Marcotte Stamer.

A Fellow in the American College of Employee Benefit Council, immediate past Chair of the American Bar Association (ABA) RPTE Employee Benefits & Other Compensation Group and current Co-Chair of its Welfare Benefit Committee, Vice-Chair of the ABA TIPS Employee Benefits Committee, a council member of the ABA Joint Committee on Employee Benefits, and past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, Ms. Stamer is recognized, internationally, nationally and locally for her more than 24 years of work, advocacy, education and publications on cutting edge health and managed care, employee benefit, human resources and related workforce, insurance and financial services, and health care matters. 

A board certified labor and employment attorney widely known for her extensive and creative knowledge and experienced with these and other employment, employee benefit and compensation matters, Ms. Stamer continuously advises and assists employers, employee benefit plans, their sponsoring employers, fiduciaries, insurers, administrators, service providers, insurers and others to monitor and respond to evolving legal and operational requirements and to design, administer, document and defend medical and other welfare benefit, qualified and non-qualified deferred compensation and retirement, severance and other employee benefit, compensation, and human resources, management and other programs and practices tailored to the client’s human resources, employee benefits or other management goals.  A primary drafter of the Bolivian Social Security pension privatization law, Ms. Stamer also works extensively with management, service provider and other clients to monitor legislative and regulatory developments and to deal with Congressional and state legislators, regulators, and enforcement officials concerning regulatory, investigatory or enforcement concerns. 

Recognized in Who’s Who In American Professionals and both an American Bar Association (ABA) and a State Bar of Texas Fellow, Ms. Stamer serves on the Editorial Advisory Board of Employee Benefits News, the editor and publisher of Solutions Law Press HR & Benefits Update and other Solutions Law Press Publications, and active in a multitude of other employee benefits, human resources and other professional and civic organizations.   She also is a widely published author and highly regarded speaker on these matters. Her insights on these and other matters appear in the Bureau of National Affairs, Spencer Publications, the Wall Street Journal, the Dallas Business Journal, the Houston Business Journal, Modern and many other national and local publications.   You can learn more about Ms. Stamer and her experience, review some of her other training, speaking, publications and other resources, and register to receive future updates about developments on these and other concerns from Ms. Stamer here.

Other Resources

If you found this update of interest, you also may be interested in reviewing some of the other updates and publications authored by Ms. Stamer available including:

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press resources available at ww.solutionslawpress.com

THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS.  ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.

©2012 Cynthia Marcotte Stamer, P.C.  Non-exclusive license to republish granted to Solutions Law Press.  All other rights reserved.

Comments Off on Making Wellness Work On A Shoestring Budget | Claims Administration, Employee Benefits, Employers, ERISA, Health Plans, Mental Health, Mental Health Parity, Retirement Plans, Tax | Tagged: , , , , , , , , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

Review & Update Health Plan Mental Health Coverage As DOL Supplements Guidance On Health Plan Mental Health Parity Rules

May 23, 2012

Group health plans and health insurers subject to the mental health parity requirements of the Paul Wellstone and Pete Domenici Mental Health Parity and Addiction Equity Act of 2008 (MHPAEA) have extra guidance about the effect of these requirements on utilization management and copayment requirements.  As the Labor Department and other federal agencies celebrate Mental Health Awareness Month, plan sponsors, administrators and fiduciaries should review and update their plans to comply with the current requirements and tighten administration and other documentation to position decisions for defensibility against growing scrutiny.

In conjunction with its marking of Mental Health Awareness month in May, the Department of Labor’s Employee Benefits Security Administration (EBSA) recently updated its guidance and resources about the MHPAEA.  The updated resources include:

  • New Mental Health Parity webpage, available here; and
  • Understanding (and Common Misunderstandings Related to) Implementation of the Mental Health Parity and Addiction Equity Act of 2008, available here.

This new guidance supplements a growing list of guidance concerning the interpretation and enforcement of the MHPAEA by the U.S. Departments of Health and Human Services (HHS), Labor and the Treasury (the Departments).  On November 17, 2011, the Departments jointly published more FAQs that share insights on how the MHPAEA requirements impact certain common copayments and utilization review arrangements historically used by plans and insurers.  The new FAQ guidance here provides more clarification about the meaning of the interim final rules implementing MHPAEA the Departments jointly issued on February 2, 2010, and earlier FAQ guidance published on June 30, 2010 and December 22, 2010 as applied to these practices.

For group health insurers and group health plans subject to its provisions, MHPAEA generally requires that insurer or plan:

  • Cannot impose financial requirements and treatment limitations on mental health and substance use disorder benefits that are more restrictive than the predominant financial requirements and treatment limitations that apply to substantially all medical and surgical benefits; and
  • Cannot impose separate financial requirements or treatment limitations that are applicable only to mental health or substance use disorder benefits.

Insurers, plan sponsors, fiduciaries and administrators also should consider the potential implications of various other federal requirements on the design and administration of mental health and substance abuse coverage and benefits under their programs.   For example, the express reference to mental health and substance abuse benefits as included within the definition of “essential benefits” for purposes of the Affordable Care Act requires additional consideration of the effect of the Affordable Care Act’s annual and lifetime limit and other mandates relating to essential benefit coverage be evaluated and addressed.  In addition, specific attention should be devoted to the potential effects of the Affordable Care Act’s independent review and other rules concerning the processing and payment of health benefit claims by non-grandfathered health plans.

Along with considering the potential implications of these emerging requirements, health insurers, group health plans and those involved in their design and administration also should verify that their eligibility and other program terms or practices do not inappropriately violate the nondiscrimination rules of laws such as the Americans with Disabilities Act, the Health Insurance Portability & Accountability Act, the Genetic Information Nondiscrimination Act or other laws and that their plan and those involved in its administration are properly safeguarding the confidentiality of sensitive information about mental health , substance abuse or other health information about covered persons or their family.   Learn more here.

For Help or More Information

If you need help reviewing and updating, administering or defending your group health or other employee benefit, human resources, insurance, health care matters or related documents or practices, please contact the author of this update, Cynthia Marcotte Stamer.

A Fellow in the American College of Employee Benefit Council, immediate past Chair of the American Bar Association (ABA) RPTE Employee Benefits & Other Compensation Group and current Co-Chair of its Welfare Benefit Committee, Vice-Chair of the ABA TIPS Employee Benefits Committee, a council member of the ABA Joint Committee on Employee Benefits, and past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, Ms. Stamer is recognized, internationally, nationally and locally for her more than 24 years of work, advocacy, education and publications on cutting edge health and managed care, employee benefit, human resources and related workforce, insurance and financial services, and health care matters. 

