OCR 1st HIPAA Privacy, Security & Breach Notification Compliance Audits Begin

November 9, 2011

The kickoff of a new compliance audit pilot program provides another reason for health care providers, health plans, healthcare clearinghouses and their business associates to get serious about compliance with the privacy, security and data breach requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). 

OCR Pilot Audit Program Begins

On November 8, 2011, the Office of Civil Rights (OCR) of the Department of Health & Human Services (HHS) announced that it will begin auditing HIPAA compliance this month under a new pilot program.

As amended by the American Recovery and Reinvestment Act of 2009 in Section 13411 of the HITECH Act, requires HHS to provide for periodic audits to make sure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification standards.  To carry out this mandate, OCR is piloting a program to perform up to 150 audits of covered entities to assess privacy and security compliance between November 2011 and December 2012.

The commencement of OCR HIPAA compliance audits is yet another sign that covered entities and their business associates should get serious about HIPAA compliance. The audit program serves as a new part of OCR’s health information privacy and security compliance program.  While OCR says that it presently views the pilot audits as primarily a compliance improvement tool, this does not mean violators should expect a free walk.

Even before the impending audits, HIPAA Privacy exposures of covered entities for failing to comply with HIPAA already had risen significantly.  Earlier this year, OCR imposed a $4.3 Million Civil Money Penalty (CMP) against Cignet Health of Prince George’s County (Cignet) for violating HIPAA.  Meanwhile, the Department of Justice has secured several criminal convictions or pleas under HIPAA’s criminal provisions. Under amendments made by the HITECH Act, state attorneys general also now are empowered to bring civil lawsuits against covered entities and business associates that commit HIPAA violations that injure citizens in their state under certain circumstances. Eventually, individuals injured by HIPAA violations also will get the right to share in a portion of certain HIPAA recoveries.

These and other audit and enforcement activities send a strong message that covered entities and their business associates need to get serious about HIPAA compliance. As stated by OCR Director Georgina Verdugo when announcing the Mass General Resolution Agreement, “To avoid enforcement penalties, covered entities must ensure they are always in compliance with the HIPAA Privacy and Security Rules,” Verdugo added, “A robust compliance program includes employee training, vigilant implementation of policies and procedures, regular internal audits, and a prompt action plan to respond to incidents.” Learn more here.

For Help With Monitoring Developments, Compliance, Investigations Or Other Needs

If you need assistance monitoring federal health reform, policy or enforcement developments, or to review or respond to these or other health care or health IT related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, can help.

Vice President of the North Texas Health Care Compliance Professionals Association, a member of the American College of Employee Benefit Counsel, Past Chair of the ABA RPTE Employee Benefits & Other Compensation Arrangements Group, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has extensive experience advising and assisting health care providers, health plans, their business associates and other health industry clients to establish and administer medical privacy and other compliance and risk management policies.  Ms. Stamer also regularly helps clients deal with OCR and other agencies, publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns.  Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications.  Her insights on the required “culture of compliance” with HIPAA are frequently included in medical privacy related publications of the Atlantic Information Service, Modern Health Care, HealthLeaders and many others. Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, employee benefit and other clients, trade and professional associations and others.  You can get more information about her HIPAA and other experience here or may contact her at (469) 767-8872 or via e-mail here.

You can review other selected publications and resources and additional information about the employment, employee benefits and other experience of Ms. Stamer here.

Other Resources

If you found this update of interest, you also may be interested in reviewing some of the other updates and publications authored by Ms. Stamer available including:

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press resources available at www.solutionslawpress.com

THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS.  ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.

©2011 Cynthia Marcotte Stamer, P.C.  Non-exclusive license to republish granted to Solutions Law Press.  All other rights reserved.

 

Comments Off on OCR 1st HIPAA Privacy, Security & Breach Notification Compliance Audits Begin | Data Security, Employee Benefits, Employers, ERISA, Fiduciary Responsibility, Health Plans, Human Resources, Internal Controls, Internal Investigations, Patient Empowerment, Privacy, Tax | Tagged: , , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

OCR’s McAndrew Speaks At 5/16 JCEB HIPAA Teleconference; OCR/NIST To Share Other HIPAA Training On Line

May 10, 2011

The National Institute of Standards and Technology (NIST) and the Department of Health and Human Services (HHS), Office for Civil Rights (OCR) are making presentations from the 4th annual conference on “Safeguarding Health Information: Building Assurance through HIPAA Security” co-hosted in Washington, D.C. on May 10 & 11, 2011 available on line for review.  The training is part of a series of continuing efforts by the agencies to outreach to various parties on the Privacy and Security Rules of the Health Insurance Portability & Accountability Act of 1996, as amended (HIPAA).  Meanwhile, OCR’s Susan McAndrew is scheduled to share insights on OCR’s HIPAA regulatory and enforcement agenda at a teleconference to be hosted by the American Bar Association Joint Committee on Employee Benefits at Noon Central on May 16, 2011. 

 The Security Rule sets federal standards to protect the confidentiality, integrity and availability of electronic protected health information by requiring HIPAA covered entities and their business associates to implement and maintain administrative, physical and technical safeguards. Presentations cover a variety of current topics including updates on HHS health information privacy and security initiatives, OCR’s enforcement of health information privacy and security activities, integrating security safeguards into health IT and security automation, insider threat trends and safeguards, and more.

The conference is designed to explore the current health information technology security landscape and the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, the agencies share their practical strategies, tips and techniques for implementing the HIPAA Security Rule. 

For details about reviewing the May 10-11 presentations, see the 2011 HIPAA Conference website here.  For details about the May 16 teleconference, see here.

For Help With Monitoring Developments, Compliance, Investigations Or Other Needs

If you need assistance monitoring federal health reform, policy or enforcement developments, or to review or respond to these or other health care or health IT related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, can help.  Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 23 years experience advising health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers, health plans, their business associates and other health industry clients to establish and administer medical privacy and other compliance and risk management policies, to health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. She regularly designs and presents HIPAA and other risk management, compliance and other training for health plans, employers, health care providers, professional associations and others.   

Ms. Stamer also regularly works with OCR and other agencies, publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns.  Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications.   For instance, On May 3, 2011, Ms. Stamer served as the appointed scribe for the ABA Joint Committee on Employee Benefits Agency meeting with OCR and will moderate a teleconference featuring comments by OCR’s Susan McAndrew for the Joint Committee on Employee Benefits scheduled for May 16.  Her insights on the required “culture of compliance” with HIPAA also recently were quoted in medical privacy related publications of the Atlantic Information Service.  Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, employee benefit and other clients, trade and professional associations and others.

You can get more information about her HIPAA and other experience here.

If you need assistance with these or other compliance concerns, wish to inquire about arranging for compliance audit or training, or need legal representation on other matters please contact Ms. Stamer at (469) 767-8872 or via e-mail here.

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press resources including:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. For important information concerning this communication click here. 

THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS.  ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.

©2011 Cynthia Marcotte Stamer, P.C.  Non-exclusive license to republish granted to Solutions Law Press.  All other rights reserved.

Comments Off on OCR’s McAndrew Speaks At 5/16 JCEB HIPAA Teleconference; OCR/NIST To Share Other HIPAA Training On Line | Data Security, GINA, Health Plans, HIPAA, Human Resources, Privacy, Uncategorized, Wellness Programs | Tagged: , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

May 18 NTHCPA Meeting On HIPAA Legal Issues

May 10, 2011

NORTH TEXAS HEALTHCARE COMPLIANCE PROFESSIONAL ASSOCIATION

Invites Members and Guests to Join In The May BYO Brown Bag Luncheon

“Selected Legal Issues in HIPAA Compliance”

May 18, 2011
Noon-2:00 p.m.
Dallas Ft Worth Hospital Council

250 Decker Drive, Irving, TX 75062-2706

 

North Texas Healthcare Compliance Professional Association (NTHCPA) invites members and other interested health care compliance professionals to join other NTHCPA members and guests on Wednesday, May 18, 2011 from Noon to 2:00 p.m. as DFW attorney Scott Chase leads a program on “Selected Legal Issues in HIPAA Compliance.”  During the program, Mr. Chase will review selected current legal problems in complying with the security and privacy audit requirements, notification of breaches of security and responses to subpoenas under the HIPAA Privacy and Security Rules.  Participants also will enjoy ample opportunity to network with each other and dialogue on these and other HIPAA related challenges. 

Scott Chase is a solo practitioner who has represented small business owners (primarily physician groups) for almost 30 years.  Prior to his solo practice, he served as General Counsel for 2 public companies, including a large hospital management company.  He has chaired the Corporate Counsel Section of the Dallas Bar Association and its Health Law Section and, in 2002, he was among the first 28 Texas lawyers to be Board Certified in Health Law by the Texas Board of Legal Specialization.

The meeting will be held at the offices of the Dallas Ft Worth Hospital Council, 250 Decker Drive, Irving, TX 75062-2706.  Under the new brown bag luncheon format, members and guests are encouraged to bring along a lunch of their choosing and participate in this skill building and networking event.

NTHCPA meetings are open to all NTHCPA members and other interested health care compliance professionals. Participation in the meeting is complimentary. Participants are responsible for any parking charges incurred. 

Save The Date For June 15 Meeting

Save the date and plan to attend the June meeting featuring a program and dialogue on “Current Government Enforcement Initiatives” to be lead by Jones Day attorney Frank Sheeder at the Dallas Ft Worth Hospital Council offices on June 15, 2011 from Noon to 2 p.m.

RSVP & Register For Invites & Updates

To help us to notify you about upcoming meetings and to arrange for adequate space for this and other meetings, interested persons are encouraged to forward their current contact information including e-mail to Vice-President Cynthia Marcotte Stamer at (469) 767-8872 or by e-mail here.  Stay on top of information about upcoming meetings and share and dialogue with other NTHCPA members about health care compliance challenges and developments by joining our Linked In Group here.  Please feel free to share this invitation with others who may be interested. 

About the NTHCPA

NTHCPA exists to champion ethical practice and compliance standards and to provide the necessary resources for ethics and compliance Professionals and others in North Texas who share these principles.  The vision of NTHCPA is to be a pre-eminent compliance and ethics group promoting lasting success and integrity of organizations within North Texas.  To register or update your registration or to receive notice of future meetings, e-mail here.  

Would you like to get more involved?  We encourage persons interested in serving on the steering committee, sponsoring refreshments for an upcoming meeting, wish to suggesting topics or speakers, or seeking more information about membership or involvement with the NTHCPA to contact:

NTHCPA President Erma Lee at (817) 927-1232 or by e-mail here or

Vice-President Cynthia Marcotte Stamer at (469) 767-8872 or by e-mail here

This communication may be considered a marketing communication for certain purposes.  If you wish to update your e-mail for purposes of or would prefer not to receive future e-mail concerning meetings or other activities of the North Texas Healthcare Compliance Professionals Association or other marketing and promotional mailings from it, please send an email with the word “unsubscribe” in its subject heading here.

Comments Off on May 18 NTHCPA Meeting On HIPAA Legal Issues | Uncategorized | Tagged: , | Permalink
Posted by Cynthia Marcotte Stamer

Health Plans & Employers Beware! $4.3 Million Civil Penalty Shows OCR Serious About HIPAA Enforcement

February 23, 2011

 

A $4.3 million civil monetary penalty (CMP) imposed by the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) against Cignet Health of Prince George’s County, Md., (Cignet) signals the growing need for health plans and their sponsors, health care providers, health care clearinghouses and their business associates covered by the Health Insurance Portability & Accountability Act (HIPAA) Privacy Rule to get serious about HIPAA compliance. 

The first CMP ever assessed by OCR under the HIPAA Privacy Rule, the Cignet CMP assessment announced February 22, 2011, the $4.3 million CMP against Cignet announced February 22, 2011 applies the expanded HIPAA violation categories and increased HIPAA civil monetary penalty amounts authorized as part of the expansion of HIPAA obligations and penalties enacted as part of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009.

The Cignet penalty announcement is the latest in a series of developments documenting the rising risks that health care providers, health plans, health care clearinghouses and their business associates (“covered entities”) face for violations of HIPAA. 

Even before the announcement of the Cignet CMP, the HIPAA Privacy exposures of covered entities for failing to comply with HIPAA already had risen significantly. While OCR had not assessed any civil monetary penalties against any covered entity for violation of HIPAA before Cignet, OCR’s collection of $1 Million from Rite Aid in a 2010 Resolution Agreement, $2.25 million from CVS Pharmacy, Inc. under a 2009 Resolution Agreement and $100,000 from Providence Health & Services under a 2008 Resolution Agreement demonstrated that covered entities could face significant civil liability for willful violations of the Privacy Rules.  In addition, the Department of Justice has secured several criminal convictions or pleas under HIPAA’s criminal provisions. OCR data confirms that the covered entities involved in these actions included health care providers, health plans, and others.  

Health plans and other covered entities as well as their business associates should tighten privacy policies, breach and other monitoring, training and other practices to mitigate against exposures in light of recently tightened requirements and new enforcement risks.  To minimize the potential that the health plan’s sharing of information with the employer will create or spread HIPAA or other privacy risks to the employer or members of its workforce, employers and other plan sponsors and members of their workforce also should take steps to ensure not only that their health plan documents, policies and procedures, as well as those policies and practices applicable to employer, its human resources, and benefits advisors when accessing or handling health plan or other medical information on behalf of the employer, rather than the plan, are appropriately designed and administered.

Read more details and get tips here.

For Help With Investigations, Policy Review & Updates Or Other Needs

If you need assistance in auditing or assessing, updating or defending your HIPAA or other health plan, or other labor and employment, employee benefit, compensation, privacy and data security, or other internal controls and practices, please contact the author of this update, attorney Cynthia Marcotte Stamer here or at (469)767-8872.

Ms. Stamer, a noted Texas-based employee benefits and employment lawyer Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization, will discuss HIPAA and other privacy risks and risk management strategies for employers, health and employee benefit plan sponsors and their administrators at the Southwest Benefits Association/IRS Plan Administrator Skills Workshops to be held February 25 in Dallas and March 4 in Houston. 

The Chair of the American Bar Association (ABA) RPTE Employee Benefits & Other Compensation Committee, a Council Representative on the ABA Joint Committee on Employee Benefits, Government Affairs Committee Legislative Chair for the Dallas Human Resources Management Association, and past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, Ms. Stamer works, publishes and speaks extensively on HIPAA and other privacy and data security, health plan, health care and other human resources and workforce, employee benefits, compensation, internal controls and related matters.

For more than 23 years, Ms. Stamer has counseled, represented and trained employers and other employee benefit plan sponsors, plan administrators and fiduciaries, insurers and financial services providers, third party administrators, human resources and employee benefit information technology vendors and others privacy and data security, fiduciary responsibility, plan design and administration and other compliance, risk management and operations matters.  She also is recognized for her publications, industry leadership, workshops and presentations on privacy and data security and other human resources, employee benefits and health care concerns.  Her many highly regarded publications on privacy and data security concerns include “Privacy Invasions of Medical Care-An Emerging Perspective.” ERISA Litigation Manual. BNA, 2003-2009; “Privacy & Securities Standards-A Brief Nutshell.” BNA Tax Management and Compliance Journal. February 4, 2005; “Cybercrime and Identity Theft: Health Information Security beyond HIPAA.” ABA Health eSource. May, 2005 and many others.  She also regularly conducts training on HIPAA and other privacy and data security compliance and other risk management matters for a broad range of organizations including the Association of State and Territorial Healthcare Organizations (ASTHO), the Los Angeles County Health Department, a multitude of health plans and their sponsors, health care providers, the American Bar Association, SHRM, the Society for Professional Benefits Administrators and many others.t Her insights on these and other matters appear in the Bureau of National Affairs, Spencer Publications, the Wall Street Journal, the Dallas Business Journal, the Houston Business Journal, and many other national and local publications. For additional information about Ms. Stamer and her experience or to access other publications by Ms. Stamer see here or contact Ms. Stamer directly.

