$2.4M+ St. Joseph Health HIPAA Settlement Teaching Lesson For Other HIPAA-Covered Entities & Business Associates

October 25, 2016

St. Joseph Health (SJH)  has agreed to pay  a $2.4 million plus settlement payment, conduct an enterprise-wide risk analysis and implement and administer a comprehensive correction plan under a Resolution Agreement and Corrective Action Plan (SJH Settlement) reached with the  Department of Health & Human Services (HHS) Office of Civil Rights (OCR)  to settle OCR charges that SJH violated the Privacy & Security Rules of the Health Insurance Portability & Accountability Act (HIPAA) by allowing files containing electronic protected health information (ePHI) of 31,800 individuals that SJH created for its participation in the Medicare meaningful use program to be publicly accessible on the internet from February 1, 2011, until February 13, 2012.  The SJH Settlement announced here by OCR on October 18, 2016 demonstrates the mounting HIPAA enforcement exposures that HIPAA-covered health care providers, health plans, healthcare clearinghouses and their business associates (Covered Entities) risk when a breach of ePHI or other prohibited use, access, destruction or disclosure of ePHI or other personal health information (PHI) results from the failure of the Covered Entity or its business associates to properly protect or secure it in accordance with HIPAA.  A review of the SJH Settlement drives home the point that Covered Entities should not assume that meaningful use or other electronic recordkeeping systems containing ePHI are properly secured in accordance with HIPAA.

SJH Investigation & Charges Resulting In $2.4 Million+ Settlement

A nonprofit integrated Catholic health care delivery system sponsored by the St. Joseph Health Ministry, who through its 24,000 employees and 6,000 physicians provides a range of health care services to more than 137,000 inpatients and 3.6 million outpatients each year at SHS’ 4 acute care hospitals, home health agencies, hospice care, outpatient services, skilled nursing facilities, community clinics and physician organizations located throughout California and in parts of Texas and New Mexico.

OCR’s charges against SJH arose out of OCR’s investigation into a 2012 breach notification report SJS filed with OCR.  On February 14, 2012, SJH reported to OCR that files containing electronic protected health information (ePHI) of 31,800 individuals from five of the SJH hospitals-St. Jude Medical Center, Mission Hospital, Queen of the Valley Medical Center, Santa Rosa Memorial Hospital, and Petaluma Valley Hospital that SJH created for its participation in the meaningful use program were publicly accessible on the internet from February 1, 2011, until February 13, 2012, via Google and possibly other internet search engines.

SJH’s report to OCR indicated that this public access resulted from a configuration within its network server in which PDF files containing following patient information were uploaded: patient names; BMI; blood pressure; lab results; smoking status; diagnoses lists; medication allergies; advance directive status and demographic information (language, ethnicity, race, sex, and birth date). The server SJH purchased to store the files included a file sharing application whose default settings allowed anyone with an internet connection to access them. Upon implementation of this server and the file sharing application, SJH did not examine or modify it. As a result, the public had unrestricted access to PDF files containing the ePHI of 31,800 individuals, including patient names, health statuses, diagnoses, and demographic information  from February 14, 2012 until SJH blocked external access to the ePHI when it shut down the application February 13, 2012.

OCR’s investigation indicated the following potential violations of the HIPAA Rules:

  • From February 1, 2011 to February 13, 2012, SJH potentially disclosed the PHI of 31,800 individuals;
  • Evidence indicated that SJH failed to conduct an evaluation in response to the environmental and operational changes presented by implementation of a new server for its meaningful use project, thereby compromising the security of ePHI;
  • Although SJH hired a number of contractors to assess the risks and vulnerabilities to the confidentiality, integrity and availability of ePHI held by SJH, evidence indicated that this was conducted in a patchwork fashion and did not result in an enterprise-wide risk analysis, as required by the HIPAA Security Rule.

SJH Settlement Agreement Highlights

Under the settlement agreement with SJH that OCR announced on October 18, 2016, SJH must pay a $2,140,500 settlement payment and adopt a comprehensive corrective action plan which among other things, requires SJH to conduct an enterprise-wide risk analysis, develop and implement a risk management plan, revise its policies and procedures, and train its staff on these policies and procedures.  SJH’s Chief Executive Officer, Annette M. Walker, is named in the Corrective Action Plan as the SJH authorized representative and contact person responsible for overseeing the CAP implementation.