A board certified labor and employment attorney widely known for her extensive and creative knowledge and experienced with these and other employment, employee benefit and compensation matters, Ms. Stamer continuously advises and assists employers, employee benefit plans, their sponsoring employers, fiduciaries, insurers, administrators, service providers, insurers and others to monitor and respond to evolving legal and operational requirements and to design, administer, document and defend medical and other welfare benefit, qualified and non-qualified deferred compensation and retirement, severance and other employee benefit, compensation, and human resources, management and other programs and practices tailored to the client’s human resources, employee benefits or other management goals.  A primary drafter of the Bolivian Social Security pension privatization law, Ms. Stamer also works extensively with management, service provider and other clients to monitor legislative and regulatory developments and to deal with Congressional and state legislators, regulators, and enforcement officials concerning regulatory, investigatory or enforcement concerns. 

Recognized in Who’s Who In American Professionals and both an American Bar Association (ABA) and a State Bar of Texas Fellow, Ms. Stamer serves on the Editorial Advisory Board of Employee Benefits News, the editor and publisher of Solutions Law Press HR & Benefits Update and other Solutions Law Press Publications, and active in a multitude of other employee benefits, human resources and other professional and civic organizations.   She also is a widely published author and highly regarded speaker on these matters. Her insights on these and other matters appear in the Bureau of National Affairs, Spencer Publications, the Wall Street Journal, the Dallas Business Journal, the Houston Business Journal, Modern and many other national and local publications.   You can learn more about Ms. Stamer and her experience, review some of her other training, speaking, publications and other resources, and register to receive future updates about developments on these and other concerns from Ms. Stamer here.

Other Resources

If you found this update of interest, you also may be interested in reviewing some of the other updates and publications authored by Ms. Stamer available including:

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press resources available at ww.solutionslawpress.com

THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS.  ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.

©2012 Cynthia Marcotte Stamer, P.C.  Non-exclusive license to republish granted to Solutions Law Press.  All other rights reserved.

Comments Off on Review & Update Health Plan Mental Health Coverage As DOL Supplements Guidance On Health Plan Mental Health Parity Rules | Claims Administration, Employee Benefits, Employers, ERISA, Health Plans, Mental Health, Mental Health Parity, Retirement Plans, Tax | Tagged: , , , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

Latest $100,000 HIPAA Resolution Agreement Nails Physician Group,

April 17, 2012

The $100,000 settlement with an Arizona-based physician group announced today by the Department of Health & Human Services (HHS) Office of Civil Rights (OCR) under the Health Insurance Portability & Accountability Act of 1996 (HIPAA) demonstrates the need for all health care providers, health plans, health care clearinghouses (covered entities) and their business associates to maintain appropriate HIPAA compliance and risk management procedures and documentation.

Arizona-based Phoenix Cardiac Surgery, P.C. (PCS) will pay the U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) a $100,000 settlement and take corrective action to implement policies and procedures to safeguard the protected health information of its patients to settle OCR charges PCS violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. Health care providers and other HIPAA-covered entities should heed the PSC and other recent settlements as the latest signal of the risks that health care providers and other covered entities run by failing to adequately implement and administer appropriate HIPAA compliance practices.

The PCS settlement follows an extensive OCR investigation of a report that PCS posted clinical and surgical appointments for its patients on a publically accessible Internet-based calendar. Among other things, the Resolution Agreement documenting the PCS settlement states that OCR’s investigation found that the persistent failure by PCS to adopt HIPAA required policies and safeguards, maintain required business associate agreements, and conduct necessary workforce training resulted in the prohibited posting of more than 1,000 separate entries of ePHI on a publicly accessible, Internet-based calendar and business associates improperly receiving and maintaining PHI and ePHI without the protection of required business associate agreements.

Under the PCS HHS Resolution Agreement available here, PCS will pay a $100,000 settlement amount and a corrective action plan that includes a review of recently developed policies and other actions taken to come into full compliance with the Privacy and Security Rules. Like the $1,500,000 Blue Cross Blue Shield of Tennessee (BCBST) Resolution Agreement announced last month, the PCS shows OCR’s readiness to sanction health care providers and other covered entities of all sizes for violations of HIPAA.

Enforcement Actions Highlight Growing HIPAA Exposures For Covered Entities

Like the BCBST Resolution Agreement and other previously announced OCR Resolution Agreements, the PCS provides more evidence of the growing exposures that health care providers, health plans, health care clearinghouses and their business associates need to carefully and appropriately manage their HIPAA responsibilities. See $1.5 Million HIPAA Settlement Reached To Resolve 1st OCR Enforcement Action Prompted By HITECH Act Breach Report; HIPAA Heats Up: HITECH Act Changes Take Effect & OCR Begins Posting Names, Other Details Of Unsecured PHI Breach Reports On Website. Covered entities are urged to heed these warning by strengthening their HIPAA compliance and adopting other suitable safeguards to minimize HIPAA exposures.

In the face of rising enforcement and fines, OCR’s initiation of HIPAA audits and other recent developments, covered entities and their business associates should tighten privacy policies, breach and other monitoring, training and other practices to reduce potential HIPAA exposures in light of recently tightened requirements and new enforcement risks.

In response to these expanding exposures, all covered entities and their business associates should review critically and carefully the adequacy of their current HIPAA Privacy and Security compliance policies, monitoring, training, breach notification and other practices taking into consideration OCR’s investigation and enforcement actions, emerging litigation and other enforcement data; their own and reports of other security and privacy breaches and near misses, and other developments to determine if additional steps are necessary or advisable.

For more information about the PCS Resolution Agreement and HIPAA compliance and risk management tips, see here.

For Representation, Training & Other Resources

If you need assistance monitoring HIPAA and other health and health plan related regulatory policy or enforcement developments, or to review or respond to these or other health care or health IT related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer may be able to help.

Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 24 years experience advising health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers, health plans, their business associates and other health industry clients to establish and administer medical privacy and other compliance and risk management policies, to health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. She regularly designs and presents HIPAA and other risk management, compliance and other training for health plans, employers, health care providers, professional associations and others.

Scheduled to serve as the scribe for the ABA Joint Committee on Employee Benefits agency meeting with OCR, Ms. Stamer also regularly works with OCR and other agencies, publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. For instance, Ms. Stamer for the second year will serve as the appointed scribe for the ABA Joint Committee on Employee Benefits Agency meeting with OCR. Her insights on HIPAA risk management and compliance frequently appear in medical privacy related publications of a broad range of health care, health plan and other industry publications Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others.

You can get more information about her HIPAA and other experience here.

If you need assistance with these or other compliance concerns, wish to inquire about arranging for compliance audit or training, or need legal representation on other matters please contact Ms. Stamer at (469) 767-8872 or via e-mail here.