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press resources including:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile at here or e-mailing this information here.

©2011 Cynthia Marcotte Stamer.  Non-exclusive right to republish granted to Solutions Law Press.  All other rights reserved.

Comments Off on Health Plans & Employers Beware! $4.3 Million Civil Penalty Shows OCR Serious About HIPAA Enforcement | ARRA, Employee Benefits, Employers, ERISA, Health Plans, HIPAA, Human Resources, Insurance, Internal Controls, Internal Investigations, Privacy, Protected Health Information, Stimulus Bill, Tax | Tagged: , , , , | Permalink
Posted by Cynthia Marcotte Stamer

Assess Your Health Plan Compliance 8/24: Register Now!

August 12, 2010

Get a Health Plan Compliance Checkup

Learn What You Must Do Now To Meet Key 2010/2011
Affordable Care Act & Other Health Plan Compliance Deadlines

2010 Health Plan Update

A Solutions Law Press Live Internet Broadcast Briefing

August 24, 2010 

10:00 A.M.-12:30 P.M. Eastern | 11:00 A.M.-1:30 P.M. Central | 9:00 A.M-11:30 A.M. Pacific

Earn 2 Hours of Texas Insurance Continuing Education Credit,  WorldAtWork or HRCI Credit!

 

Solutions Law Press invites you to catch up on the latest guidance on new group health plan mandates imposed under the Patient Protection and Affordable Care Act (Affordable Care Act) and other federal health plan regulations by participating in the “2010 Health Plan Update” briefing on Tuesday, August 24, 2010. The briefing will be held via a live internet broadcast from 11:00 to 1:30 P.M. Central Time. Registrants can elect to participate in person or watch via the Internet for a registration fee of $150.00. To register click here.

Affordable Care Act Requires Prompt Action By Group Health Plans, Employee Sponsors, Fiduciaries, Administrators, & Insurers

Health benefit costs and legal risks continue to grow for U.S. businesses. The Affordable Care Act and other impending federal health plan regulatory changes will require employment-based group health plans, their employer and other plan sponsors, insurers plan fiduciaries, plan administrators and other service providers and insurers to make quick decisions and to act quickly to meet impending federal compliance deadlines while preserving flexibility. All employer and other group health plan sponsors, fiduciaries, insurers and administrators must act quickly to update their health plan documents, communications, insurance and vendor agreements and practices to comply with new federal requirements that become effective under the Affordable Care Act on the first day of the next plan year beginning after September 22, 2010 and various other changes in federal health plan rules effective or scheduled to take effect during 2010 or 2011 plan years. Many plan sponsors also may need to act quickly to cancel or revise plan design or vendor changes planned or already implemented since March 23, 2010 to position their health plan to qualify for grandfather status. Quick action also may be needed to qualify for small employer tax credits, retiree medical subsidies or other benefits.

August 24 Briefing Provides Key Information

The August 24, 2010 “2010 Health Plan Update” briefing will cover the latest guidance on Affordable Care Act and other federal health plan regulatory changes impacting employment-based group health plans and their sponsors for plan years beginning between September 23, 2010 and September 22, 2011 and other key information to help employers, group health plans, insurers, plan administrators, fiduciaries, broker and others working with these plans to understand and respond to these new requirements including:

  • How to qualify your health plan as a grandfathered plan under the Affordable Care Act
  • How to decide if maintaining grandfathered plan status is worthwhile
  • Claims & appeals requirements for grandfathered & non-grandfathered plans
  • Preventive care coverage & wellness program rules under Affordable Care Act, GINA, ADA & other federal regulations
  • Updated dependent child eligibility, pre-existing condition & other dependent coverage rules for grandfathered & non-grandfathered plans
  • Special enrollment, preexisting condition & other eligibility mandates for grandfathered & non-grandfathered plans under new Affordable Care Act, FMLA, Michelle’s Law, HIPAA & other regulations
  • Mental health & substance abuse, provider choice & other benefit mandates under new Affordable Care Act, Mental Health Parity & other federal rules
  • New HIPAA Privacy Rules
  • Update on other recent & pending Affordable Care Act group health plan rule guidance
  • Cafeteria plan implications
  • Tips to review & update your plans, vendor agreements & processes to meet Affordable Care Act & other federal group health plan dictates
  • Expected future Affordable Care Act & other federal rule changes & tips for preparing
  • Practical strategies for responding to new requirements & changing rules
  • Participant questions

About The Presenter

The program will be conducted by attorney Cynthia Marcotte Stamer.  Ms. Stamer is nationally known for her more than 23 years of work, publications and presentations on health plan and other employee benefit, health care and insurance matters. Current Chair of the American Bar Association (ABA) RPTE Employee Benefit & Other Compensation Group, a Council Member of the ABA Joint Committee on Employee Benefits and Past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, Ms. Stamer continuously advises group health plans, insurers, employer and other plan sponsors, plan fiduciaries, plan administrators and vendors, and others about health plan design, administration, defense, contracting and related legal compliance, operational, documentation, public policy, enforcement, privacy, technology, litigation and risk management and other concerns. Ms. Stamer also publishes and speaks extensively on these and other health and managed care program concerns and practices. Her insights on these and related topics have appeared in Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, Managed Healthcare, Health Leaders, various ABA publications and a many other national and local publications. To contact Ms. Stamer or for additional information about Ms. Stamer, her experience, involvements, programs or publications, contact Ms. Stamer at (469) 767-8872 or via e-mail here or see here.  Texas Insurance Department Continuing Education Provider Number 3544.

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other updates, consultation, training and education, tools, and other resources for businesses  on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press™ resources available for review here. If you or someone else you know would like to receive future updates and notices about other upcoming Solutions Law Press™ events, please be sure that we have your current contact information – including your preferred e-mail- by creating or updating your profile at here. For important information concerning this communication click here


Solutions Law Press ™ Thanks Our Sponsors

Benefit HR Productions is a producer of enrollment and employee benefit and human resources orientation and on boarding enrollment and other human resources video communications for employers and their service providers.  For more information, contact  Bill at (972) 267-8410.

NFC offers supplemental insurance benefits to individuals and families that pay benefits directly to the insured and offers cafeteria plan administration services at no cost to employers including a Debit Card feature. To learn more about NFC cafeteria plan services or its supplemental insurance products contact Art Mueller at National Family Care Life Insurance Company, 13530 Inwood Rd, Dallas, Tx 75244. 800-527-0996. acmnfc@flash.net

 ©2010 Solutions Law Press. All rights reserved.
  

A limited number of participants on a space available basis will have the opportunity to participate in the briefing as a member of the live studio audio audience in Plano, Texas. Interested persons should e-mail support@solutionslawyer.net.
Discounts available for groups registering three or more participants.  E-mail support@solutionslawyer.net.

Comments Off on Assess Your Health Plan Compliance 8/24: Register Now! | CHIP, Claims Administration, COBRA, Employee Benefits, Employers, ERISA, Excise Tax, Fiduciary Responsibility, FMLA, Health Plans, Human Resources, Income Tax, Mental Health, Mental Health Parity, Prescription Drugs, Tax, Wellness, Wellness Programs | Tagged: , , , , , , , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

Stamer To Conduct“Health Plan Eligibility Update” Teleconference For NBI October 13, 2010

August 5, 2010

Register Now For 8/24 2010 Health Plan Update Briefing

Employer and other group health plan sponsors and insurers, fiduciaries and administrators of group health must update their health plans and practices to comply with new federal rules imposed by the Affordable Care Act and a host of other evolving federal health plan rules.  In the meantime, health plan sponsors, fiduciaries, insurers and administrators looking to catch up on the most significant new requirements for employer and union sponsored health plans for the upcoming year also should consider registering to participate in the Solutions Law Press Health Plan Update Briefing scheduled for August 24, 2010.

October 13 NBI Teleconference Focuses On Eligibility Requirements

Catch up on the evolving federal health plan eligibility rules that employer and union sponsored group health plans must meet by listening in as attorney Cynthia Marcotte Stamer speaks about “Health Plan Eligibility Update”” on a live teleconference to be hosted by National Business Institutes on Wednesday, October 13, 2010 from 1:00 p.m.- 2:30 Central Time.  To register or for additional information on the October 13 NBI Teleconference , visit http://www.nbi-sems.com.

During the October 13, 2010 Health Plan Eligibility Teleconference, Ms. Stamer will share:

ü       Core Requirements Of Federal Group Health Plan Eligibility Rules Including Evolving Requirements of:

  • The Affordable Care Act
  • COBRA
  • HIPAA
  • GINA
  • Family Leave
  • Military Leave
  • Michelle’s Law & Other Dependent Coverage
  • Medicare Secondary Payer

ü       Implications On Cafeteria Plan & Other Common Enrollment Strategies

ü       Tips to Keep Health Plans Complaint

August 24 SLP Internet Briefing Overviews Latest Core Federal Rules For Group Health Plans Generally

Solutions Law Press invites you to catch up on the latest guidance about the new group health plan mandates imposed under the Patient Protection and Affordable Care Act (Affordable Care Act) and other federal health plan regulations by participating in a live “2010 Health Plan Update” internet[i] broadcast briefing on Tuesday, August 24 2010.  The briefing will be conducted via live video broadcast from 11:00 A.M.-1:30 P.M. Central Time.  The August 24, 2010 “2010 Health Plan Update” briefing will cover the latest guidance on Affordable Care Act and other federal health plan regulatory changes impacting employment-based group health plans and their sponsors for plan years beginning between September 23, 2010 and September 22, 2011 and other key information to help employers, group health plans, insurers, plan administrators, fiduciaries, broker and others working with these plans to understand and respond to these new requirements.  Register/Get Details Here! 

About The Presenter

Both programs will be conducted by attorney Cynthia Marcotte Stamer. With more than 23 years of experience advising employers, group health plans, plan fiduciaries, plan administrators and vendors, insurers and others about health plan and managed care matters, Ms. Stamer is nationally known for her work, publications and presentations on health plan and other employee benefit, health care and insurance matters. 

Current Chair of the American Bar Association (ABA) RPTE Employee Benefit & Other Compensation Committee, a Council Member of the ABA Joint Committee on Employee Benefits and Past Chair of the ABA Health Law Section Managed Care & Insurance  Interest Group, Ms. Stamer continuously advises employers, health plans, plan sponsors, fiduciaries, plan administrators, plan vendors, insurers and others about health program related legal, operational, documentation, public policy, enforcement, privacy, technology, litigation and risk management and other  concerns. Ms. Stamer also publishes and speaks extensively on these and other health and managed care program concerns and practices.  Her insights on these and related topics have appeared in Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, Managed Healthcare, Health Leaders, various ABA publications and a many other national and local publications.  To contact Ms. Stamer or for additional information about Ms. Stamer, her experience, involvements, programs or publications, contact Ms. Stamer at (469) 767-8872 or via e-mail here, or see here.

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press resources available for review here. If you or someone else you know would like to receive future updates and notices about other upcoming Solutions Law Press events, please be sure that we have your current contact information – including your preferred e-mail- by creating or updating your profile at here. For important information concerning this communication click here

If you found this of interest, you also may be interested in the following recent Solutions Law Press publications by Ms. Stamer:

©2010 Cynthia Marcotte Stamer. All rights reserved.

Comments Off on Stamer To Conduct“Health Plan Eligibility Update” Teleconference For NBI October 13, 2010 | ADA, CHIP, COBRA, Employee Benefits, Employers, ERISA, family leave, Fiduciary Responsibility, FMLA, GINA, Health Plans, HIPAA, Human Resources, Insurance, Leave, medical leave, Medicare Part D, Mental Health, Mental Health Parity, Patient Protection and Affordable Care Act | Tagged: , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

Rite Aid Pays $1 Million HIPAA Privacy Settlement As OCR Tightens HIPAA Regulations

August 3, 2010

Drug store chain Rite Aid Corporation and its 40 affiliated entities (Rite Aid) will pay $1 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule.  Although targeting a health care provider, employers, health plan sponsors, administrators, and service providers should recognise the the Rite Aid settlement as a strong reminder of the importance of reviewing and tightening their own human resources, employee benefits, adn other policies and processes to better safeguard protected health information, personal financial information and other sensitve data.   

The U.S. Department of Health and Human Services (HHS) Office of Civil Rights announcement of the HIPAA resolution agreement with Rite Aid and the concurrent negotiation of a separate consent order of potential FTC Act violations between Rite Aid and the Federal Trade Commission (FTC) follows HHS’ announcement of proposed changes to its HIPAA Privacy Rules and associated penalties in response to changes enacted under the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act).  The Rite Aid settlement and the proposed Privacy Rule changes illustrate the growing penalty risks that health plans, health care providers, healthcare clearinghouses and their business associates (Covered Entities) face for violating the Privacy Rules.  Read more details.

Additionally, the Rite Aid decision also serves as a reminder to employers, health plans and their administrators, insurers and finance and finance departments to tighten their controls over the use, access and disposal of sensitive information.  A walk through of almost most employee benefit, human resources and finance department typically reveals that at any given time a wide range of personal health and other sensitve information is handled and disposed of in a manner that leaves it open to improper or unnecessary use or disclosure.  Additionally, while situations like those in Rite Aid and CVS draw big press, Secret Service, FBI, DOL and other statistics show that most wrongful access and damage comes from the improper use of access of information gained through credentials as an employee, contractor or customer.  Rite Aid, CVS, and other HIPAA, FTC and personal identity breach statistics, settlements and judgments are a reminder to all of the advisability of cleaning up their policies and controls to better protect this data. 

For Assistance or More Information

If your organization needs assistance updating or defending your privacy, data security or other health plan design, documentation policies or procedures in response to these or other requirements or with other employee benefit, insurance or human resources matters, please contact the author of this update, Board Certified Labor & Employment attorney Cynthia Marcotte Stamer at (469) 767-8872 or via e-mail here.