Among other things, the Corrective Action Plan specifically requires that SJH:

  • Within 240 days, conduct an enterprise-wide analysis and provide a report to OCR which includes a complete inventory of all electronic equipment, data systems, and applications that contain or store ePHI, and prepare and deliver to OCR for review an enterprise-wide risk analysis that identifies all security risks and vulnerabilities that incorporates all electronic equipment, data systems, and applications controlled, administered, or owned by SJH, its workforce members, and affiliated staff that contains, stores, transmits, or receives electronic protected health information (ePHJ);
  • Revise this risk analysis plan as directed by OCR based on its review of the presented risk analysis;
  • Develop and implement to the satisfaction of OCR an organization-wide risk management plan to address and mitigate any security risks and vulnerabilities identified in the risk analysis;
  • Distribute the risk management plan as finally approved by OCR to to workforce members involved with implementation of the plan within 30 days of OCR approval;
  • Revise to OCR’s satisfaction, adopt and implement within 30 days of OCR’s approval compliant HIPAA policies and procedures;
  • Prepare for review of OCR training materials and once approved by OCR, provide initial training to required workforce members, and obtain certification of completion of that training from each required workforce member within 60 days of OCR’s approval of the training and thereafter at least annually as long as the Corrective Action Plan remains in force;
  • Promptly conduct a documented investigation of any information indicating a potential workforce member violation of the new HIPAA policies in the manner required by OCR and if the investigation confirms a violation (Reportable Event), notify OCR of the relevant facts, findings, corrective actions and sanctions imposed against the violating workforce member in the manner required by the Corrective Action Plan;
  • Submit annual report to OCR signed and attested to by an SJH officer, which contains the information and attestations of compliance with the requirements of the Corrective Action Plan in accordance with the Corrective Action Plan;
  • Retain for inspection and copying and provide to OCR upon request all documents and records relating to compliance with this Corrective Action Plan for six (6) years from the Effective Date of the SJH Settlement Agreement.

Take Away For Other Covered Entities & Business Associates

To help safeguard their own organizations against potential sanctions from OCR and other HIPAA enforcement risks, Covered Entities and their business associates should ensure that their organization possesses a well-documented current enterprise-wide risk assessment, as well as has in place and is administering as necessary to maintain the currency and adequacy of its risk assessment strong practices for conducting documented evaluations of their own HIPAA security, policies, practices, audits and investigations and other procedures necessary to comply with HIPAA, taking into account recent OCR guidance,  its initiation of its Phase II audit program, the insights offered by the SJH and other OCR’s ever growing list of enforcement actions and compliance tools, as well as changes in systems, documentation, software, equipment or other occurrences within the operations of the Covered Entity or business associate’s operations that could impact the currency and adequacy of its risk assessment or otherwise raise compliance risks..

 In this respect, Covered Entities and business associates are encouraged to take special note of the advisability of specifically reviewing and updating their HIPAA policies, practices, business associate agreements, training, oversight and documentation to in response to OCR’s;

As breaches of PHI and other violations of HIPAA also frequently give rise to responsibilities or risks under a broad range of other federal and state laws medical and financial privacy and data security, Medicare and other terms of federal program participation, medical credentialing, licensure and ethics, insurance and Employee Retirement Income Security Act fiduciary responsibilities in the case of health plans, contractual,  tort and other exposures, Covered Entities and their business associates also generally are best served to take into account these other responsibilities and exposures in conjunction with the design and administration of their HIPAA compliance and risk management policies and practices.

Covered Entities and their business associates also should seek advice from legal counsel regarding the adequacy of their compliance, investigatory, training, management oversight, training, reporting, documentation, document retention and other processes and procedures that could reduce risks of HIPAA violations and position the organization to effectively and more efficiently respond to a potential breach, audit, investigation or enforcement action and mitigate the costs and potential liability exposures that increasingly attends these events.  In addition, given the typically high financial, operational and legal costs typically incurred to conduct investigations, report and redress breaches, and respond to OCR audits or investigations, much less make any payments and implement any corrective actions required to settle OCR changes, most Covered Entities and their business associations will want to consider the advisability and adequacy of insurance and other sources of funding or indemnification for the often substantial costs that often attend a HIPAA breach, audit or enforcement event. Since HIPAA violations under certain circumstances also can give rise to felony criminal liability, boards of directors and other leaders of Covered Entities and business associates also will want to ensure that their HIPAA compliance policies and practices also are incorporated and monitored by management as part of their organization’s overall Federal Sentencing Guideline Compliance programs and practices.