You can review other recent publications and resources and additional information about the other experience of Ms. Stamer here. Examples of some recent publications that may be of interest include:

DC Court Enjoins Implementation of NLRB Poster Rule

Orthofix Medical Device Exec Awaits Sentencing After Pleading Guilty To Violating Anti-Kickback Law

Health Care Providers Also Should Guard Against Rising Exposures To State Health Care Fraud & Other Enforcement Risks

Director of Texas Office of e-Health Coodination To Discuss Texas HIE Strategy in 3/14 HHS Sponsored Teleconference

Halfway House Owner Gets 24 Months Imprisonment For Health Care Fraud & Kickback Conviction

Health Plans Should Act Quickly To Prepare Affordable Care Act Required Summary of Benefits & Communications & Update Other Health Plan Communications

NLRB Report Shows Rise In Unfair Labor Practice Complaints & Formal Proceedings

Sullivan University System to Pay $483,000 in Back Wages Overtime Violations Stemming From Worker Misclassifications

New DOL Final Rules Tighten Requirements For Employers To Hire Alien Workers Using H-2B Visas

OSHA $1Million Award Against AirTran Airways Highlights Retaliation Risks

HHS Chides Trustmark Life Insurance Company For “Excessive” Health Premium Increases After Affordable Care Act Rate Audit

Labor Department Final Rule Defines Recreation Vehicle For Longshore & Harbor Workers’ Compensation Act

Portion of Health Care Costs Paid By Government Programs Rose As Employer Provided & Other Private Health Care Coverage Declined In 2010

Help Careflite Celebrate New Facility 1/11

Careflite Dedicates New Facility January 11, 2012

Manufacturer’s Excessive I-9 Documentation Triggers Discrimination Liability

If you need help investigating or responding to a known or suspected compliance, litigation or enforcement or other risk management concern, assistance with reviewing, updating, administering or defending a current or proposed employment, employee benefit, compensation or other management practice, wish to inquire about federal or state regulatory compliance audits, risk management or training, or need legal representation on other matters please contact Ms Stamer here or at (469) 767-8872.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. For important information concerning this communication click here. If you do not wish to receive these updates in the future, send an e-mail with the word “Remove” in the Subject to here.

©2012 Cynthia Marcotte Stamer, P.C.  Non-exclusive right to republish granted to Solutions Law Press, Inc.   All rights reserved.

Comments Off on Latest $100,000 HIPAA Resolution Agreement Nails Physician Group, | Employers, Health Plans, HIPAA, Human Resources, Insurance | Tagged: , , , | Permalink
Posted by Cynthia Marcotte Stamer

Health Plan BCBST To Pay $1.5 Million In 1st OCR Enforcement Action Prompted By HITECH Breach Report

March 13, 2012

Resolution Agreement Also 1st Announced With Health Plan

Health plans and other covered entities beware and prepare!  Health plans and other covered entities that report large breaches of unsecured protected health information to the Department of Health & Human Services (HHS) Office of Civil Rights and face potential civil monetary penalties (CMPs) for violating the Privacy & Security Rules of the Health Insurance Portability & Accountability Act of 1996 (HIPAA). 

The HIPAA investigation and exposures to CMPs likely to result following the report of a large breach of unsecured protected health information is demonstrated by a new Resolution Agreement announced March 13, 2012 by OCR.

 Blue Cross Blue Shield of Tennessee (BCBST) has agreed to pay the U.S. Department of Health and Human Services (HHS) $1,500,000 and to take certain other actions specified in a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules.  The BCBST Resolution Agreement is particularly significant, both as:

  • The first reported enforcement action directly resulting from the filing by a covered entity of a breach report required by the Health Information Technology for Economic and Clinical Health (HITECH) Act Breach Notification Rule; and
  • The first reported resolution agreement reached with a covered entity that is a health plan.

These notable enforcement firsts prove both the importance  the HITECH Breach Notification Rule’s significance as an OCR HIPAA enforcement tool, and the readiness of OCR to sanction health plans that breach HIPAA’s Privacy or Security Rules.

The OCR investigation that lead to the BCBST settlement began in response to the submission by BCBST of a notice required under the Breach Notification Rule of the theft of 57 unencrypted computer hard drives from a leased facility in Tennessee, which contained the protected health information (PHI) of over 1 million individuals.  Read more details here.

The Breach Notification Rule requires covered entities to report an impermissible use or disclosure of protected health information, or a “breach,” of 500 individuals or more to HHS and the media as well as an annual consolidated report of smaller breeches to HHS.[1] 

To resolve being officially sanctioned for HIPAA violations stemming from these findings under the strengthened enforcement rules and sanctions enacted as part of the HITECH Act, BCBST has agreed to pay $1,500,000 and adopt other corrective actions detailed in a corrective action plan.

Enforcement Actions Highlight Growing HIPAA Exposures For Covered Entities

The BCBST Resolution Agreements, like the 1st-ever $4.3 million HIPAA CMP that OCR imposed against Cignet Health of Prince George’s County, Md. (Cignet) in 2011 and a series of high dollar Resolution Agreements OCR has announced against various health care providers over the past few years highlight the significance of the HITECH Act amendments to HIPAA’s enforcement and CMP rules, as well as use of  its Breach Notification Rule as a tool in OCR’s investigation and enforcement efforts.

“This settlement sends an important message that OCR expects health plans and health care providers to have in place a carefully designed, delivered, and monitored HIPAA compliance program,” said OCR Director Leon Rodriguez. “The HITECH Breach Notification Rule is an important enforcement tool and OCR will continue to vigorously protect patients’ right to private and secure health information.” 

BCBST’s breach notification report clearly prompted the investigation that lead to the Resolution Agreement.  The opening of the investigation in response to the BCBST Breach Notification report reflects the need for covered entities to be prepared to respond to an investigation when these reports are made.  OCR officials previously have stated that it is the practice of OCR to conduct an investigation into all breaches of the protected health information of 500 individuals or more reported to it under the Breach Notification Rule. 

The BCBST Resolution Agreement provides yet another reminder to covered entities and their business associates of the need to carefully and appropriately manage their HIPAA responsibilities. See HIPAA Heats Up: HITECH Act Changes Take Effect & OCR Begins Posting Names, Other Details Of Unsecured PHI Breach Reports On WebsiteCovered entities are urged to heed these warning by strengthening their HIPAA compliance and adopting other suitable safeguards to minimize HIPAA exposures.  For more tips, see here.

[1] The Breach Notification Rule also requires that covered entities report smaller breaches annually to OCR as part of a consolidated disclosure.