Current Chair of the American Bar Association (ABA) RPTE Employee Benefit & Other Compensation Group, a Council Member of the ABA Joint Committee on Employee Benefits and Past Chair of the ABA Health Law Section Managed Care & Insurance  Interest Group, Stamer continuously advises employers, health and other employee benefit plans, plan sponsors, fiduciaries, plan administrators, plan vendors, insurers and others about health program related legal, operational, documentation, public policy, enforcement, privacy, technology, litigation and risk management and other concerns. Ms. Stamer also publishes, conducts client and other training, speaks and consults extensively on these and other health and managed care program concerns and practices. She regularly speaks and conducts training for the ABA, American Health Lawyers Association, Institute of Internal Auditors, Society for Professional Benefits Administrators, Southwest Benefits Association and many other organizations.  Her extensive publications include numerous highly regarding works on HIPAA and other health plan matters published by the Bureau of National Affairs, the ABA, and others.  Her insights on these and related topics have appeared in Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, Managed Healthcare, Health Leaders, various ABA publications and a many other national and local publications.  To contact Ms. Stamer or for additional information about Ms. Stamer, her experience, involvements, programs or Publishers of her many highly regarded writings on health industry and human resources matters include the Bureau of National Affairs, Aspen Publishers, ABA, AHLA, Aspen Publishers, Schneider Publications, Spencer Publications, World At Work, SHRM, HCCA, State Bar of Texas, Business Insurance, James Publishing and many others.  You can review other highlights of Ms. Stamer’s experience here

Other Resources

If you found this information of interest, you also may be interested in reviewing other recent Solutions Law Press updates including:

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press resources available for review here. If you or someone else you know would like to receive future updates and notices about other upcoming Solutions Law Press events, please be sure that we have your current contact information – including your preferred e-mail- by creating or updating your profile at here. For important information concerning this communication click here.

©2010 Solutions Law Press. All rights reserved.

Comments Off on Rite Aid Pays $1 Million HIPAA Privacy Settlement As OCR Tightens HIPAA Regulations | Corporate Compliance, Data Security, Employee Benefits, Employers, ERISA, Fiduciary Responsibility, Health Plans, HIPAA, Human Resources, Insurance, Internal Controls, Internal Investigations, Medicare Part D, Risk Management | Tagged: , , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

Register Now For 8/24 2010 Health Plan Update Briefing

July 30, 2010

Learn If Your Plan Will Be Grandfathered Plan & What You Must Do Now To Meet Key 2010/2011 Affordable Care Act & Other Federal Health Plan Compliance Deadlines

A Solutions Law Press Live Internet Broadcast Briefing

August 24, 2010

10:00 A.M.-12:30 P.M. Eastern

11:00 A.M.- 1:30 P.M. Central

9:00 A.M-11:30 A.M. Pacific

Solutions Law Press invites you to catch up on the latest guidance about the new group health plan mandates imposed under the Patient Protection and Affordable Care Act (Affordable Care Act) and other federal health plan regulations by participating in a live 2010 Health Plan Update” internet[*] broadcast briefing on Tuesday, August 24 2010.  The briefing will be conducted via live video broadcast from 11:00 A.M.-1:30 P.M. Central Time.  Register here for a registration fee of $150.00[†] per participant.   

Affordable Care Act Requires Prompt Action By Group Health Plans, Sponsors, Fiduciaries & Administrators

The Affordable Care Act and other impending federal health plan changes will require employment-based group health plans, their employer and other plan sponsors, plan fiduciaries, plan administrators and other service providers and insurers to make quick decisions and to act quickly to meet impending federal compliance deadlines while preserving flexibility.  All employer and other group health plan sponsors, fiduciaries, insurers and administrators must act quickly to update their health plan documents, communications, insurance and vendor agreements and other practices to comply with new federal requirements that become effective under the Affordable Care Act on the first day of the plan year beginning after September 22, 2010 and various other changes in federal health plan rules effective or scheduled to take effect during 2010 or 2011 plan years.  Many plan sponsors also may need to act quickly to cancel or revise plan design or vendor changes planned or already implemented since March 23, 2010 to position their health plan to qualify for grandfather status.  Quick action also may be needed to claim small employer tax credits, retiree medical subsidies or other benefits. 

Register Now To Get Key Information In August 24 Internet Briefing

The August 24, 2010 “2010 Health Plan Update” briefing will cover the latest guidance on Affordable Care Act and other federal health plan regulatory changes impacting employment-based group health plans and their sponsors for plan years beginning between September 23, 2010 and September 22, 2011 and other key information to help employers, group health plans, insurers, plan administrators, fiduciaries, broker and others working with these plans to understand and respond to these new requirements including:

  •  How to qualify your health plan as a grandfathered plan under Affordable Care act
  • How to decide if maintaining grandfathered plan status is worthwhile
  • Claims & appeals requirements for grandfathered & non-grandfathered plans
  • Preventive care coverage mandates & wellness program requirements & rules under Affordable Care Act & other federal regulations
  • Updated dependent child eligibility, pre-existing condition & other requirements for grandfathered & non-grandfathered plans
  • Special enrollment, preexisting condition & other eligibility mandates for grandfathered & non-grandfathered plans under new Affordable Care Act, new FMLA, COBRA, Michelle’s Law, HIPAA & other federal regulations
  • Mental health & substance abuse, provider choice & other benefit mandates under Affordable Care Act, Mental Health Parity & other federal rules
  • Update on other recent & pending Affordable Care Act group health plan rule guidance
  • Tips to review & update your plans, vendor agreements & processes to meet Affordable Care Act & other federal group health plan dictates
  • Expected future Affordable Care Act & other federal rule changes & tips for preparing
  • Practical strategies for responding to new requirements & changing rules
  • Participant questions

About The Presenter

The program will be conducted by attorney Cynthia Marcotte Stamer. With more than 23 years of experience advising employers, group health plans, plan fiduciaries, plan administrators and vendors, insurers and others about health plan and managed care matters, Ms. Stamer is nationally known for her work, publications and presentations on health plan and other employee benefit, health care and insurance matters. 

Current Chair of the American Bar Association (ABA) RPTE Employee Benefit & Other Compensation Committee, a Council Member of the ABA Joint Committee on Employee Benefits and Past Chair of the ABA Health Law Section Managed Care & Insurance  Interest Group, Ms. Stamer continuously advises employers, health plans, plan sponsors, fiduciaries, plan administrators, plan vendors, insurers and others about health program related legal, operational, documentation, public policy, enforcement, privacy, technology, litigation and risk management and other concerns. Ms. Stamer also publishes and speaks extensively on these and other health and managed care program concerns and practices.  Her insights on these and related topics have appeared in Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, Managed Healthcare, Health Leaders, various ABA publications and a many other national and local publications.  To contact Ms. Stamer or for additional information about Ms. Stamer, her experience, involvements, programs or publications, contact Ms. Stamer at (469) 767-8872 or via e-mail here, or see here.

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press resources available for review here. If you or someone else you know would like to receive future updates and notices about other upcoming Solutions Law Press events, please be sure that we have your current contact information – including your preferred e-mail- by creating or updating your profile at here. For important information concerning this communication click here.  If you do not wish to receive these updates in the future, send an e-mail with the word   ©2010 Solutions Law Press.   All rights reserved. 

[*] A limited number of participants on a space available basis will have the opportunity to participate in the briefing as a member of the live studio audio audience in Plano, Texas.  Interested persons should e-mail support@solutionslawyer.net. 

[†] Discounts available for groups registering three or more participants.  Sponsorship opportunities also available.  For information, E-mail support@solutionslawyer.net.

Comments Off on Register Now For 8/24 2010 Health Plan Update Briefing | ADA, Affordable Care Act, COBRA, Disease Management, Employee Benefits, Employers, ERISA, Excise Tax, family leave, Fiduciary Responsibility, FMLA, GINA, HIPAA, Human Resources, Insurance, Internal Controls, Leave, medical leave, Mental Health, Patient Protection and Affordable Care Act, Payroll Tax, Privacy, Protected Health Information, Risk Management, Tax, Wellness | Tagged: , , , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

CMS & ONC To Co-Host 7/22 ONC Certification & Medicare/Medicaid EHR Incentive Program Audio Training

July 19, 2010

The Centers for Medicare & Medicaid Services (CMS) and the Office of the National Coordinator for Health Information Technology (ONC) will co-host an Audio Training on the Final Rules for ONC Certification and Medicare and Medicaid EHR Incentive Programs on July 22, 2010 from 2:00-3:30 pm EST. 

During the training, the Agencies plan to discuss:

  • Benefits of HIT
  • Summary of the final rules
  • ONC temporary certification process
  • ONC initial set of standards and implementation specifications
  • Medicare and Medicaid EHR Incentives Programs including the initial definition of meaningful Use

To join the audio training, dial 1-877-251-0301 and enter the Conference ID pass code: 87841621

Materials will be made available prior to the training at the following web address here

For more information about CMS EMR incentives, see here. 

About The Author

Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization, management attorney and consultant Ms. Stamer is nationally and internationally recognized for more than 23 years of work helping employer and other plan sponsors, insurers, administrators, fiduciaries, governments and others design, administer and defend innovative health and other employee benefit programs and other human resources and health care IT, human resources, compensation and management policies and practices.

The author of numerous highly regarding publications on HIPAA and other health care IT related matters, Ms. Stamer works extensively with employer and other health plan sponsors, fiduciaries, administrative and other service providers, insurers, and other clients on health benefit program and product design, documentation, administration, compliance, risk management, and public policy matters.  The publisher of Solutions Law Press, Ms. Stamer also publishes, conducts training and speaks extensively on these and related concerns for the ABA, the Bureau of National Affairs and many other organizations.

The Chair of the American Bar Association (ABA) RPTE Employee Benefits & Other Compensation Committee, a Council Representative on the ABA Joint Committee on Employee Benefits, Government Affairs Committee Legislative Chair for the Dallas Human Resources Management Association, past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, and the editor and publisher of Solutions Law Press HR & Benefits Update and other Solutions Law Press Publications, Ms. Stamer also is recognized for her publications, industry leadership, workshops and presentations on these and other HIPAA, EMR and other health technology, health industry and human resources concerns. She regularly speaks and conducts training for the ABA, Institute of Internal Auditors, Society for Professional Benefits Administrators, Southwest Benefits Association and many other organizations.  Publishers of her many highly regarded writings on health industry and human resources matters include the Bureau of National Affairs, Aspen Publishers, ABA, AHLA, Aspen Publishers, Schneider Publications, Spencer Publications, World At Work, SHRM, HCCA, State Bar of Texas, Business Insurance, James Publishing and many others.  You can review other highlights of Ms. Stamer’s experience hereHer insights on these and other matters appear in Managed Care Executive, Modern Health Care, the Wall Street Journal, the Dallas Business Journal, the Houston Business Journal, MDNews, Kentucky Physician, and many other national and local publications. 

If you need help with human resources or other management, concerns, wish to ask about compliance, risk management or training, or need legal representation on other matters please contact Cynthia Marcotte Stamer here or (469)767-8872. 

Other Resources

If you found this information of interest, you also may be interested in reviewing other recent Solutions Law Press updates including:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here or e-mailing this information here or registering to receive our Solutions Law Press distributions here. For important information about this communication click here.

Comments Off on CMS & ONC To Co-Host 7/22 ONC Certification & Medicare/Medicaid EHR Incentive Program Audio Training | Affordable Care Act, Data Security, Employee Benefits, Employers, ERISA, Health Plans, HIPAA, Human Resources, Insurance, Internal Controls, Medicare Part D, Patient Protection and Affordable Care Act, Protected Health Information, Public Policy | Tagged: , , , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

Stamer To Discuss “Health Care Reform’s Implications For Employers, Health Plans & Employee Benefits Practitioners” At May 5 Dallas Bar Association Meeting

March 22, 2010

Cynthia Marcotte Stamer will discuss “Health Care Reform:  Implications for Employers, Health Plans and Employee Benefits Practitioners” at the May 5, 2010 meeting of Dallas Bar Association Employee Benefits/Executive Compensation Section to be held from 12:00 noon – 1:00 p.m. in the Haynes & Boone Ballroom of Dallas Bar Association Belo Mansion located at 2101 Ross Avenue in Dallas, Texas.

Narrowly passed by Congress in March after a year of contentious debate, the comprehensive health care reform legislation imposes a complex array of reforms impacting employment based health plans, employers, and the insurers and other vendors and administrators of these programs.  Ms. Stamer will explore key elements of these reforms impacting employers and employment based health coverage and their implications for employers, employment based health plans, and employee benefits and other attorneys providing advice about these arrangements.

Chair of the American Bar Association RPTE Employee Benefits & Compensation Committee, an ABA Joint Committee on Employee Benefits Council member, Chair of the Curran Tomko Tarski Labor, Employment & Employee Benefits Practice and former Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and the Dallas Bar Association Employee Benefits & Executive Compensation Section, Ms. Stamer is nationally recognized for more than 22 years of work with employer and other health plan sponsors, fiduciaries, administrative and other service providers, insurers, and other clients on health benefit program and product design, documentation, administration, compliance, risk management, and public policy matters.  The publisher of Solutions Law Press, Ms. Stamer also publishes, conducts training and speaks extensively on these and related concerns for the ABA, the Bureau of National Affairs and many other organizations.  For additional information about Ms. Stamer and her experience or to access other publications by Ms. Stamer see here or contact Ms. Stamer directly.   For additional information about the experience and services of Ms. Stamer and other members of the Curran Tomko Tarksi LLP team, see here.

If you need assistance with evaluating or responding to this new legislation or other employee benefits, employment, compensation or other management concerns, wish to inquire about compliance, risk management or training, or need legal representation on other matters please contact Cynthia Marcotte Stamer at cstamer@cttlegal.com, 214.270.2402; or your other preferred Curran Tomko Tarski LLP attorney.

If you found this information of interest, you also may be interested in reviewing other updates and publications by Ms. Stamer including:

You can review other recent human resources, employee benefits and internal controls publications and resources and additional information about the employment, employee benefits and other experience of Ms. Stamer here and learn more about  other Curran Tomko Tarski LLP attorneys here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here or e-mailing this information to Cstamer@CTTLegal.com or registering to participate in the distribution of these and other updates on our Solutions Law Press distributions here. For important information concerning this communication click here.    

©2010 Cynthia Marcotte Stamer. All rights reserved.

Comments Off on Stamer To Discuss “Health Care Reform’s Implications For Employers, Health Plans & Employee Benefits Practitioners” At May 5 Dallas Bar Association Meeting | Corporate Compliance, Disease Management, Employers, Employment Tax, ERISA, Excise Tax, GINA, Health Plans, Human Resources, Income Tax, Insurance, Internal Controls, Payroll Tax, Risk Management, Tax | Tagged: , , , , , , , , , , , , , , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

Privacy Rule Changes & Posting of Breach Notices On OCR Website Signal New Enforcement Risks For Health Plans, Their Sponsors & Business Associates

February 23, 2010

 By Cynthia Marcotte Stamer

The Department of Health and Human Services Office of Civil Rights (OCR) has begun disclosing on its website the employer and other health plans, health care providers, health care clearinghouses and their business associates (Covered Entities) that report breaches of unsecured protected health information (UPIC) affecting more than 500 individuals as required by new rules enacted as part of the Health Information Technology for Economic and Clinical Health Act (HITECH Act). This posting of Covered Entities reporting breaches comes just days after these and other Covered Entities became subject on February 17, 2010 to a host of other tighter federal requirements for the use, access, protection and disclosure of protected health information under Privacy & Security Standards of the Health Insurance Portability & Accountability Act (HIPAA) also enacted as part of the HITECH Act. As failing to comply with the amended rules effective February 17, 2010 can trigger obligations under the Breach Regulations and other exposures, prompt action to manage risk under both the Breach Regulations and the revised HIPAA rules is critical to minimize Covered Entity and business associate exposures under both these rules. With criminal, administrative and civil prosecutions of such violations increasing and likely to expand, timely action to manage compliance and other risks is warranted. Health plans and their business associates also should prepare for increased awareness and oversight of the adequacy of their medical information safeguards as these disclosures and other enforcement actions heighten interest and awareness of employees and others in these rules.