For Help or More Information

If you need help reviewing and updating, administering or defending your group health or other employee benefit, human resources, insurance, health care matters or related documents or practices, please contact the author of this update, Cynthia Marcotte Stamer.

A Fellow in the American College of Employee Benefit Council, immediate past Chair of the American Bar Association (ABA) RPTE Employee Benefits & Other Compensation Group and current Co-Chair of its Welfare Benefit Committee, Vice-Chair of the ABA TIPS Employee Benefits Committee, a council member of the ABA Joint Committee on Employee Benefits, and past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, Ms. Stamer is recognized, internationally, nationally and locally for her more than 24 years of work, advocacy, education and publications on cutting edge health and managed care, employee benefit, human resources and related workforce, insurance and financial services, and health care matters. 

A board certified labor and employment attorney widely known for her extensive and creative knowledge and experienced with these and other employment, employee benefit and compensation matters, Ms. Stamer continuously advises and assists employers, employee benefit plans, their sponsoring employers, fiduciaries, insurers, administrators, service providers, insurers and others to monitor and respond to evolving legal and operational requirements and to design, administer, document and defend medical and other welfare benefit, qualified and non-qualified deferred compensation and retirement, severance and other employee benefit, compensation, and human resources, management and other programs and practices tailored to the client’s human resources, employee benefits or other management goals.  A primary drafter of the Bolivian Social Security pension privatization law, Ms. Stamer also works extensively with management, service provider and other clients to monitor legislative and regulatory developments and to deal with Congressional and state legislators, regulators, and enforcement officials concerning regulatory, investigatory or enforcement concerns. 

Recognized in Who’s Who In American Professionals and both an American Bar Association (ABA) and a State Bar of Texas Fellow, Ms. Stamer serves on the Editorial Advisory Board of Employee Benefits News, the editor and publisher of Solutions Law Press HR & Benefits Update and other Solutions Law Press Publications, and active in a multitude of other employee benefits, human resources and other professional and civic organizations.   She also is a widely published author and highly regarded speaker on these matters. Her insights on these and other matters appear in the Bureau of National Affairs, Spencer Publications, the Wall Street Journal, the Dallas Business Journal, the Houston Business Journal, Modern and many other national and local publications.   You can learn more about Ms. Stamer and her experience, review some of her other training, speaking, publications and other resources, and register to receive future updates about developments on these and other concerns from Ms. Stamer here.

Other Resources

If you found this update of interest, you also may be interested in reviewing some of the other updates and publications authored by Ms. Stamer available including:

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press resources available at ww.solutionslawpress.com

THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS.  ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.

©2011 Cynthia Marcotte Stamer, P.C.  Non-exclusive license to republish granted to Solutions Law Press.  All other rights reserved.

Comments Off on Health Plan BCBST To Pay $1.5 Million In 1st OCR Enforcement Action Prompted By HITECH Breach Report | Claims Administration, Employee Benefits, Employers, ERISA, Health Plans, Mental Health, Mental Health Parity, Retirement Plans, Tax | Tagged: , , , , , , , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

Portion of Health Care Costs Paid By Government Programs Rose As Employer Provided & Other Private Health Care Coverage Declined In 2010

January 9, 2012
Declining enrollment in private insurance resulted in continuing growth in government financing of health care expenditures in 2010 according to the Annual Report of National Health Expenditures (Report).  The Report notes that since 2007, the economic recession and legislative changes led to a noticeable change in the shares of health care spending financed by businesses, households, and governments.
 
The federal government financed 29 percent of the nation’s health care spending in 2010, an increase of six percentage points from its share in 2007 of 23 percent, and reached $742.7 billion.  Part of that increase came from enhanced Federal matching funds for State Medicaid programs under the American Recovery & Reinvestment Act which expired in 2011.   
 
U.S. health care spending grew 3.9 percent in 2010 to $2.6 trillion or $8,402 per person according to the Report.   Review the details of the Report here.

National Health Expenditures 2010 Highlights

U.S. health care spending grew 3.9 percent in 2010.  Coupled with record slow growth of 3.8 percent in 2009; the 2009-2010 represents the two slowest rates of growth in the fifty-one year history of the National Health Expenditure Accounts.  The Report reflects the following breakdown of these expenditures;

  • Hospital Care: Hospital spending increased 4.9 percent to $814.0 billion in 2010 compared to 6.4-percent growth in 2009. Average annual growth in hospital spending between 2007 and 2010 was 5.5 percent. CMS reports this increase was slower than the trend between 2003 and 2006, when spending increased an average of 7.4 percent per year.  Growth in private health insurance spending for hospital services, which in 2010 accounted for 35 percent of all hospital care, slowed considerably in 2010.  The Report states that these trends occurred at the same time median inpatient hospital admissions declined and emergency department and outpatient hospital visits grew more slowly than in 2009.
  • Physician and Clinical Services: Spending on physician and clinical services increased 2.5 percent in 2010 to $515.5 billion, a deceleration from 3.3-percent growth in 2009. The 2010 deceleration reflects a decline in utilization, driven by a drop in total physician visits between 2009 and 2010 and a less severe flu season than in 2009.
  • Other Professional Services: Spending for other professional services, which includes providers of services such as physical therapy, chiropractic medicine, and mental health, decelerated slightly in 2010, increasing 3.6 percent to $68.4 billion after growth of 3.8 percent in 2009.
  • Dental Services: Spending for dental services increased 2.3 percent in 2010 to $104.8 billion compared to growth of only 0.1 percent in 2009. Out-of-pocket spending for dental services (which accounts for over 40 percent of dental spending) increased 0.5 percent in 2010 following a decline of 5.2 percent in 2009.
  • Other Health, Residential, and Personal Care Services: Spending for other health, residential, and personal care services grew 5.3 percent in 2010 to $128.5 billion, a deceleration from growth of 7.7 percent in 2009. This category includes expenditures for medical services delivered in non-traditional settings (such as schools or community centers), ambulance providers, and residential mental health and substance abuse facilities.
  • Home Health Care: Spending growth for freestanding home health care services slowed in 2010, increasing 6.2 percent to $70.2 billion following growth of 7.5 percent in 2009, as Medicare and Medicaid spending growth slowed in 2010.
  • Nursing Care Facilities and Continuing Care Retirement Communities: Spending for freestanding nursing care facilities and continuing care retirement communities increased 3.2 percent in 2010 to $143.1 billion, a deceleration from growth of 4.5 percent in 2009, driven by slower growth in Medicare and Medicaid spending.
  • Prescription Drugs: Retail prescription drug spending grew only 1.2 percent to $259.1 billion in 2010, a substantial slowdown from 5.1-percent growth in 2009. The slowdown was driven by slower growth in the volume of drugs consumed, a continued increase in the use of generic medications, loss of patent protection for certain brand name drugs, fewer new drug introductions, and a substantial increase in Medicaid prescription drug rebates.
  • Durable Medical Equipment: Spending for durable medical equipment, which includes items such as eyeglasses, contacts and hearing aids, increased 7.3 percent to $37.7 billion in 2010 after increasing 0.8 percent in 2009.
  • Other Non-durable Medical Products: Spending for other non-durable medical products, such as over-the-counter medicines, reached $44.8 billion, an increase of 2.6 percent in 2010, the same rate of growth as in 2009.

 Health Spending by Major Sources of Funds

The Report indicates that the portion of health care expenditures financed by private health insurance continued to decline as private health plan enrollment declined.  As a result, the proportion of health care expenditures paid by government programs continued to rise.  The federal government financed 29 percent of total health spending in 2010, a substantial increase from its share of 23 percent in 2007. Meanwhile, the shares of the total health care bill financed by state and local governments (16 percent), private businesses (21 percent), and households (28 percent) declined during the same time period.  Specifically, the Report indicates the following:

  • Medicare: Medicare spending grew 5.0 percent in 2010 to $524.6 billion, a deceleration from growth of 7.0 percent in 2009. Spending for fee-for-service (FFS) Medicare grew 5.0 percent in 2010 following growth of 4.5 percent in 2009. Medicare Advantage (MA) spending increased 4.7 percent in 2010, a steep deceleration from 15.6-percent growth in 2009 that resulted from an adjustment to payment rates in 2010.
  • Medicaid: Total Medicaid spending grew 7.2 percent in 2010 to $401.4 billion, a deceleration from 8.9-percent growth in 2009, driven primarily by slower growth in enrollment. Federal Medicaid expenditures increased 8.9 percent, while state Medicaid expenditures grew 3.9 percent. This difference in growth was due to approximately $41 billion in enhanced federal aid to states—a result of increased Federal Medical Assistance Percentages (FMAP) mandated by the American Recovery and Reinvestment Act of 2009 (ARRA).
  • Private Health Insurance: Growth in total spending for private health insurance premiums slowed in 2010 to 2.4 percent from 2.6 percent in 2009, continuing a deceleration that began in 2003. Growth in aggregate benefit payments also slowed, from 3.7 percent in 2009 to 1.6 percent in 2010. The slowdown reflects a decline in private health insurance enrollment, increases in cost sharing, and a shift by some consumers to plans with lower premiums. However, for the first time in seven years, growth in total premiums exceeded growth in total benefits; as a result, the private health insurance net cost ratio increased from 11.4 percent in 2009 to 12.1 percent in 2010.
  • Out-of-Pocket: Out-of-pocket spending grew 1.8 percent in 2010, an acceleration from growth of 0.2 percent in 2009. Faster growth in 2010 partially reflects higher cost-sharing requirements for some employers, consumers’ switching to plans with lower premiums and higher deductibles and/or copayments, and the continued loss of health insurance coverage.

The Report found household health care spending equaled $725.5 billion in 2010 and represented 28 percent of total health spending, slightly lower than its 29 percent share in 2007.  Growth in total private health insurance premiums slowed in 2010 to 2.4 percent from 2.6 percent in 2009, continuing a slowdown that began in 2003.  Despite this deceleration, for the first time in seven years, the growth in premiums exceeded the growth in insurer spending on health care benefits, with the net cost of insurance increasing by 8.4 percent or $11.3 billion in 2010. Out-of-pocket spending by consumers increased 1.8 percent in 2010, accelerating from 0.2-percent growth in 2009. 

The state and local government share of total health spending declined from 18 percent in 2007 to 16 percent in 2010 and totaled $421.1 billion, in part due to the temporary assistance in the Recovery Act.

 Project COPE: Coalition On Patient Empowerment & Coalition For Responsible Health Care Quality

Project COPE: Coalition on Patient Empowerment & the Coalition for Responsible Health Care Quality  are coalitions of individuals and organizations that share the belief that every American and American organization has a stake, and something to contribute to our ability to find and implement the best options for ensuring that the U.S. health care system provides quality, affordable health care.

Health care impacts every individual and every organization in America.  Consequently, every American citizen and organization including but not limited to health care providers, employers, insurer, and community organizations should take part.    The government, health care providers, insurers and community organizations can help by providing education and resources to make understanding and dealing with the realities of illness, disability or aging easier for a patient and their family, the affected employers and others. At the end of the day, however, caring for people requires the human touch.  Americans can best improve health care by not waiting for someone else to step up or speak up. 

Project COPE urges and invites each individual and organization speak up to help communicate and act to make health care work for themselves, their families and others when you can and share your input to help preserve and continue to develop real meaningful improvements to our health care system by joining Project COPE: Coalition for Patient Empowerment here by sharing ideas, tools and other solutions and other resources. 

For Help or More Information

If you need help reviewing and updating, administering or defending your group health or other employee benefit, human resources, insurance, health care matters or related documents or practices, please contact the author of this update, Cynthia Marcotte Stamer.

A Fellow in the American College of Employee Benefit Council, immediate past Chair of the American Bar Association (ABA) RPTE Employee Benefits & Other Compensation Group and current Co-Chair of its Welfare Benefit Committee, Vice-Chair of the ABA TIPS Employee Benefits Committee, a council member of the ABA Joint Committee on Employee Benefits, and past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, Ms. Stamer is recognized, internationally, nationally and locally for her more than 24 years of work, advocacy, education and publications on cutting edge health and managed care, employee benefit, human resources and related workforce, insurance and financial services, and health care matters. 

A board certified labor and employment attorney widely known for her extensive and creative knowledge and experienced with these and other employment, employee benefit and compensation matters, Ms. Stamer continuously advises and assists employers, employee benefit plans, their sponsoring employers, fiduciaries, insurers, administrators, service providers, insurers and others to monitor and respond to evolving legal and operational requirements and to design, administer, document and defend medical and other welfare benefit, qualified and non-qualified deferred compensation and retirement, severance and other employee benefit, compensation, and human resources, management and other programs and practices tailored to the client’s human resources, employee benefits or other management goals.  A primary drafter of the Bolivian Social Security pension privatization law, Ms. Stamer also works extensively with management, service provider and other clients to monitor legislative and regulatory developments and to deal with Congressional and state legislators, regulators, and enforcement officials concerning regulatory, investigatory or enforcement concerns. 