Covered Entity Breach Notification Requirements

OCR posted the initial list of Covered Entities disclosing these breaches on its website for the first time yesterday (February 22, 2010) to comply with breach notification requirements imposed by Section 164.408 of the interim “Breach Notification For Unsecured Protected Health Information” regulation (Breach Regulation) published here

The Breach Regulation requires Covered Entities subject to the Health Insurance Portability & Accountability Act (HIPAA) to notify affected individuals, OCR and certain other parties following a “breach” of “unsecured” protected health information occurring on or after September 23, 2009.  The Breach Regulation implements new breach notification requirements added to HIPAA by Section 13402(e)(3) of the Health Information Technology for Economic and Clinical Health Act (HITECH Act). It and the posting of Covered Entities reporting breaches of protected health information are part of the ongoing implementation and enforcement of new and stricter personal health information privacy and data security requirements for Covered Entities added to HIPAA under provisions of the HITECH Act and expanded remedies for violations signed into law on February 17, 2009 as part of American Recovery and Reinvestment Act of 2009 (ARRA).

You can review the list of Covered Entities that have reported breaches on the OCR website here.  Learn more about the Breach Regulation requirements here.

Broader & Stricter Medical Privacy Mandates Effective 2/17/210

Just last Wednesday (February 17, 2010) Covered Entities and their business associates also became subject to tighter federal requirements for the use, access, protection and disclosure of protected health information under amendments to HIPAA’s Privacy & Security Standards enacted by the HITECH Act. The changes that became effective on February 17, 2010 generally require that Covered Entities and their business associates make specific changes to update their written policies, operational procedures, privacy notices, business associate agreements, training, and other management procedures in several respects. For more details, see here.

While the HITECH Act gave Covered Entities and business associates a year to complete the necessary arrangements to comply with these HITECH Act changes, many Covered Entities and business associates have remain unnecessarily exposed under these new requirements by not completing or otherwise failing to adequately implement the necessary arrangements despite expanding liability exposures that can result from noncompliance. To mitigate these exposures, Covered Entities and their business associates should act quickly to review and update their policies, procedures, training, business associate and other services agreements, and other practices and procedures, as well as to implement the training, oversight, and other management necessary to comply with the HITECH Act changes and to mitigate other HIPAA risks.

Exposures Significant & Growing

Covered Entities and business associates failing to devote adequate attention and resources to  managing HIPAA compliance and associated risks risk increasing peril.  Aside from the potential implications that disclosures of violations may have on patients and others impacting their business, the legal risks of noncompliance for Covered Entities, business associates and others mishandling protected health information are real and growing.   

Timely action to comply with the amended HIPAA requirements and Breach Regulations is important both to preserve critical trust in the business, to avoid triggering breach notifications that can undermine this trust and fuel legal complaints, and to avoid exposure to an expanding range of sanctions that can result when a violation occurs. 

Amendments made under the HITECH Act have expanded the size and availability of remedies that can be imposed for HIPAA violations as well as the parties empowered to pursue these remedies.  Wrongful use, access or disclosure of protected health information in violation of HIPAA subjects participating health plans, health care providers, health care clearinghouses, their business associates and other workforce members and others to civil penalties,  criminal prosecution and, since February 17, 2009, civil lawsuits brought by state attorneys general on behalf of citizens of their states whose HIPAA rights were violated.  Since September 23, 2009, health plans and other HIPAA Covered Entities as well as their  business associates also became obligated to provide breach notification under new mandates imposed by the HITECH Act.  Coupled with increased enforcement emphasis by regulators, these expansions to HIPAA’s remedy provisions increase the risk that Covered Entities or business associates violating HIPAA face investigation and sanction.  Furthermore, the wrongful use, access or disclosure of protected health information or other confidential information also increasingly is the basis of civil or criminal actions brought under a variety of other federal and state laws.

Expanded HIPAA & Other Federal Prosecutions & Remedies

The expanded requirements imposed under the Breach Regulation and the other HITECH Act changes that took effect on February 17, 2010 follow the implementation changes to HIPAA’s civil and criminal sanctions that took effect on February 17, 2009, when President Obama signed the HITECH Act into law. The HITECH Act amendments to HIPAA’s remedies significantly increase the risk that health plans and other Covered Entities and their business associates will face civil lawsuits, civil or criminal penalties or other consequences for violating HIPAA. Noncompliance with these and other HIPAA requirements subjects Covered Entities and business associates to civil penalties, criminal prosecution, civil damage awards under lawsuits brought by state attorneys general, and other legal remedies.  In addition, timely update written policies, procedures, business associate agreements, training and documentation is imperative in order for Covered Entities and their business associates to fulfill their breach notification obligations under new rules enacted as part of the HITECH Act. 

HITECH Amendments Expand Liability Exposures

The expanded risks stem in part from the HITECH Act’s amendments to HIPAA’s remedy provisions.  Among other things, the HITECH Act amended HIPAA to:

  • Allow a State Attorney General to sue health plans or other Covered Entities, business associates or both that harm state citizens by committing HIPAA violations after February 16, 2009;
  • Expand the mandate by OCR to investigate violations and audit compliance with HIPAA;
  • Require Office of Civil Rights to impose civil sanctions against Covered Entities and business associates involved in violations of HIPAA in accordance with tightened standards added to HIPAA by the HITECH Act;
  • Revise the criminal sanctions that the Department of Justice can seek against Covered Entities, their business associates and others for violations of HIPAA; and
  • Amend HIPAA to make clear that HIPAA’s criminal sanctions also can imposed on business associates, workforce members and other persons that improperly use, access and disclose protected health information in violation of HIPAA.

State Attorney General Lawsuit Exposures

Covered Entities and their business associates now also need to be concerned about the potential that a state Attorney General may bring civil suit to remedy damages caused to state citizens by a breach of HIPAA. 

The HITECH Act empowers a state attorney general to sue Covered Entities or business associates engaging in HIPAA violations that harms citizens of the state for statutory damages equal to the sum of the number of violations multiplied by 100 up to a maximum of $25,000 per calendar year plus attorneys fees and costs

A HIPAA civil lawsuit filed on January 13, 2010 demonstrates the willingness of at least some states to exercise the new authority created by the HITECH Act on February 17, 2009 to sue Covered Entities and business associates that violate HIPAA for civil damages.

On January 13, 2010 Connecticut Attorney General Richard Blumenthal sued Health Net of Connecticut, Inc. (Health Net) for failing to secure private patient medical records and financial information involving 446,000 Connecticut enrollees and promptly notify consumers endangered by the security breach.   The suit also names UnitedHealth Group Inc. and Oxford Health Plans LLC, who have acquired Health Net.  The first attorney general enforcement action brought based on amendments made to HIPAA under the HITECH Act, Connecticut charges that Health Net violated HIPAA by failing to safeguard protected medical records and financial information on almost a half million Health Net enrollees in Connecticut then allowing this information to remain exposed for at least six months before notifying authorities and consumers.

Stepped Up Federal Enforcement

Even before the HITECH Act amendments, however, OCR and Department of Justice already were stepping up HIPAA investigation and enforcement.  The Department of Justice has obtained a variety of criminal convictions against violators of HIPAA.  See, e.g., 2 New HIPAA Criminal Actions Highlight Risks From Wrongful Use/Access of Health InformationMeanwhile, OCR also is emphasizing HIPAA enforcement.  In February, 2009, for instance, OCR announced that CVS Pharmacies, Inc. would pay $2.25 million to resolve HIPAA charges.  This announcement followed OCR’s announcement in July, 2008 that Providence Health Care would pay $100,000 to resolve HIPAA violation charges.  OCR also has taken HIPAA enforcement actions against a broad range of other Covered Entities to redress HIPAA violations or other compliance concerns.  To review examples of these other actions, see hereWhile not resulting in the significant payments involved in CVS or Providence, all Covered Entities involved in these and other enforcement actions or investigations have incurred significant legal and other defense costs, loss of community trust, or both.

In addition to these HIPAA-specific exposures, wrongful use, access or disclosure of medical information also can give rise to liability for health plans and other Covered Entities, business associates, employees and other members of their workforce and others improperly using, accessing or disclosing protected health information.  Federal and state prosecutions may and increasingly do criminally prosecute individuals for improperly accessing or using medical or other personal information under a variety of other federal or state laws .  See e.g., Cybercrime & Identity Theft: Health Information Security Beyond HIPAA; NY AG Cuomo Announcement of 1st Settlement For Violation of NY Security Breach Notification Law; Woman Who Revealed AIDs Info Gets A YearAdditionally, State courts also increasingly are permitting individuals harmed by HIPAA violations to use HIPAA as the foundation of state law duties used to maintain state negligence, invasion of privacy, retaliation or other claims for damages. Read more here

State Civil Lawsuits

Along side these governmental actions, state courts also increasingly are willing to allow individual plaintiffs to rely on violations of HIPAA as the basis for bringing state privacy, retaliation or other actions.  While prior to the recent HITECH Act amendments, federal courts had ruled that private plaintiffs could not sue under HIPAA for damages they incurred from a Covered Entity’s violation of HIPAA, state courts have allowed private plaintiffs to use the obligations imposed by HIPAA as the basis of a Covered Entity’s duty for purposes of certain state law lawsuits.  In  Sorensen v. Barbuto, 143 P.3d 295 (Utah Ct. App. 2006), for example, a Utah appeals court ruled a private plaintiff could use HIPAA standards to establish that a physician owed a duty of confidentiality to his patients for purposes of maintaining a state law damages claim.  Similarly, the Court in Acosta v. Byrum, 638 S.E. 2d 246 (N.C. Ct. App. 2006) ruled that a plaintiff could use HIPAA to establish the “standard of care” in a negligence lawsuit.

Meanwhile, disgruntled employees or other business partners also increasingly raise alleged HIPAA misconduct as a basis of their legal complaints.  For instance, private plaintiffs employed by Covered Entities also are increasingly pointing to HIPAA as the basis for their retaliation or wrongful discharge claims. See, e.g.,  Retaliation For Filing HIPAA Complaint Recognized As Basis For State Retaliatory Discharge Claim.  Coupled with the HITECH Act changes, these and other enforcement actions signal growing potential hazards for Covered Entities and their business associates that  fail to properly manage their HIPAA compliance obligations and risks.

Given these and other developments, Covered Entities and their business associates generally should resist the temptation to underestimate their potential HIPAA exposure for a variety of reasons.  In fact, a number of factors demonstrate that the risks are significant and growing for Covered Entities, business associates and others that breach HIPAA’s mandates or otherwise inappropriately access protected health information. 

Covered Entities & Business Associates Urged To Act Promptly To Manage Expanded HIPAA Risks & Obligations

As a consequence of these collective HITECH Act changes and growing HIPAA-related and other exposures, Covered Entities, their business associates and business associates generally will find it necessary or advisable among other things to:

  • Conduct well-documented due diligence within the scope of attorney-client privilege on their own practices and procedures;
  • Review the adequacy of the practices, policies and procedures of the Covered Entities, business associates, and others that may come into contact with protected health information;;
  • Renegotiate their service provider agreements to detail the specific compliance obligations of each party relating to for auditing compliance, investigating potential breaches; providing required breach notifications; specify leadership and required cooperation in the event of a breach, charge, or other concern; indemnification and other liability allocations; and other related matters;
  • Update policies, privacy and other notices, practices, procedures, training and other practices as needed to promote compliance and defensibility;
  • Conduct well-documented training as necessary to ensure that business associates and other members of the Covered Entity’s workforce understand and are prepared to comply with the expanded requirements of HIPAA, can detect potential breaches or other compliance concerns, and understand and are prepared to follow appropriate procedures for reported suspected violations; and
  • Pursue appropriate liability and other protection as appropriate to improve their ability to demonstrate both their commitment to compliance and their realistic efforts to ensure that these commitments are both appropriately documented on paper and operationalized in performance.

As part of these compliance and risk management efforts, most Covered Entities and their business associates will find it advisable to devote significant attention to the business associate relationship and its associated business associate agreements. Proper management of the expanded compliance obligations and liability exposures created by the HITECH Act generally will necessitate that Covered Entities and their business associates focus significant attention on the reworking of their operating and contractual relationships including the definition of detailed procedures for monitoring, reporting, investigating, and resolving potential breaches or other compliance concerns.

Even before the impending HIPAA changes scheduled to take effect on February 17, 2010, a strong need for more detailed contracting and planning of these relationships already existed. Since the enactment of HIPAA, the practice of many Covered Entities and their business associates of appending generic “business associate” representations onto existing services contracts without specific tailoring and planning has created undesirable ambiguities in these agreements. Further updating and tailoring of these and other provisions of services agreements has become even more important over the past year in light of the new breach notification mandates that took effect under the HITECH Act in September, 2009, changes to HIPAA’s civil and criminal sanctions that took effect on February 17, 2009, and the impending extension by the HITECH Act to business associates of direct liability for compliance with HIPAA scheduled to occur on February 17, 2010.

These and other stepped up oversight and enforcement activities make it critical that all Covered Entities and their business associates update their policies and practices, conduct training, tighten their compliance and data breach monitoring processes, strengthen their internal controls and documentation, and take other steps to prepare to defend their actions under the newly strengthened Privacy Rules.  Covered Entities and their business associates more than ever must ensure their ability to demonstrate to federal regulators the effectiveness of their HIPAA compliance efforts by both adopting the written policies and procedures required by HIPAA and continuously monitoring and administering these safeguards.  Covered Entities should consider reviewing the adequacy of their current HIPAA Privacy and Security compliance practices taking into consideration the Corrective Action Plan, published OCR noncompliance and enforcement statistics, their own and reports of other security and privacy breaches and near misses, and other developments to determine if additional steps are necessary or advisable.

For Assistance With Compliance Or Other Concerns

If your organization need advice or assistance in reviewing, updating, administering or defending its HIPAA or other privacy policies, practices, business associate or other agreements, notices or other related activities, consider contacting the author of this article, Curran Tomko Tarski LLP Partner Cynthia Marcotte Stamer at (214) 270-2402 or via e-mail  here

Ms. Stamer is nationally known for her work, training and presentations, and publications on privacy and security of health and other sensitive information in health and managed care, employment, employee benefits, financial services, education and other contexts. 

Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 22 years experience advising clients about health and other privacy and security matters.  A popular lecturer and widely published author on privacy and data security and other related health care and health plan matters, Ms. Stamer is the Editor in Chief of the forthcoming 2010 edition of the Information Security Guide to be published by the American Bar Association Information Security Committee in 2010, as well as the author of “Protecting & Using Patient Data In Disease Management: Opportunities, Liabilities And Prescriptions,” “Privacy Invasions of Medical Care-An Emerging Perspective,” “Cybercrime and Identity Theft: Health Information Security Beyond HIPAA,” and a host of other highly regarded publications. She has continuously advises employers, health care providers, health insurers and administrators, health plan sponsors, employee benefit plan fiduciaries, schools, financial services providers, governments and others about privacy and data security, health care, insurance, human resources, technology, and other legal and operational concerns. Ms. Stamer also publishes and speaks extensively on health and managed care industry privacy, data security and other technology, regulatory and operational risk management matters.  Her insights on health care, health insurance, human resources and related matters appear in the Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Managed Healthcare, Health Leaders, and a many other national and local publications.  For additional information about Ms. Stamer, her experience, involvements, programs or publications, see here.  