Recognized in Who’s Who In American Professionals and both an American Bar Association (ABA) and a State Bar of Texas Fellow, Ms. Stamer serves on the Editorial Advisory Board of Employee Benefits News, the editor and publisher of Solutions Law Press HR & Benefits Update and other Solutions Law Press Publications, and active in a multitude of other employee benefits, human resources and other professional and civic organizations.   She also is a widely published author and highly regarded speaker on these matters. Her insights on these and other matters appear in the Bureau of National Affairs, Spencer Publications, the Wall Street Journal, the Dallas Business Journal, the Houston Business Journal, Modern and many other national and local publications.   You can learn more about Ms. Stamer and her experience, review some of her other training, speaking, publications and other resources, and register to receive future updates about developments on these and other concerns from Ms. Stamer here.

Other Resources

If you found this update of interest, you also may be interested in reviewing some of the other updates and publications authored by Ms. Stamer available including:

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press resources available at ww.solutionslawpress.com

THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS.  ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.

©2011 Cynthia Marcotte Stamer, P.C.  Non-exclusive license to republish granted to Solutions Law Press.  All other rights reserved.

Comments Off on Portion of Health Care Costs Paid By Government Programs Rose As Employer Provided & Other Private Health Care Coverage Declined In 2010 | Claims Administration, Employee Benefits, Employers, ERISA, Health Plans, Mental Health, Mental Health Parity, Retirement Plans, Tax | Tagged: , , , , , , , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

Senator Tells IRS To Fix Proposed Health Care Exchange Premium Tax Credit Regulations

December 16, 2011

U.S. Senator Orrin Hatch (R-Utah), Ranking Member of the Senate Finance Committee, says the premium subsidy provisions of the Patient Protection & Affordable Care act (Affordable Care Act) does not authorize the Internal Revenue Service (IRS) to allow individuals purchasing coverage through a federal health insurance exchange to receive the tax credits and subsidies authorized under new Internal Revenue Code § 36B to offset the cost of being mandated to buy health insurance created under Affordable Care Act Section 1311.  

As created under the Affordable Care Act, Internal Revenue Code (Code) § 36B grates a refundable tax credit for certain individuals purchasing qualifying health insurance coverage from a qualified health plan.  According to Senator Hatch, IRS proposed regulations here to implement Code § 36B would violate its provisions by allowing individuals that buy coverage through federal exchanges to claim premium tax credits because the express language of the statute only calls for amounts paid for coverage from “State” exchanges to count when calculating the amount of the credit.  Read more details here.

For Help or More Information

If you need help reviewing and updating, administering or defending your group health or other employee benefit, human resources, insurance, health care matters or related documents or practices, please contact the author of this update, Cynthia Marcotte Stamer.

A Fellow in the American College of Employee Benefit Council, immediate past Chair of the American Bar Association (ABA) RPTE Employee Benefits & Other Compensation Group and current Co-Chair of its Welfare Benefit Committee, Vice-Chair of the ABA TIPS Employee Benefits Committee, a council member of the ABA Joint Committee on Employee Benefits, and past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, Ms. Stamer is recognized, internationally, nationally and locally for her more than 24 years of work, advocacy, education and publications on cutting edge health and managed care, employee benefit, human resources and related workforce, insurance and financial services, and health care matters. 

A board certified labor and employment attorney widely known for her extensive and creative knowledge and experienced with these and other employment, employee benefit and compensation matters, Ms. Stamer continuously advises and assists employers, employee benefit plans, their sponsoring employers, fiduciaries, insurers, administrators, service providers, insurers and others to monitor and respond to evolving legal and operational requirements and to design, administer, document and defend medical and other welfare benefit, qualified and non-qualified deferred compensation and retirement, severance and other employee benefit, compensation, and human resources, management and other programs and practices tailored to the client’s human resources, employee benefits or other management goals.  A primary drafter of the Bolivian Social Security pension privatization law, Ms. Stamer also works extensively with management, service provider and other clients to monitor legislative and regulatory developments and to deal with Congressional and state legislators, regulators, and enforcement officials concerning regulatory, investigatory or enforcement concerns. 

Recognized in Who’s Who In American Professionals and both an American Bar Association (ABA) and a State Bar of Texas Fellow, Ms. Stamer serves on the Editorial Advisory Board of Employee Benefits News, the editor and publisher of Solutions Law Press HR & Benefits Update and other Solutions Law Press Publications, and active in a multitude of other employee benefits, human resources and other professional and civic organizations.   She also is a widely published author and highly regarded speaker on these matters. Her insights on these and other matters appear in the Bureau of National Affairs, Spencer Publications, the Wall Street Journal, the Dallas Business Journal, the Houston Business Journal, Modern and many other national and local publications.   You can learn more about Ms. Stamer and her experience, review some of her other training, speaking, publications and other resources, and register to receive future updates about developments on these and other concerns from Ms. Stamer here.

Other Resources

If you found this update of interest, you also may be interested in reviewing some of the other updates and publications authored by Ms. Stamer available including:

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press resources available at ww.solutionslawpress.com

THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS.  ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.

©2011 Cynthia Marcotte Stamer, P.C.  Non-exclusive license to republish granted to Solutions Law Press.  All other rights reserved.

Comments Off on Senator Tells IRS To Fix Proposed Health Care Exchange Premium Tax Credit Regulations | Claims Administration, Employee Benefits, Employers, ERISA, Health Plans, Mental Health, Mental Health Parity, Retirement Plans, Tax | Tagged: , , , , , , , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

New Guidance On Fiduciary Duties In Handling ACA Group Health Plan Premium Rebates Highlight Advisability Of Tightening Funding Terms & Fund Handling Practices To Manage Fiduciary Risks

December 13, 2011

Group health plan sponsors and fiduciaries need to exercise care to properly handle any premium rebates, if any, received by from insurers to comply with the medical loss ratio rules enacted as part of the Patient Protection and Affordable Care Act (Affordable Care Act) to avoid violating the plan assets and other fiduciary responsibility rules of the Employee Retirement Income Security Act of 1974 (ERISA), according to Technical Release No. 2011-04, Technical Release on Fiduciary Requirements for Handling Medical Loss Ratio (MLR) Rebates (“Technical Release”) published December 2, 2011.

As amended by the Affordable Care, Section 2718 of the Public Health Service Act (PHSA) requires that health insurance issuers:

  • Publicly report on major categories of spending of policyholder premium dollars, such as clinical services provided to enrollees and activities that will improve health care quality;
  • Establishes medical loss ratio (MLR) standards for issuers; and
  • Requires issuers to provide rebates to enrollees when their spending for the benefit of policyholders on reimbursement for clinical services and health care quality improving activities, in relation to the premiums charged (as adjusted for taxes), is less than the MLR standards.