Other Recent Developments

If you found this information of interest, you also may be interested in information about upcoming programs to be presented by Ms. Stamer, acquiring a copy of a recording or materials from previous programs she has presented, or arranging training for your organization.  For more information about these opportunities, contact Ms. Stamer directly.

If you found this information of interest, you also may be interested in reviewing some of the following recent Updates available online by clicking on the article title:

Curran Tomko Tarski LLP Can Help

If your organization need advice or assistance in reviewing, updating, administering or defending its HIPAA or other privacy policies, practices, business associate or other agreements, notices or other related activities, consider contacting Curran Tomko Tarski LLP Partner Cynthia Marcotte Stamer.

A widely published author and speaker on HIPAA and other employee benefit and human resources related matters, Ms. Stamer has extensive experience advising health plans, their employer and other sponsors, health insurers, TPAs and other business associates and others about HIPAA and other health plan and privacy matters. Currently serving as both Chair of the American Bar Association (ABA) RPTE Employee Benefits & Other Compensation Group and as an ABA Joint Committee on Employee Benefits Council representative and Former Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, Ms. Stamer has more than 23 years experience assisting employers, insurers, plan administrators and fiduciaries and others to design, implement, draft and administer health and other employee benefit plans and to defend audits, litigation or other disputes by private parties, the IRS, Department of Labor, Office of Civil Rights, Medicare, state insurance regulators and other federal and state regulators. A nationally recognized author and lecturer, Ms. Stamer also speaks and writes extensively on these and other related matters. For additional information about Ms. Stamer and her experience or to access other publications by Ms. Stamer see here or contact Ms. Stamer directly.   For additional information about the experience and services of Ms. Stamer and other members of the Curran Tomko Tarksi LLP team, see here.

Other Information & Resources

We hope that this information is useful to you. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here or e-mailing this information here or registering to participate in the distribution of our Solutions Law Press HR & Benefits Update distributions here.  Examples of other recent updates that may be of interest include:

For important information concerning this communication click here.   If you do not wish to receive these updates in the future, send an e-mail with the word “Remove” in the Subject here.

 

©2010 Cynthia Marcotte Stamer. All rights reserved.

Comments Off on Privacy Rule Changes & Posting of Breach Notices On OCR Website Signal New Enforcement Risks For Health Plans, Their Sponsors & Business Associates | Corporate Compliance, Data Security, Employee Benefits, Employers, ERISA, Fiduciary Responsibility, GINA, Health Plans, HIPAA, Human Resources, Insurance, Internal Controls, Privacy, Risk Management, Wellness Programs | Tagged: , , , , , , , , , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

Stamer To Present “2010 Health Plan Checkup” At Annual DFW ISCEBS Employee Benefits Fundamentals Workshop

February 22, 2010

 

Cynthia Marcotte Stamer will discuss the latest changes and requirements affecting employer sponsored group health plans, their sponsors, fiduciaries, insurers and vendors during her presentation titled “2010 Health Plan Checkup” at the Dallas/Fort Worth ISCEBS Annual Fundamentals Workshop currently scheduled for May 13, 2010 in Dallas. 

With Congress and federal regulators turning up the heat on health care, keeping up to date with the latest developments is both critical and increasingly challenging for employers, their employee benefits and human resources staff, and the fiduciaries, insurers, administrators and others dealing with health plan design and administration. Coming as U.S. employers continue to struggle to provide health benefits in the face of skyrocketing health benefit costs, tighter health plan medical privacy, nondiscrimination, mental health and other benefit mandates, and a host of other tighter new federal regulations impacting employment-based health plans and their sponsoring businesses, fiduciaries and administrators increasingly are forcing U.S. business leaders to make appropriate health plan cost and compliance management a key management priority. Ms. Stamer will discuss key developments, highlight new developments on the horizon, and provide tips to participants for monitoring and responding to these and other developments.  To register or for additional information, contact the Dallas/Fort Worth ISCEBS here.

Nationally recognized for her more than 22 years of work on managed care and other health and other employee benefits, human resources, insurance, and health care matters, Ms. Stamer assists employee benefit plans, their sponsoring employers, fiduciaries, insurers, administrators and others to monitor and respond to evolving legal and operational requirements and to design, administer, document and defend managed care and other medical benefit programs and practices. She also regularly advises and assists these and other clients to monitor and respond to evolving legislation, regulations, enforcement activities by federal and state regulators, evolving product and market changes, and private litigation and other disputes.  Past Chair of the American Bar Association (ABA) Health Law Section Managed Care & Insurance Interest Group and the Current Chair of the ABA RPTE Employee Benefits & Compensation Committee, an ABA Joint Committee on Employee Benefits Council member, Chair of the Curran Tomko Tarski Labor, Employment & Employee Benefits Practice and Board Certified in Labor & Employment Law, Ms. Stamer also is a widely published author and highly regarded speaker on these and other employee benefit and human resources matters.  Some other recent updates on these topics recently published by Ms. Stamer include :

For additional information about Ms. Stamer and her experience or to access other publications by Ms. Stamer see here or contact Ms. Stamer directly.   For additional information about the experience and services of Ms. Stamer and other members of the Curran Tomko Tarksi LLP team, see here.

If you need assistance with these or other compliance concerns, wish to inquire about federal or state regulatory compliance audits, risk management or training, assistance investigating or responding to a known or suspected compliance or risk management concern, or need legal representation on other matters please contact the author of this update, Cynthia Marcotte Stamer, CTT Labor & Employment Practice Chair at cstamer@cttlegal.com, 214.270.2402; or your other preferred Curran Tomko Tarski LLP attorney.

You can review other recent human resources, employee benefits and internal controls publications and resources and additional information about the employment, employee benefits and other experience of Ms. Stamer here and learn more about  other Curran Tomko Tarski LLP attorneys here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here or e-mailing this information to Cstamer@CTTLegal.com or registering to participate in the distribution of these and other updates on our Solutions Law Press distributions here. For important information concerning this communication click here.    If you do not wish to receive these updates in the future, send an e-mail with the word “Remove” in the Subject to here.

©2010 Cynthia Marcotte Stamer. All rights reserved.

Comments Off on Stamer To Present “2010 Health Plan Checkup” At Annual DFW ISCEBS Employee Benefits Fundamentals Workshop | ARRA, CHIP, COBRA, COBRA Subsidy, Employee Benefits, Employers, ERISA, Excise Tax, Fiduciary Responsibility, Health Plans, HIPAA, Human Resources, Medicare Part D, Mental Health, Mental Health Parity, Prescription Drugs, Stimulus Bill, Tax, Wellness, Wellness Programs | Tagged: , , , , , , , , , , , , , , , , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

SouthWest Benefits e-Connections Highlights Stamer Article About Importance For Health Plans, Their Sponsors & Business Associates To Update HIPAA Policies, Practices & Agreements

February 22, 2010

Cynthia Marcotte Stamer’s article Health Plans & Business Associates Face 2/17 Deadline To Comply With HIPAA Privacy Rule Changes is featured in the Winter, 2010 edition of the SouthWest Benefits Association e-Connection.  The article originally published in the Solutions Law Press HR & Benefit Update highlights the need for health plans, employer and other plan sponsors, administrators, and health insurers as well as the brokers, advisors, and other service providers performing functions on behalf of these entities to update their plans, policies, vendor agreements, practices, privacy notices and other communications and other materials, conduct training and take other steps in response to tighter federal requirements for the use, access, protection and disclosure of protected health information under Privacy & Security Standards of HIPAA, as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH Act).

Founded in 1975, SouthWest Benefits is a regional, non-profit association designed to foster relationships and support the educational growth of professionals in employee benefits through an annual schedule of professional educational conferences and workshops. As part of these activities, the SWBA is scheduled to host its 35th Annual Conference on May 12th-14th at the Westin Riverwalk in San Antonio.  For information about these and other SWBA, see here.

A former Southwest Benefits Association board member who remains active in the organization, Ms. Stamer is a board certified labor and employment attorney recognized, internationally, nationally and locally for her more than 22 years of work, advocacy, education and publications on employee benefit and related matters.  As a core focus of her role as the Chair of the Curran Tomko Tarski Labor, Employment & Employee Benefits Practice, Ms. Stamer continuously advises and assists employee benefit plans, their sponsoring employers, fiduciaries, insurers, administrators and others to monitor and respond to evolving legal and operational requirements and to design, administer, document and defend medical and other welfare benefit, qualified and non-qualified deferred compensation and retirement, severance and other employee benefit, compensation, and human resources programs and practices. Chair of the American Bar Association (ABA) RPTE Employee Benefits & Compensation Committee, an ABA Joint Committee on Employee Benefits Council member, Ms. Stamer also is a widely published author and highly regarded speaker on these and other employee benefit and human resources matters who is active in many other employee benefits, human resources and other management focused organizations  For additional information about Ms. Stamer and her experience or to access other publications by Ms. Stamer see here or contact Ms. Stamer directly.   For additional information about the experience and services of Ms. Stamer and other members of the Curran Tomko Tarksi LLP team, see here.

If you need assistance with these or other compliance concerns, wish to inquire about federal or state regulatory compliance audits, risk management or training, assistance investigating or responding to a known or suspected compliance or risk management concern, or need legal representation on other matters please contact the author of this update, Cynthia Marcotte Stamer, CTT Labor & Employment Practice Chair at cstamer@cttlegal.com, 214.270.2402; or your other preferred Curran Tomko Tarski LLP attorney.

You can review other recent human resources, employee benefits and internal controls publications and resources and additional information about the employment, employee benefits and other experience of Ms. Stamer here and learn more about other Curran Tomko Tarski LLP attorneys here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here or e-mailing this information to Cstamer@CTTLegal.com or registering to participate in the distribution of these and other updates on our Solutions Law Press distributions here. For important information concerning this communication click here.    If you do not wish to receive these updates in the future, send an e-mail with the word “Remove” in the Subject to here.

©2010 Cynthia Marcotte Stamer. All rights reserved.

Comments Off on SouthWest Benefits e-Connections Highlights Stamer Article About Importance For Health Plans, Their Sponsors & Business Associates To Update HIPAA Policies, Practices & Agreements | Data Security, ERISA, Fiduciary Responsibility, HIPAA, Human Resources, Wellness Programs | Tagged: , , , | Permalink
Posted by Cynthia Marcotte Stamer

Health Plan Liability Heats Up As Plans & Businesses Face New Obligations, Costs & Exposures under New HIPAA Privacy Rules Effective 2/17 & Other Expanding Federal Health Plan Mandates

February 17, 2010

Today (February 17, 2010), employer and other health plans and health insurers (“covered entities”) and service providers performing functions on behalf of these entities (“business associates”) must begin complying with tighter federal requirements for the use, access, protection and disclosure of protected health information under Privacy & Security Standards of the Health Insurance Portability & Accountability Act (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH Act). Coming as U.S. employers continue to struggle to provide health benefits in the face of skyrocketing health benefit costs, these and other new federal regulations impacting employment-based health plans and their sponsoring businesses, fiduciaries and administrators are forcing U.S. business leaders to make appropriate health plan cost and compliance management a key management priority.

2/17/10 & Other HIPAA Privacy Rule Changes Require Prompt Attention

The HIPAA Privacy Rule changes scheduled to take effect February 17, 2010 are likely to require that health plans and their business associates update their written policies, operational procedures, privacy notices and business associate agreements in several respects.

While the HITECH Act gave covered entities and business associates a year to complete the necessary arrangements to comply with these impending HITECH Act changes, many health plans and business associates have not completed the necessary arrangements despite expanding liability exposures that can result from noncompliance. To mitigate these exposures, covered entities and their business associates should act quickly both to update their services agreements, plans and policies, practices, and procedures, and to implement the training, oversight, and other management procedures necessary to comply with the HITECH Act changes and to mitigate other HIPAA risks.

The risks of noncompliance for health plans, business associates and others mishandling protected health information are real and growing. Wrongful use, access or disclosure of protected health information in violation of HIPAA subjects participating health plans, health care providers, health care clearinghouses, their business associates and other workforce members and others to civil penalties,  criminal prosecution and, since February 17, 2009, civil lawsuits brought by state attorneys general on behalf of citizens of their states whose HIPAA rights were violated.  Since September 23, 2009, health plans and other HIPAA covered entities as well as their  business associates also became obligated to provide breach notification under new mandates imposed by the HITECH Act. 

In addition to these HIPAA-specific exposures, wrongful use, access or disclosure of medical information also can give rise to liability for health plans and other covered entities, business associates, employees and other members of their workforce and others improperly using, accessing or disclosing protected health information.  Federal and state prosecutions may and increasingly do criminally prosecute individuals for improperly accessing or using medical or other personal information under a variety of other federal or state laws .  See e.g., Cybercrime & Identity Theft:Health Information Security Beyond HIPAA; NY AG Cuomo Annoucment of 1st Settlement For Violation of NY Security Breach Notification Law; Woman Who Revealed AIDs Info Gets A Year.  Additionally, State courts also increasingly are permitting individuals harmed by HIPAA violations to use HIPAA as the foundation of state law duties used to maintain state negligence, invasion of privacy, retaliation or other claims for damages. Read more here

To manage these and other HIPAA-related risks, sponsoring employers, fiduciaries, administrators, insurers and their vendors should begin with carefully and timely reviewing and updating existing plan documents, vendor agreements, privacy notices and other communications and associated practices and policies.  The focus of these efforts definitely should seek both to adopt the specific technical changes necessary to make the health plans and their contracts technically comply on paper with these and other HIPAA mandates, and to tailor these documents, communications and practices promote operational compliance and minimize exposure to associated risks.  In relation to these efforts, sponsoring employers, insurers, fiduciaries and administrators also should ensure that required certifications from employers and other plan sponsors, representations from business associates, training and other compliance conditions are properly in place.  In this respect, employers sponsoring health plans should not overlook the potential need to adopt appropriate policies and implement needed training and safeguards to enable the health plan and the employer demonstrate, if necessary that HIPAA’s requirements for sharing protected health information with members of the employer’s workforce for plan administration, underwriting or certain other purposes have been satisfied.

Other Health Plan Updates Also Required

The HIPAA Privacy Rule changes effective today are only part of the ever-growing list of federal mandates that group health plan sponsors, fiduciaries, insurers, administrators and service providers need to be concerned about.  In addition to the new HIPAA Privacy Rule requirements taking effect today, health plans, their sponsors, administrators, fiduciaries, insurers, business associates and other service providers face a host of other new federal health plan and privacy mandates that have taken effect over the past year, and will become subject to additional mandates in upcoming months.  Consequently, while focusing on HIPAA compliance, health plans, their employer or other sponsors, insurers, fiduciaries, administrators and service providers also should not overlook the need to review and update their health plans in response to a host of other changes in federal health plan mandates.