Employers or other sponsors that are group policyholders on insurance contracts covered by the MLR rules are likely to receive any rebates due because Department of Health and Human Services (HHS) final regulations implementing these MLR requirements published December 7, 2011 require issuers to pay any MLR rebates “to the policyholder.”  

In anticipation insurers’ payment of these rebates, the Employee Benefit Security Administration (EBSA) is cautioning employers and other ERISA-covered group health plan sponsors and plan fiduciaries that premium rebates received from an insurer pursuant to these HHS MLB regulations may be plan assets required to be handled in accordance with ERISA’s plan assets and other fiduciary responsibility rules.

In the December 2, 2011 Technical Release, EBSA reminds plan sponsors and fiduciaries that premium rebates distributed pursuant to the Affordable Care Act’s MLR standards with respect to a group health plan are likely to be plan assets protected by ERISA’s fiduciary responsibility rules.  Accordingly, the Technical Release cautions that plan sponsors or other parties receiving or exercising discretion over the rebated amounts that are ERISA plan assets generally should see that rebated amounts are handled in accordance with the fiduciary responsibility and trust requirements generally applicable to ERISA plan assets.

Determination whether the premium rebate is a plan asset generally requires a careful evaluation of whether the plan has a beneficial interest in the rebate and certain other factors.  According to the Technical Release, a distribution such as the rebate to a group health plan will be a plan asset if the plan has a beneficial interest in the distribution under ordinary notions of property rights.  While the identity of the policyholder – the employer or other plan sponsor versus a trust or plan – is one important consideration, the Technical Release warns that this is not the only factor.

The Technical Release says the fact that the employer is the policyholder or the owner of the policy would not, by itself, indicate that the employer may retain the distributions. Rather, determining who is entitled to the distribution requires careful analysis of a broad range of factors including:

  • The terms of the governing plan documents;
  • The funding sources of the policy;
  • The parties’ understandings and representations; and
  • Other relevant facts and circumstances.

If the rebate is an ERISA plan asset, employers or others receiving a premium rebate payment and others with discretion over the use and handling of the rebate should take steps to ensure that they can demonstrate the rebate is handled and expended in accordance with ERISA’s fiduciary responsibility requirements. Among other things, this means that rebated amounts should be:

  • Held in trust unless the plan fiduciaries verify that an exception applies;
  • Used only for the exclusive purpose of providing benefits to participants in the plan and their beneficiaries and defraying reasonable expenses of administering the plan;
  • Handled in accordance with the fiduciary responsibility provisions of ERISA section 404 and the prohibited transaction provisions of ERISA section 406;
  • Held in trust in accordance with ERISA section 403; and
  • Not allowed to inure to the benefit of any employer.

The Technical Release reminds plan sponsors and administrators that if the rebate is a plan asset, decisions about and actions taken to deposit in trust, allocate, apply, spend and other aspects of handling the plan’s portion of a rebate generally are subject to ERISA’s general standards of fiduciary conduct, prohibited transaction and trust requirements.  The Technical Release also provides guidance about allocation of the rebate under certain circumstances and certain other questions that are likely to arise in connection with the receipt of a rebate.  Insurers, brokers, consultants and others working with employers or other plan sponsors, administrators, or fiduciaries who may receive a rebate or otherwise involved in making funding decisions also may want to discuss the guidance and other fiduciary responsibility rules with their clients to help promote understanding and compliance.

Because violations of ERISA’s fiduciary responsibility rules can create personal liability, employer and other plan sponsors, plan fiduciaries and others participating in decisions or administration of a rebate exercise care in dealing with any rebate.  Many plan sponsors also may want to consider reviewing and tightening as warranted existing plan, trust, insurance policy, plan communications and other documentation to lower risks and promote desired characterization of rebates and other amounts paid into or with respect to their plans. 

For Help or More Information

If you need help reviewing and updating, administering or defending your group health or other employee benefit, human resources, insurance, health care matters or related documents or practices or with other employee benefits, human resources, health care or insurance matters, please contact the author of this update, Cynthia Marcotte Stamer.

A Fellow in the American College of Employee Benefit Council, immediate past Chair of the American Bar Association (ABA) RPTE Employee Benefits & Other Compensation Group and current Co-Chair of its Welfare Benefit Committee, Vice-Chair of the ABA TIPS Employee Benefits Committee, a council member of the ABA Joint Committee on Employee Benefits, and past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, Ms. Stamer is recognized, internationally, nationally and locally for her more than 24 years of work, advocacy, education and publications on leading health and managed care, employee benefit, human resources and related workforce, insurance and financial services, and health care matters. 

A board certified labor and employment attorney widely known for her extensive and creative knowledge and experienced with these and other employment, employee benefit and compensation matters, Ms. Stamer continuously advises and assists employers, employee benefit plans, their sponsoring employers, fiduciaries, insurers, administrators, service providers, insurers and others to monitor and respond to evolving legal and operational requirements and to design, administer, document and defend medical and other welfare benefit, qualified and non-qualified deferred compensation and retirement, severance and other employee benefit, compensation, and human resources, management and other programs and practices tailored to the client’s human resources, employee benefits or other management goals.  A primary drafter of the Bolivian Social Security pension privatization law, Ms. Stamer also works extensively with management, service provider and other clients to monitor legislative and regulatory developments and to deal with Congressional and state legislators, regulators, and enforcement officials about regulatory, investigatory or enforcement concerns. 

Recognized in Who’s Who In American Professionals and both an American Bar Association (ABA) and a State Bar of Texas Fellow, Ms. Stamer serves on the Editorial Advisory Board of Employee Benefits News, the editor and publisher of Solutions Law Press HR & Benefits Update and other Solutions Law Press Publications, and active in a multitude of other employee benefits, human resources and other professional and civic organizations.   She also is a widely published author and highly regarded speaker on these matters. Her insights on these and other matters appear in the Bureau of National Affairs, Spencer Publications, the Wall Street Journal, the Dallas Business Journal, the Houston Business Journal, Modern and many other national and local publications.   You can learn more about Ms. Stamer and her experience, review some of her other training, speaking, publications and other resources, and register to receive future updates about developments on these and other concerns from Ms. Stamer here.

Other Resources

If you found this update of interest, you also may be interested in reviewing some of the other updates and publications authored by Ms. Stamer available including:

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press resources available at ww.solutionslawpress.com

THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS.  ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.

©2011 Cynthia Marcotte Stamer, P.C.  Non-exclusive license to republish granted to Solutions Law Press.  All other rights reserved.