In addition to otherwise applicable civil damage awards and civil penalty exposures that can result from violations of these requirements, new Internal Revenue Service regulations that took effect January 1, 2010 also require that employers, health plans or others self-report violations of certain of these requirements and self assess and pay resulting excise taxes arising under the Internal Revenue Code.  See, e.g., COBRA, HIPAA, GINA, Mental Health Parity or Other Group Health Plan Rule Violations Trigger New Excise Tax Self-Assessment & Reporting Obligations

The highly volatile health plan regulatory environment makes it likely that many health plans are not appropriately updated to comply with these and other federal requirements. In recent months, health plans, their employer or other sponsors, administrators and others also have become obligated to comply with a host of other expanded federal health plan rules and requirements. See e.g., New Mental Health Parity Regulations Require Health Plan Review & Updates; New Labor Department Rule Allows Employers 7 Days To Deliver Employee Contributions To Employee Benefit Plans; Newly Extended COBRA Subsidy Rules Require Employers, Administrators Send Required Notices & Update Health Plan Documents & Procedures Quickly;  Employer & Other Health Plans & Other HIPAA-Covered Entities & Their Business Associates Must Comply With New HHS Health Information Data Breach Rules By September 23.

These and other developments make it imperative that health plans, their employer or other  sponsors, administrators, insurers, fiduciaries and service providers get serious about complying with these and other federal health plan mandates and managing health plan related liabilities and costs. Sponsors, insurers, fiduciaries and administrators should ensure that health plan documents, insurance and other vendor contracts, policies, procedures and communications are timely updated to comply with these and other emerging mandates.  When implementing these updates, parties concerned about costs or liabilities also should exercise care to ensure that plan documents, communications, contracts, administrative forms and procedures are optimally designed and drafted not only to be technically compliant, but also to support the enforceability of plan design and cost expectations, minimize administrative and other avoidable costs, and minimize liability exposures.  In furtherance of these efforts, employer and other plan sponsors also should consider tightening their practices and requirements for credentialing, selection, oversight and contracting with administrators and vendors, and take other prudent steps to manage health plan related risks.

Curran Tomko Tarski LLP Can Help

If your organization need advice or assistance in reviewing, updating, administering or defending its HIPAA or other privacy policies, practices, business associate or other agreements, notices or other related activities, consider contacting Curran Tomko Tarski LLP Partner Cynthia Marcotte Stamer.

A widely published author and speaker on HIPAA and other employee benefit and human resources related matters, Ms. Stamer has extensive experience advising health plans, their employer and other sponsors, health insurers, TPAs and other business associates and others about HIPAA and other health plan and privacy matters. Currently serving as both Chair of the American Bar Association (ABA) RPTE Employee Benefits & Other Compensation Group and as an ABA Joint Committee on Employee Benefits Council representative and Former Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, Ms. Stamer has more than 23 years experience assisting employers, insurers, plan administrators and fiduciaries and others to design, implement, draft and administer health and other employee benefit plans and to defend audits, litigation or other disputes by private parties, the IRS, Department of Labor, Office of Civil Rights, Medicare, state insurance regulators and other federal and state regulators. A nationally recognized author and lecturer, Ms. Stamer also speaks and writes extensively on these and other related matters. For additional information about Ms. Stamer and her experience or to access other publications by Ms. Stamer see here or contact Ms. Stamer directly.   For additional information about the experience and services of Ms. Stamer and other members of the Curran Tomko Tarksi LLP team, see here.

Other Information & Resources

We hope that this information is useful to you. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here or e-mailing this information here or registering to participate in the distribution of our Solutions Law Press HR & Benefits Update distributions here.  Examples of other recent updates that may be of interest include:

For important information concerning this communication click here.   

 ©2010 Cynthia Marcotte Stamer. All rights reserved.

Comments Off on Health Plan Liability Heats Up As Plans & Businesses Face New Obligations, Costs & Exposures under New HIPAA Privacy Rules Effective 2/17 & Other Expanding Federal Health Plan Mandates | COBRA, Corporate Compliance, Data Security, ERISA, Fiduciary Responsibility, FMLA, GINA, Health Care Reform, Health Plans, HIPAA, Human Resources, Insurance, Internal Controls, Prescription Drugs, Privacy, Wellness Programs | Tagged: , , , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

Health Plans & Business Associates Face 2/17 Deadline To Update Policies, Contracts & Procedures For HIPAA Privacy Rule Changes

February 15, 2010

Connecticut AG Lawsuit Highlights Expanding Civil Damage Exposure Risks Of Noncompliance 

By Cynthia Marcotte Stamer

By Wednesday, February 17, 2010, employer and other health plans and health insurers (“covered entities”) and service providers performing functions on behalf of these entities (“business associates”) must begin complying  with tighter federal requirements for the use, access, protection and disclosure of protected health information under Privacy & Security Standards of the Health Insurance Portability & Accountability Act (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH Act). The changes scheduled to take effect February 17, 2010 are likely to require that health plans and their business associates update their written policies, operational procedures, privacy notices and business associate agreements in several respects.

While the HITECH Act gave covered entities and business associates a year to complete the necessary arrangements to comply with these impending HITECH Act changes, many health plans and business associates have not completed the necessary arrangements despite expanding liability exposures that can result from noncompliance. To mitigate these exposures, covered entities and their business associates should act quickly both to update their services agreements, plans and policies, practices, and procedures, and to implement the training, oversight, and other management procedures necessary to comply with the HITECH Act changes and to mitigate other HIPAA risks.

2/17/10 Deadline To Comply With HITECH Act HIPAA Amendments

On February 17, 2010, health plans and other covered entities and their business associates will become subject to the latest to take effect in a series of amendments to the HIPAA enacted under the HITEC Act.  The new rules are part of a broader series of changes to HIPAA made by the HITECH Act that collectively both significantly expand the obligations of covered entities and their business associates to regarding the use, protection and disclosure of protected health information and the liability exposures that can result when covered entities or business associates violate these requirements.

The changes scheduled to take effect February 17, 2010 are likely to require that health plans and their business associates update their written policies, operational procedures, privacy notices and business associate agreements in several respects. For instance, effective February 17, 2010, the HITECH Act generally requires that covered entities and their business associates revise their written privacy policies, privacy notices and operating procedures:

  • To meet expanded requirements to honor individual’s requests for special restrictions on uses and disclosures of protected health information to health plans for payment purposes
  • To restrict protected health information disclosures to the minimum necessary required to accomplish otherwise allowable purpose;
  • To comply with new rules that require that the covered entity and its business associates treat any use, access or disclosure of any protected health information made for purposes of making communications about products or services as made for marketing, rather than operational, purposes which are prohibited by HIPAA except where HIPAA’s requirements are met;
  • To comply with new restrictions on certain fundraising communications made for operational purposes including expanded obligations to allow recipients to opt out of further fundraising communications;
  • To prohibit covered entities or business associates from selling protected health information without meeting the amended requirements of HIPAA that a valid HIPAA authorization from the subject of the information and specific reassurances from the purchaser concerning its subsequent use of the protected health information except as otherwise permitted by HIPAA;
  • To take into account these tightened restrictions on the use, access or disclosure of protected health information for purposes of complying with new HITECH Act breach notification requirements that took effect in September, 2009, which apply when a covered entity or its business associate knows or should know a breach of “unsecured protected health information” has occurred and for purposes of making the necessary changes in written policies and business associate agreements, training and operational procedures necessary to comply with these rules;
  • To directly require business associates comply with HIPAA’s requirements in the same manner as other covered entities and make it necessary or advisable that that service provider agreements between health plans and business associates be updated to reflect these and other changes to HIPAA; and
  • To implement the necessary written policy changes, notification updates, business associate agreement amendments, training, management oversight and other procedural changes necessary to demonstrate fulfillment with these requirements.

Noncompliance with these and other HIPAA requirements subjects covered entities and business associates to civil penalties, criminal prosecution, civil damage awards under lawsuits brought by state attorneys general, and other legal remedies.  In addition, timely update written policies, procedures, business associate agreements, training and documentation is imperative in order for covered entities and their business associates to fulfill their breach notification obligations under new rules enacted as part of the HITECH Act. 

Under the HITECH Act, health plans and other covered entities and their business associates have been obligated since September 23, 2009 to notify individuals who are the subject of protected health information, the Department of Health & Human Services and in some cases the media if and when a breach of “unsecured protected health information occurs. Failing to timely update written policies, procedures and training increases the likelihood that health plans, other covered entities or business associates will be obligated to provide breach notifications under these new rules, in addition to their otherwise applicable exposures under HIPAA.

HIPAA Enforcement & Liability Exposures Real and Rising

Health plans and other covered entities, their business associates and others involved in health plan design and operations generally should resist the temptation to underestimate their potential HIPAA exposure based on the limited enforcement of HIPAA by the Office of Civil Rights between 2003 and 2009 for a variety of reasons.

First, the changes taking effect on February 17, 2010 follow the implementation changes to HIPAA’s civil and criminal sanctions that took effect on February 17, 2009, when President Obama signed the HITECH Act into law and the new breach notification requirements added by the HITECH Act that took effect on September 23, 2009. The HITECH Act amendments to HIPAA’s remedies significantly increase the risk that health plans and other covered entities and their business associates will face civil lawsuits, civil or criminal penalties or other consequences for violating HIPAA. 

The expanded risks stem in part from the HITECH Act’s amendments to HIPAA’s remedy provisions.  Among other things, the HITECH Act amended HIPAA to:

  • Allow a State Attorney General to sue health plans or other covered entities, business associates or both that harm state citizens by committing HIPAA violations after February 16, 2009;
  • Expand the mandate by the Office of Civil Rights to investigate violations and audit compliance with HIPAA;
  • Require Office of Civil Rights to impose civil sanctions against health plans and other covered entities and their business associates involved in violations of HIPAA in accordance with tightened standards added to HIPAA by the HITECH Act;
  • Revise the criminal sanctions that the Department of Justice can seek against health plans and other covered entities, their business associates and others for violations of HIPAA;
  • Amend HIPAA to make clear that HIPAA’s criminal sanctions also can imposed on business associates, workforce members and other persons that improperly use, access and disclose protected health information in violation of HIPAA.

A HIPAA civil lawsuit filed on January 13, 2010 demonstrates the willingness of at least some states to exercise the new authority created by the HITECH Act on February 17, 2009 to sue covered entities and business associates that violate HIPAA for civil damages.

The HITECH Act empowers a state attorney general to sue covered entities or business associates engaging in HIPAA violations that harms citizens of the state for statutory damages equal to the sum of the number of violations multiplied by 100 up to a maximum of $25,000 per calendar year plus attorneys fees and costs

On January 13, 2010 Connecticut Attorney General Richard Blumenthal sued Health Net of Connecticut, Inc. (Health Net) for failing to secure private patient medical records and financial information involving 446,000 Connecticut enrollees and promptly notify consumers endangered by the security breach.   The suit also names UnitedHealth Group Inc. and Oxford Health Plans LLC, who have acquired Health Net.  The first attorney general enforcement action brought based on amendments made to HIPAA under the HITECH Act, Connecticut charges that Health Net violated HIPAA by failing to safeguard protected medical records and financial information on almost a half million Health Net enrollees in Connecticut then allowing this information to remain exposed for at least six months before notifying authorities and consumers.

Even before the HITECH Act amendments, however, the Office of Civil Rights and Department of Justice already were stepping up HIPAA investigation and enforcement.  The Department of Justice has obtained a variety of criminal convictions against violators of HIPAA.  See, e.g., 2 New HIPAA Criminal Actions Highlight Risks From Wrongful Use/Access of Health InformationMeanwhile, the Office of Civil Rights in February, 2009 announced that CVS Pharmacies, Inc. would pay $2.25 million to resolve HIPAA charges.  This announcement followed the Office of Civil Rights announcement in July, 2008 that Providence Health Care would pay $100,000 to resolve HIPAA violation charges.  While not resulting in the significant payments involved in CVS or Providence, the Office of Civil Rights also taken HIPAA enforcement actions against a broad range of other covered entities to redress HIPAA violations or other compliance concerns.  To review examples of these other actions, see here

Along side these governmental actions, state courts also increasingly are willing to allow individual plaintiffs to rely on violations of HIPAA as the basis for bringing state privacy, retaliation or other actions.  While prior to the recent HITECH Act amendments, federal courts had ruled that private plaintiffs could not sue under HIPAA for damages they incurred from a covered entity’s violation of HIPAA, state courts have allowed private plaintiff’s to use the obligations imposed by HIPAA as the basis of a covered entity’s duty for purposes of certain state law lawsuits.  In  Sorensen v. Barbuto, 143 P.3d 295 (Utah Ct. App. 2006), for example, a Utah appeals court ruled a private plaintiff could use HIPAA standards to establish that a physician owed a duty of confidentiality to his patients for purposes of maintaining a state law damages claim.  Similarly, the Court in Acosta v. Byrum, 638 S.E. 2d 246 (N.C. Ct. App. 2006) ruled that a plaintiff could use HIPAA to establish the “standard of care” in a negligence lawsuit.  Meanwhile, private plaintiffs employed by covered entities also are increasingly pointing to HIPAA as the basis for their retaliation claims. See, e.g.,  Retaliation For Filing HIPAA Complaint Recognized As Basis For State Retaliatory Discharge Claim.  Coupled with the HITECH Act changes, these and other enforcement actions signal growing potential hazards for covered entities and their business associates that  fail to properly manage their HIPAA compliance obligations and risks.

Health Plans & Business Associates Should Take Timely Action To Comply & Manage Risks

As a consequence of these collective HITECH Act changes and growing HIPAA-related exposures, both health plans and business associates generally will find it necessary or advisable among other things to:

  • Conduct well-documented due diligence on each other’s practices and procedures to improve their ability to demonstrate both their commitment to compliance and their realistic efforts to ensure that these commitments are operationalized in performance;
  • Renegotiate their service provider agreements to detail the specific compliance obligations of each party relating to for auditing compliance, investigating potential breaches; providing required breach notifications; specify leadership and required cooperation in the event of a breach, charge, or other concern; indemnification and other liability allocations; and other related matters; and
  • Pursue appropriate liability and other protection as appropriate.

As part of these compliance and risk management efforts, most covered entities and their business associates will find it advisable to devote significant attention to the business associate relationship and its associated business associate agreements. 

Proper management of the expanded compliance obligations and liability exposures created by the HITECH Act generally will necessitate that health plans and other covered entities and their business associates focus significant attention on the reworking of their operating and contractual relationships. 

Even before the impending HIPAA changes scheduled to take effect on February 17, 2010, a strong need for more detailed contracting and planning of these relationships already existed. Since the enactment of HIPAA, the practice of many covered entities and their business associates of appending generic “business associate” representations onto existing services contracts without specific tailoring and planning has created undesirable ambiguities in these agreements.

Further updating and tailoring of these and other provisions of services agreements has become even more important over the past year in light of the new breach notification mandates that took effect under the HITECH Act in September, 2009, changes to HIPAA’s civil and criminal sanctions that took effect on February 17, 2009, and the impending extension by the HITECH Act to business associates of direct liability for compliance with HIPAA scheduled to occur on February 17, 2010.