Comments Off on New Guidance On Fiduciary Duties In Handling ACA Group Health Plan Premium Rebates Highlight Advisability Of Tightening Funding Terms & Fund Handling Practices To Manage Fiduciary Risks | Claims Administration, Employee Benefits, Employers, ERISA, Health Plans, Mental Health, Mental Health Parity, Retirement Plans, Tax | Tagged: , , , , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

Mental Health Parity Guidance On Mental Health & Substance Abuse Copays, Utilization Management Limits Released

December 7, 2011

Group health plans and health insurers subject to the mental health parity requirements of the Paul Wellstone and Pete Domenici Mental Health Parity and Addiction Equity Act of 2008 (MHPAEA) have additional guidance about the effect of these requirements on utilization management and copayment requirements. 

The U.S. Departments of Health and Human Services (HHS), Labor and the Treasury (the Departments) on November 17, 2011 published additional FAQs that share insights on how the MHPAEA requirements impact certain common copayments and utilization review arrangements historically used by plans and insurers.  The new FAQ guidance here provides additional clarification about the meaning of the interim final rules implementing MHPAEA the Departments jointly issued on February 2, 2010, and previous FAQ guidance published on June 30, 2010 and December 22, 2010 as applied to these practices.

For group health insurers and group health plans subject to its provisions, MHPAEA generally requires that insurer or plan:

  • Cannot impose financial requirements and treatment limitations on mental health and substance use disorder benefits that are more restrictive than the predominant financial requirements and treatment limitations that apply to substantially all medical and surgical benefits; and
  • Cannot impose separate financial requirements or treatment limitations that are applicable only to mental health or substance use disorder benefits.

 The new FAQs share the Departments joint response to questions about their interpretation of the interim final rules on nonquantitative treatment limitations in various respects.  Among other things, the new FAQs reflect:

The new FAQs respond to various questions about the effect of the MHPAEA on various medical necessity and other utilization management practices that health plans and health insurers historically have applied mental health and substance abuse coverage’s. 

The FAQs generally reaffirm that group health plans and health insurers generally cannot apply stricter medical necessity or other utilization review for mental health or substance abuse treatments than the prevailing requirements generally applicable to medical surgical benefits under the plan or policy. 

The FAQ also provides insight into evidence that health insurers or health plan sponsors should consider and retain when designing fraud control or other medical management techniques to be defensible under the MHPAEA’s parity requirements.

Furthermore, the new FAQs also provide guidance about the viability and use of differences in clinical standards of care, length of stay, and other clinical standards to justify differences in the periods of coverage provided for mental and substance abuse coverage versus other types of treatments.

Finally, the FAQs also address when a group health plan or health insurer can require covered persons to pay a higher specialist copayment for mental health or substance abuse treatments than generally applies to care rendered to a non-specialist. 

Insurers, plan sponsors, fiduciaries and administrators also should consider the potential implications of various other federal requirements on the design and administration of mental health and substance abuse coverage and benefits under their programs.   For example, the express reference to mental health and substance abuse benefits as included within the definition of “essential benefits” for purposes of the Affordable Care Act requires additional consideration of the effect of the Affordable Care Act’s annual and lifetime limit and other mandates relating to essential benefit coverage be evaluated and addressed.  In addition, specific attention should be devoted to the potential effects of the Affordable Care Act’s independent review and other rules concerning the processing and payment of health benefit claims by non-grandfathered health plans.

Along with considering the potential implications of these emerging requirements, health insurers, group health plans and those involved in their design and administration also should verify that their eligibility and other program terms or practices do not inappropriately violate the nondiscrimination rules of laws such as the Americans with Disabilities Act, the Health Insurance Portability & Accountability Act, the Genetic Information Nondiscrimination Act or other laws and that their plan and those involved in its administration are properly safeguarding the confidentiality of sensitive information about mental health , substance abuse or other health information about covered persons or their family.   Learn more here.

For Help or More Information

If you need help reviewing and updating, administering or defending your group health or other employee benefit, human resources, insurance, health care matters or related documents or practices, please contact the author of this update, Cynthia Marcotte Stamer.

A Fellow in the American College of Employee Benefit Council, immediate past Chair of the American Bar Association (ABA) RPTE Employee Benefits & Other Compensation Group and current Co-Chair of its Welfare Benefit Committee, Vice-Chair of the ABA TIPS Employee Benefits Committee, a council member of the ABA Joint Committee on Employee Benefits, and past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, Ms. Stamer is recognized, internationally, nationally and locally for her more than 24 years of work, advocacy, education and publications on cutting edge health and managed care, employee benefit, human resources and related workforce, insurance and financial services, and health care matters. 

A board certified labor and employment attorney widely known for her extensive and creative knowledge and experienced with these and other employment, employee benefit and compensation matters, Ms. Stamer continuously advises and assists employers, employee benefit plans, their sponsoring employers, fiduciaries, insurers, administrators, service providers, insurers and others to monitor and respond to evolving legal and operational requirements and to design, administer, document and defend medical and other welfare benefit, qualified and non-qualified deferred compensation and retirement, severance and other employee benefit, compensation, and human resources, management and other programs and practices tailored to the client’s human resources, employee benefits or other management goals.  A primary drafter of the Bolivian Social Security pension privatization law, Ms. Stamer also works extensively with management, service provider and other clients to monitor legislative and regulatory developments and to deal with Congressional and state legislators, regulators, and enforcement officials concerning regulatory, investigatory or enforcement concerns. 

Recognized in Who’s Who In American Professionals and both an American Bar Association (ABA) and a State Bar of Texas Fellow, Ms. Stamer serves on the Editorial Advisory Board of Employee Benefits News, the editor and publisher of Solutions Law Press HR & Benefits Update and other Solutions Law Press Publications, and active in a multitude of other employee benefits, human resources and other professional and civic organizations.   She also is a widely published author and highly regarded speaker on these matters. Her insights on these and other matters appear in the Bureau of National Affairs, Spencer Publications, the Wall Street Journal, the Dallas Business Journal, the Houston Business Journal, Modern and many other national and local publications.   You can learn more about Ms. Stamer and her experience, review some of her other training, speaking, publications and other resources, and register to receive future updates about developments on these and other concerns from Ms. Stamer here.

Other Resources

If you found this update of interest, you also may be interested in reviewing some of the other updates and publications authored by Ms. Stamer available including:

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press resources available at ww.solutionslawpress.com

THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS.  ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.

©2011 Cynthia Marcotte Stamer, P.C.  Non-exclusive license to republish granted to Solutions Law Press.  All other rights reserved.

Comments Off on Mental Health Parity Guidance On Mental Health & Substance Abuse Copays, Utilization Management Limits Released | Claims Administration, Employee Benefits, Employers, ERISA, Health Plans, Mental Health, Mental Health Parity, Retirement Plans, Tax | Tagged: , , , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

« Previous Entries
Next Entries »