Given these changes and the associated obligations and risks, both health plans and other covered entities and their business associates generally should act quickly to manage their own compliance and to minimize exposures that may result from the other’s compliance deficiencies.  As part of these efforts, both covered entities and their business associates generally should review and tighten business associate and other service agreement provisions to provide for more specific and comprehensive HIPAA-related contractual assurances, as well as improved cooperation, coordination, management and oversight.

Curran Tomko Tarski LLP Can Help

If your organization need advice or assistance in reviewing, updating, administering or defending its HIPAA or other privacy policies, practices, business associate or other agreements, notices or other related activities, consider contacting Curran Tomko Tarski LLP Partner Cynthia Marcotte Stamer.

A widely published author and speaker on HIPAA and other related matter, Ms. Stamer has extensive experience advising health plans, their employer and other sponsors, health insurers, TPAs and other business associates and others about HIPAA and other health plan and privacy matters. Currently serving as both Chair of the American Bar Association (ABA) RPTE Employee Benefits & Other Compensation Group and as an ABA Joint Committee on Employee Benefits Council representative and Former Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, Ms. Stamer has more than 23 years experience assisting employers, insurers, plan administrators and fiduciaries and others to design, implement, draft and administer health and other employee benefit plans and to defend audits, litigation or other disputes by private parties, the IRS, Department of Labor, Office of Civil Rights, Medicare, state insurance regulators and other federal and state regulators.  As part of this work, she regularly assists clients to review and update policies, practices, contracts, notices and procedures to comply with HIPAA and other requirements.  A nationally recognized author and lecturer, Ms. Stamer also speaks and writes extensively on these and other related matters. For additional information about Ms. Stamer and her experience or to access other publications by Ms. Stamer see here or contact Ms. Stamer directly.   For additional information about the experience and services of Ms. Stamer and other members of the Curran Tomko Tarksi LLP team, see here.

Other Information & Resources

We hope that this information is useful to you. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here or e-mailing this information here or registering to participate in the distribution of our Solutions Law Press HR & Benefits Update distributions here.  Examples of other recent updates that may be of interest include:

For important information concerning this communication click here.   If you do not wish to receive these updates in the future, send an e-mail with the word “Remove” in the Subject here.

 ©2010 Cynthia Marcotte Stamer. All rights reserved.

Comments Off on Health Plans & Business Associates Face 2/17 Deadline To Update Policies, Contracts & Procedures For HIPAA Privacy Rule Changes | ARRA, Employers, ERISA, Fiduciary Responsibility, GINA, Health Plans, HIPAA, Human Resources, Insurance, Internal Controls, Internal Investigations, Privacy, Protected Health Information, Risk Management, Stimulus Bill | Tagged: , , , , , , , , , , , , , , , , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

Inapplicability of HIPAA Privacy To Disability Insurer Not License To Impose Unreasonable Claims Requirements

February 8, 2010

By Cynthia Marcotte Stamer 

While finding the Privacy Standards imposed by the Health Insurance Portability & Accountability Act (HIPAA) inapplicable to disability insurers, a recent Louisiana Court of Appeals nevertheless ruled that the insurer was not entitled to dismissal of the lawsuit challenging the denial of disability benefits brought by a state employee for failure to meet proof of loss requirements based on his failure to sign insurer required medical authorization.  Disability insurers and plan fiduciaries should heed the decision as a reminder that exemption from HIPAA does not amount to a license to impose unreasonable proof of loss or requirements inconsistent with a reasonable reading of the terms of the applicable plan or policy, or other applicable regulations.

Harris v. Metropolitan Life Ins. Co., — So.3d —-, 2010 WL 415262, 2009-0034 (La.App. 1 Cir. 2/5/10), involved a lawsuit challenging the continuing  refusal of Metropolitan Life Insurance to and its designates to approve the disability benefit claim of Louisiana Supreme Court employee Jack Harris.  Metropolitan repeatedly asked insisted that Mr. Harris submit to a physical examination and sign various medical and other authorizations including an “Attending Physician’s Statement” and an “Employee Authorization,” and sign certain other documents.  While Mr. Harris sent the “Attending Physician’s Statement” to his treating physician, he declined to sign the Employee Authorization and certain other subsequently requested consents on the grounds of HIPAA.  While  he provided to a HIPAA-compliant authorizations to his medical providers to release  all medical records, medical opinions, and medical reports relating to Mr. Harris’ past and current treatment for purposes of the claim, he declined and instead filed suit contending that the information and releases already provided met the proof of loss requirements of the policy.

Upon motion of Metropolitan, the trial court found that Mr. Harris’ failure to sign the authorizations and submit to the medical examination required by Metropolitan rendered his claim “premature.”  Upon appeal, however, the Court of Appeals overruled this determination.  While the Court of Appeals agreed with the trial court that the special authorization rules imposed by HIPAA did not apply to a disability insurer such as Metropolitan, it also ruled that its right to require a claimant to sign authorizations, submit to medical examinations or meet other proof of loss conditions must be reasonable in light of the terms of the policy.  Accordingly, although the Court of Appeals agreed that the proof of loss and other provisions of the disability policy authorized Metropolitan to require a disability claimant to undergo an independent medical examination “as often as reasonably required,” the Court of Appeals ruled that Mr. Harris’ submission to the independent medical examination was not a condition precedent to the initiation of litigation by an insured and that the “medical authorization” demanded by Metropolitan was far broader than what the policy allowed as reasonably required for the independent medical examination.  Accordingly, the Court of Appeals overruled the trial court’s dismissal of the disability claim and remanded the action to the trial court for hearing.

While affirming that the HIPAA Privacy Standards don’t directly apply to disability insurers, the Harris decision also demonstrates that disability insurers should not over-estimate the effect of this exemption. While HIPAA may not apply, disability insurers generally remain bound by the reasonable construction of their policy terms, taking into account otherwise applicable laws and regulations.  Accordingly, disability and other HIPAA-exempt insurers and plans should not confuse the inapplicability of the HIPAA authorization requirements for carte blanche to impose unreasonable authorization or other proof of loss requirements inconsistent with their policy terms.

If you have questions about or need assistance evaluating, commenting on or responding to this invitation or other employee benefit, employment, compensation, employee benefit, workplace health and safety, corporate ethics and compliance practices, concerns or claims, please contact the author of this article, Curran Tomko Tarski LLP Labor & Employment Practice Group Chair Cynthia Marcotte Stamer.  Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization, Chair of the American Bar Association RPTE Employee Benefits & Other Compensation Group, and a Council Member on the ABA Joint Committee on Employee Benefits, Ms. Stamer has more than 22 years experience advising and assisting employers, employee benefit plan and their fiduciaries, insurers, administrators, and others about policy and plan, process, and product design, administration, documentation, risk management and defense under ERISA, COBRA, HIPAA, labor and employment, tax, state banking and insurance, and other laws.  Her work includes extensive experience advising and defending employee benefit plan fiduciaries and insurers about the investigation of disability, health and other claims and appeals.  She also advises, assists, trains, audits and defends employers and others regarding the federal and state Sentencing Guideline and other compliance, equal employment opportunity, privacy,  leave, compensation, workplace safety, wage and hour, workforce reengineering, and other labor and employment and defends related audits, investigations and litigation, charges, audits, claims and investigations by the IRS, Department of Labor and other federal and state regulators. Ms. Stamer also speaks, writes and conducts training extensively on these and other related matters. For additional information about Ms. Stamer and her experience, see here or to access other publications by Ms. Stamer see here or contact Ms. Stamer directly.   For additional information about the experience and services of Ms. Stamer and other members of the Curran Tomko Tarksi LLP team, see here.

Other Information & Resources

We hope that this information is useful to you. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here or e-mailing this information here or registering to participate in the distribution of our Solutions Law Press HR & Benefits Update distributions here.  Some other recent updates that may be of interested include the following, which you can access by clicking on the article title:

For important information concerning this communication click here.   If you do not wish to receive these updates in the future, send an e-mail with the word “Remove” in the Subject here.

©2010 Cynthia Marcotte Stamer. All rights reserved. 

Comments Off on Inapplicability of HIPAA Privacy To Disability Insurer Not License To Impose Unreasonable Claims Requirements | Disability Plans, Employee Benefits, Employers, ERISA, Fiduciary Responsibility, Health Plans, HIPAA, Human Resources, Insurance, Retirement Plans | Tagged: , , , , , , , , , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

Health Plans & Employers Can Expect Pressure To Pay For Childhood Obesity Counseling From New American Academy of Pediatrics Report

January 25, 2010

By Cynthia Marcotte Stamer

New American Academy of Pediatrics recommendations calling for early intervention and intensive behavioral therapy to treat childhood obesity promise to increase demands for employer sponsored and other health plans to reimburse the costs of these treatments.

With health care providers and government officials increasingly emphasizing the need for prevention and intervention, employers and health insurers face greater pressure to offer health benefit coverage for weight management and other obesity prevention and treatment. Aside from determining what treatments to coverage generally, recent changes in the Americans With Disabilities Act statute and its enforcement and interpretation by the Equal Employment Opportunity Commission, the recently effective employment and health plan nondiscrimination rules of the Genetic Information and Nondiscrimination Act, health information and other privacy rules and other legal changes make the appropriate design and administration of obesity and other wellness, disease management and other programs targeting obesity or other chronic conditions legally and operationally challenging.  Employers and insurers concerned with these issues should exercise care to properly understand and appropriately manage the legal and operational complexities, risks, costs and benefits when designing health and other programs to manage health care, disability and other costs of obesity and other chronic diseases.

Read the report and about discrimination and other issues that employers and insurers may need to manage under evolving federal rules when deciding how to design and manage obesity and other wellness and disease management programs here.

If you have questions about wellness, disease management or other health and wellness benefit, disability prevention and management, or other employee benefit, employment, compensation, workplace health and safety, corporate ethics and compliance practices, concerns or claims, please contact the author of this article, Curran Tomko Tarski LLP Labor & Employment Practice Group Chair Cynthia Marcotte Stamer. 

Chair of the American Bar Association (ABA) RPTE Employee Benefits & Other Compensation Group, an ABA Joint Committee on Employee Benefits Council Member, Past Chair of the ABA Managed Care & Insurance Group and RPTE Welfare Benefits Committee and Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization, Ms. Stamer is experienced advising and assisting government leaders, employers, health and other employee benefit plans and their fiduciaries, insurers, financial advisory services, and administrators, health care providers, and others about obesity and other disease management and wellness programs, as well as other related employee benefit and employment matters.  A widely published author on these and other health and disability benefit and management concerns, Ms. Stamer has advised and represented employers, health plans and others on these and other matters for more than 20 years. Author of the Personal Health Care Toolkit, Ms. Stamer also has lead the development of wellness and disease management initiatives for the National Kidney Foundation of North Texas and other organizations. Ms. Stamer also speaks and writes extensively on these and other related matters. For additional information about Ms. Stamer and her experience, see here or to access other publications by Ms. Stamer see here or contact Ms. Stamer directly.   For additional information about the experience and services of Ms. Stamer and other members of the Curran Tomko Tarksi LLP team, see here.

Other Information & Resources

We hope that this information is useful to you. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here or e-mailing this information here or registering to participate in the distribution of our Solutions Law Press HR & Benefits Update distributions here.  Some other recent updates that may be of interested include the following, which you can access by clicking on the article title:

For important information concerning this communication click here.   If you do not wish to receive these updates in the future, send an e-mail with the word “Remove” in the Subject here.

©2010 Cynthia Marcotte Stamer. All rights reserved. 

Comments Off on Health Plans & Employers Can Expect Pressure To Pay For Childhood Obesity Counseling From New American Academy of Pediatrics Report | Corporate Compliance, EEOC, Employee Benefits, ERISA, Fiduciary Responsibility, GINA, Health Plans, Human Resources, Internal Investigations, Leave, Mental Health, Rehabilitation Act, Wellness, Wellness Programs | Tagged: , , , , , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

Rising Enforcement and Changing Rules Require Prompt Review & Update of Health Plan Privacy & Data Security Policies & Procedures

December 25, 2009

Health plans and their business associates should review and update their practices and policies concerning the use access and disclosure of protected health information in response to changing requirements and expanding enforcement exposures under the Health Insurance Portability & Accountability Act of 1996 (HIPAA) Privacy and Security Rules.

A series of Office of Civil Rights (OCR) enforcement action against health plans highlights the need for group health plans and insurers to exercise care to comply with HIPAA’s Privacy & Security Rules.  For example, OCR recently required a HMO to take a series of corrective actions based on findings from its investigation of a complaint that the HMO impermissibly disclosed a member’s protected health information by sending her entire medical record to a disability insurance company without her authorization.  Based on its investigation, OCR found the HMO violated HIPAA by relying on a form to make the disclosure that failed to meet the Privacy Rule requirements to qualify as a valid authorization under the Privacy Rule.  Based on these findings, OCR required the HMO among other things:

  • To create a new HIPAA-compliant authorization form that specifies what records and/or portions of the files will be disclosed, that the respective authorization will be kept in the patient’s record, together with the disclosed information and otherwise to meet the content requirements of the Privacy Rule for an authorization; and
  • To implement a new policy that directs staff to obtain patient signatures on these forms before responding to any disclosure requests, even if patients bring in their own “authorization” form.

Another action resulted after a national health maintenance organization sent explanation of benefits (EOB) by mail to a complainant’s unauthorized family member. OCR’s investigation determined that a flaw in the health plan’s computer system put the protected health information of approximately 2,000 families at risk of disclosure in violation of the Privacy Rule.  To resolve this case, OCR required among other things that the insurer to correct the flaw in its computer system, review all transactions for a six month period and correct all corrupted patient information.

In yet another case, OCR found an employee of a major health insurer impermissibly disclosed the PHI of one of its members without following the insurer’s authorization and verification procedures. Among other corrective actions to resolve the specific issues in the case, OCR required the health insurer to train its staff on the applicable policies and procedures, to take action to mitigate the harm to the individual and to counsel and give a written warning to an employee who made the disclosure.

While OCR declined to impose any civil penalties in any of these three instances, violations of the Privacy Rules have resulted in both criminal prosecutions by the Department of Justice and the payment of large civil settlements to OCR.  See, e.g., 2 New HIPAA Criminal Actions Highlight Risks From Wrongful Use/Access of Health Information  HIPAA Risks Soar As CVS Agrees to Pay $2.25 Million To Resolve HIPAA Charges & Stimulus Bill Amends HIPAA.  Furthermore, recent amendments to the Privacy Rules increase the likelihood that health plans and other covered entities violating the Privacy Rules will incur civil penalties.  The American Recovery and Reinvestment Act of 2009 (ARRA) amended the Privacy Rules effective October, 2009 to increase the civil penalties for Privacy Rule violations and to include new breach notification requirements for covered entities.  Additional ARRA amendments to HIPAA scheduled to take effect February 17, 2010 will further tighten the conditions under which covered entities may use, access or disclose PHI under the Privacy Rules, will expand the circumstances under which health plans and other covered entities will be required to account for dealings with PHI under HIPAA, and will extend the duty to comply with and liability for violations of the Privacy Rules to business associates.  In the meanwhile, employees increasingly are alleging Privacy Rule violations as part of their whistleblower or other wrongful discharge claims.  See, e.g. Retaliation For Filing HIPAA Complaint Recognized As Basis For State Retaliatory Discharge Claim.

In light of these changing rules and expanding liabilities, health plans and their business associates need to review and update their Privacy and Security practices, business associate agreements and privacy notices for compliance in light of the expanding enforcement activities of OCR and these evolving Privacy and Security Rules.  These and other developments make it imperative that health plans and other covered entities and their business associates immediately review and update their HIPAA and other data security and privacy practices to guard against growing liability exposures under HIPAA and other federal and state laws.

If your organization needs assistance reviewing, updating, administering or defending privacy and data security practices under HIPAA, state data breach or other laws, Curran Tomko Tarski LLP can help.  The author of this update, Curran Tomko Tarski LLP Partner Cynthia Marcotte Stamer has extensive experience advising and assisting health plans, health insurers, and other covered entities and business associates to review, update, document, enforce and defend their HIPAA and other privacy and data security policies and practices.  The author of numerous publications on HIPAA and other privacy and data security rules, she also speaks and conducts training extensively on these concerns. 

Ms. Stamer is experienced with assisting employers, insurers, administrators, and others to design and administer group health plans cost-effectively in accordance with HIPAA and other applicable federal regulations as well as well as advising and defending employers, health plans, insurers and others against privacy, tax, employment discrimination and other labor and employment, and other related audits, investigations and litigation, charges, audits, claims and investigations by the OCR, DOJ,IRS, Department of Labor and other federal and state regulators.. Chair of the American Bar Association RPTE Employee Benefits & Other Compensation Group, a representative to the ABA Joint Committee on Employee Benefits Council, past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization, Ms. Stamer has advised and represented employers on these and other labor and employment, compensation, employee benefit and other personnel and staffing matters for more than 22 years. Ms. Stamer also speaks and writes extensively on these and other related matters. For additional information about Ms. Stamer and her experience or to access other publications by Ms. Stamer see here or contact Ms. Stamer directly.   For additional information about the experience and services of Ms. Stamer and other members of the Curran Tomko Tarksi LLP team, see here.

Other Information & Resources

We hope that this information is useful to you. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here or e-mailing this information here or registering to participate in the distribution of our Solutions Law Press HR & Benefits Update distributions here.  Some other recent updates that may be of interested include the following, which you can access by clicking on the article title:

 

For important information concerning this communication click here.   If you do not wish to receive these updates in the future, send an e-mail with the word “Remove” in the Subject here.

©2009 Cynthia Marcotte Stamer. All rights reserved. 

Comments Off on Rising Enforcement and Changing Rules Require Prompt Review & Update of Health Plan Privacy & Data Security Policies & Procedures | Corporate Compliance, Data Security, Employee Benefits, Employers, ERISA, Health Plans, HIPAA, Human Resources, Insurance, Internal Controls, Privacy, Protected Health Information, Risk Management | Tagged: , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

Health Plans Must Comply with New HHS Interim Final Data Breach Rules Beginning September 24; Register to Participate In September 10th Briefing on New Rules In Person or Via Telephone

August 20, 2009

Employers and other health plan sponsors, fiduciaries, insurers and service providers need to move quickly to prepare to comply with  “breach notification” regulations issued by the U.S. Department of Health and Human Services (HHS) yesterday (August 19, 2009).  The new data breach regulations will require health plans, as well as  health care providers, business associates and other covered entities (Covered Entities) under the personal health information privacy and security rules of the Health Insurance Portability & Accountability  (HIPAA) to notify affected individuals following a “breach” of “unsecured” protected health information. Scheduled for publication in the Federal Register on August 24, 2009, the new breach notification regulations are part of a series of new rules that implement new electronic personal health information data security and data breach notification requirements for Covered Entities added to HIPAA under the Health Information Technology for Economic and Clinical Health (HITECH) Act signed into law on February 17, 2009 as part of American Recovery and Reinvestment Act of 2009 (ARRA).  Covered entities must begin complying with the new rules no later than September 24, 2009.

Curran Tomko Tarski, LLP Health Practice leader Cynthia Marcotte Stamer will conduct a briefing on these new protected health information data security and data breach rules on Thursday, September 10, 2009 from Noon to 1:30 P.M. Central Time. For a registration fee of $45.00, registrants will have the option to participate via teleconference or in person at the offices of Curran Tomko Tarski LLP, 2001 Bryan Street, Suite 2050, Dallas Texas 75201.  For more information, e-mail here.

 HITECH Act Data Breach and Unsecured PHI Rules

The new data breach notification rules are part of a series of recent HIPAA enacted under the HITECH Act to strengthen the federal rules requiring HIPAA covered entities to safeguard electronic and certain other protected health information. Enhanced data security and data breach rules added as part of these HITECH Act amendments obligate  covered entities and business associates to provide certain notifications following a breach of “unsecured”  “protected health information” within the meaning of HIPAA, as amended.  “Unsecured protected health information” is defined as protected health information that is not secured through the use of a technology or methodology specified by the HHS Secretary.

The new data breach regulations implement the HITECH Act requirement that Covered Entities and their business associates notify affected individuals, the Secretary of HHS, and in some cases, the media, of a breach and the form, manner, and timing of that notification.  For purposes of the HITECH Act, electronic protected health information is considered “unsecured” unless the covered entity has satisfied certain minimum standards for the protection of that data established pursuant to the HITECH Act.  HHS and the Federal Trade Commission previously issued certain initial guidance concerning the HITECH Act standards for determining when electronic personal health information qualifies as secure.  To help further define when electronic health information is treated as “unsecured” and therefore subject to the breach notification requirements, the data breach rules also update and clarify the previously issued existing HHS guidance specifying encryption and destruction as the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals published earlier this year by HHS to for purposes of determining when protected health information will be considered “unsecured” for purposes of the HITECH Act data breach rules.  Entities subject to the HHS and FTC regulations that secure health information as specified by the guidance through encryption or destruction are relieved from having to notify in the event of a breach of such information.  

The HHS interim final regulations are effective September 24, 2009, which is the date 30 days after the date they will be published on the Federal Register and include a 60-day public comment period. To review the interim final data breach regulations, see here.  To review the HITECH Act Breach Notification Guidance and Request for Information, see here.

For More Information

The author of this article, Curran Tomko and Tarski LLP Labor and Employment and Health Care Practice Chair Cynthia Marcotte Stamer has extensive experience advising and assisting employer and other health plan sponsors, insurers, managed care providers and other health and insurance industry clients about HIPAA and other privacy and data security matters, as well as a diverse range of health care, employment, and emplyee benefit policy, regulatory, compliance, risk management and operational concerns. 

Current Chair of the American Bar Association (ABA) Real Property, Trusts & Estates Employee Benefit & Other Compensation Committee, an ABA Joint Committee on Employee Benefits Council member, past chair of the American Bar Association Health Law Section Managed Care & Insurance Section, Martindale Hubble AV-rated and recognized in International Who’s Who of Professionals, Ms. Stamer continuously advises health care providers, health care payers and administrators, employers, governments and others about health care, insurance, human resources, privacy and data security, technology, and other legal and operational concerns.  A popular lecturer and widely published author on privacy and data security and other related health care and health plan matters, Ms. Stamer also writes and speaks extensively on health and managed care industry privacy, data security and other technology, regulatory and operational risk management matters.  She currently serves as the Editor in Chief of the forthcoming 2010 edition of the Information Security Guide to be published by the American Bar Association Information Security Committee in 2010.  Examples of her other works include “Protecting & Using Patient Data In Disease Management: Opportunities, Liabilities And Prescriptions,” “Privacy Invasions of Medical Care-An Emerging Perspective,” “Cybercrime and Identity Theft: Health Information Security Beyond HIPAA,” and a host of others.  Her insights on health care, health insurance, human resources and related matters appear in the Atlantic Information Service Privacy Report, The Wall Street Journal, Business Insurance, the Dallas Morning News, Managed Healthcare, Health Leaders, and a various other national and local publications.  For additional information about Ms. Stamer, her experience, involvements, programs or publications, see here.  

We hope that this information is useful to you.  If you need assistance monitoring, evaluating or responding to these or other proposed health care or other regulatory reforms or with other health care compliance, risk management, transaction or operation concerns, please contact the author of this update, Curran Tomko Tarski LLP Health Practice Group Chair, Cynthia Marcotte Stamer, at (214) 270-2402, cstamer@cttlegal.com or your other favorite Curran Tomko Tarski LLP Partner.

We also encourage you and others to join the discussion about these and other health care reform proposals and concerns by joining the Coalition for Responsible Health Care Reform Group on Linkedin, registering to receive these updates here.

Other Helpful Resources & Other Information

We hope that this information is useful to you.   If you found these updates of interest, you also be interested in one or more of the following other recent articles published on our electronic Solutions Law Press Health Care Update publication available here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please register to receive this Solutions Law Press Health Care Update here and be sure that we have your current contact information – including your preferred e-mail- by creating or updating your profile at here. You can access other recent updates and other informative publications and resources provided by Curran Tomko Tarski LLP attorneys and get information about its attorneys’ experience, briefings, speeches and other credentials here.

For important information concerning this communication click here.  If you do not wish to receive these updates in the future, send an e-mail with the word “Remove” in the Subject to support@SolutionsLawyer.net.

©2009 Cynthia Marcotte Stamer.  All rights reserved. 

Comments Off on Health Plans Must Comply with New HHS Interim Final Data Breach Rules Beginning September 24; Register to Participate In September 10th Briefing on New Rules In Person or Via Telephone | Corporate Compliance, ERISA, GINA, Health Plans, HIPAA, Human Resources, Insurance, Internal Controls, Internal Investigations | Tagged: , , , , , , , , , , , , , , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

HHS Reassignment Of HIPAA Enforcement Duties Signals Rising Seriousness of Enforcement Commitment

August 3, 2009

The Department of Health & Human Services (HHS) today (August 3, 2009) transferred authority for the administration and enforcement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule to the Office for Civil Rights (OCR).  Prior to this announcement, responsibility for interpretation and enforcement of the Security Rule rested with the Centers for Medicare & Medicaid Services (CMS).  The change reflects the growing seriousness of HHS and others about enforcing federal privacy and data security mandates for health information.  HHS anticipates the transfer of authority will eliminate duplication and increase efficiencies in how the department ensures that Americans’ health information privacy is protected.

HHS has the authority for administration and enforcement of the federal standards for health information privacy called for in HIPAA. The Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information. OCR has been responsible for enforcement of the Privacy Rule since 2003. The Security Rule specifies a series of administrative, technical, and physical security procedures for covered entities to use to assure the confidentiality of electronic protected health information. The Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009 (ARRA), mandated improved enforcement of the Privacy Rule and the Security Rule.

Through a separate delegation, CMS continues to have authority for administration and enforcement of the HIPAA Administrative Simplification regulations, other than privacy and security of health information.

The transfer of Security Rule enforcement authority comes as guidance about new data breach rules for electronic protected health information is impending.  This impending guidance relates to  the implementation of new breach notification rules for covered entities and their business associates concerning their obligation to use of technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals, as required by amendments to HIPAA enacted under the Health Information Technology for Economic and Clinical Health (HITECH) Act passed as part of the American Recovery and Reinvestment Act of 2009 (ARRA) last February.  OCR officials have stated that they are working to publish the next set of regulations regarding these new breach notifications before the end of August, 2009. 

In addition to adding the breach notification requirements, the HITECH Act also tightened the HIPAA mandates in several other respects.  Among other things, it amended HIPAA to:

  • Broaden the applicability of the HIPAA’s Privacy Rules and penalties to include business associates;
  • Clarify that HIPAA’s criminal sanctions apply to employees or other individuals that wrongfully use or access PHI held by a covered entity;
  • Increase criminal and civil penalties for HIPAA Privacy Rules violators;
  • Allow State Attorneys General to bring civil damages actions on behalf of certain state citizens who are victims of HIPAA Privacy and Security Rule violations;
  • Modify certain HIPAA use and disclosure and accounting requirements and risks;
  • Prohibits sales of PHI without prior consent;
  • Tighten certain other HIPAA restrictions on uses or disclosures;
  • Tighten certain HIPAA accounting for disclosure requirements;
  • Clarify the definition of health care operations to excludes certain promotional communications; and
  • Expand the Business Associates Agreement Requirements.

These and other developments make it imperative HIPAA covered entities and their business associates take prompt action to immediately review and update their data security and privacy practices to guard against growing liability exposures under HIPAA and other federal and state laws. Covered entities must update policies and practices to avoid these growing liabilities. Business associates that have not already done so also must appoint privacy officers and adopt and implement privacy and data security policies and procedures fully compliant with HIPAA and other applicable federal and state rules, including amendments enacted as part of the American Recovery and Reinvestment Act of 2009 signed into law on February 17, 2009.

For more information about today’s announcement, see here.  See here for the initial guidance and request for comments issued by HHS regarding these new security standards.

Chair Elect of the American Bar Association RPTE Employee Benefits & Compensation Committee, an ABA Joint Committee on Employee Benefits  Council member, and Chair of the Curran Tomko Tarski Labor, Employment & Employee Benefits Practice, Cynthia Marcotte Stamer is  nationally and internationally recognized for her work assisting businesses, employee benefit plan fiduciaries and vendors, governments, and other entities to develop administer and defend cost-effective employee benefit other human resources programs, policies and procedures to meet their budgetary, risk management and compliance and other objectives.  Board certified in Labor & Employment law, Ms. Stamer applies her extensive experience regarding employment, employee benefit, tax, privacy and data security and other related laws to assists clients in a wide range of business and litigation contexts.   The co-founder of the Solutions Law Consortium, Ms. Stamer also makes extensive use of cloud computing and other technology in her own practice and provides input to human resources and other clients others about the use of these and other technology tools to manage employee benefit, human resources, internal controls and other operations.  In connection with this work, Ms. Stamer has works, writes and consults extensively with a diverse range of clients about  the development, use technology and other processes to streamline health and other benefit, payroll and other human resources, employee benefits, tax, compliance and other business processes and the management and protection of sensitive personal and other information and data.

If your organization or employee benefit plan needs assistance managing or evaluating options or responsibilities associated with the use of technology and data in connection with its health care, employee benefits, tax or other operation or other human resources, employee benefits or and compliance concerns, please contact Ms. Stamer at cstamer@cttlegal.com, (214) 270-2402; or your favorite Curran Tomko Tarski, LLP attorney.  For additional information about the experience and services of Ms. Stamer and other members of the Curran Tomko Tarksi, LLP team, see here.

More Information & Resources

You can review other recent human resources, employee benefits and internal controls publications and resources and additional information about the employment, employee benefits and other experience of Ms. Stamer here /the Curran Tomko Tarski LLP attorneys here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here or e-mailing this information to Cstamer@CTTLegal.com or registering to participate in the distribution of these and other updates on our Solutions Law Press HR & Benefits Update distributions here. For important information concerning this communication click here.    If you do not wish to receive these updates in the future, send an e-mail with the word “Remove” in the Subject to support@SolutionsLawyer.net.

©2009 Cynthia Marcotte Stamer. All rights reserved.

Comments Off on HHS Reassignment Of HIPAA Enforcement Duties Signals Rising Seriousness of Enforcement Commitment | Employee Benefits, HIPAA, Human Resources, Insurance, Internal Controls, Privacy | Tagged: , , , , , , , , , , , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

Next Entries »