About The Author

Cynthia Marcotte Stamer is a practicing attorney and management consultant, author, public policy advocate and lecturer widely recognized for her extensive work and pragmatic thought leadership, experience, publications and training on HIPAA and other privacy, medical records and data and other health care and health plan concerns.

Recognized as “LEGAL LEADER™ Texas Top Rated Lawyer” in both Health Care Law and Labor and Employment Law, a “Texas Top Lawyer,” an “AV-Preeminent” and “Top Rated Lawyer” by Martindale-Hubble and as among the “Best Lawyers In Dallas” in employee benefits by D Magazine; Ms. Stamer has more than 28 years of extensive proven, pragmatic knowledge and experience representing and advising health industry clients and others on operational, regulatory and other compliance, risk management, product and process development, public policy and other key concerns.

As a core component of her work as the Managing Shareholder of Cynthia Marcotte Stamer, PC, Ms. Stamer has worked extensively throughout her career with health care providers, health plans, health care clearinghouses, their business associates, employers, banks and other financial institutions, their technology and other vendors and service providers, and others on legal and operational risk management and compliance with HIPAA, FACTA, PCI, trade secret, physician and other medical confidentiality and privacy, federal and state data security and data breach and other information privacy and data security rules and concerns; prevention, investigation, response, mitigation and resolution of known or suspected data or privacy breaches or other incidents; defending investigations or other actions by plaintiffs, OCR, FTC, state attorneys’ general and other federal or state agencies; reporting and redressing known or suspected breaches or other violations; business associate and other contracting; insurance or other liability management and allocation; process and product development, contracting, deployment and defense; evaluation, commenting or seeking modification of regulatory guidance, and other regulatory and public policy advocacy; training and discipline; enforcement, and a host of other related concerns for public and private health care providers, health insurers, health plans, technology and other vendors, employers, and others.

Beyond her extensive involvement advising and representing clients on privacy and data security concerns and other health industry matters, Ms. Stamer also has served for several years as a scrivener for the ABA JCEB’s meeting with OCR, the Chair of the Southern California ISSA Health Care Privacy & Security Summit, and an editorial advisory board member, author, program chair or steering committee member, and faculties for a multitude of other programs and publications regarding privacy, data security, technology and other compliance, risk management and operational concerns in the health care, health and other insurance, employee benefits and human resources, retail, financial services and other arenas.

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares shared her thought leadership, experience and advocacy on HIPAA and other concerns by her service in the leadership of a broad range of other professional and civic organization including her involvement as the Vice Chair of the North Texas Healthcare Compliance Association, Executive Director of the Coalition on Responsible Health Policy and its PROJECT COPE: Coalition on Patient Empowerment, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children; former Board Compliance Chair and Board member of the National Kidney Foundation of North Texas, current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, immediate past RPTE Representative to ABA Joint Committee on Employee Benefits Council Representative and current RPTE Representative to the ABA Health Law Coordinating Council, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, a former member of the Board of Directors of the Southwest Benefits Association and others.

Ms. Stamer also is a highly popular lecturer, symposia chair and author, who publishes and speaks extensively on health and managed care industry, human resources, employment and other privacy, data security and other technology, regulatory and operational risk management. Examples of her many highly regarded publications on these matters include “Protecting & Using Patient Data In Disease Management: Opportunities, Liabilities And Prescriptions,” “Privacy Invasions of Medical Care-An Emerging Perspective,” “Cybercrime and Identity Theft: Health Information Security: Beyond HIPAA,” as well as thousands of other publications, programs and workshops these and other concerns for the American Bar Association, ALI-ABA, American Health Lawyers, Society of Human Resources Professionals, the Southwest Benefits Association, the Society of Employee Benefits Administrators, the American Law Institute, Lexis-Nexis, Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, the HCCA, ISSA, HIMSS, Modern Healthcare, Managed Healthcare, Institute of Internal Auditors, Society of CPAs, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other symposia and publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, InsuranceThoughtLeadership.com and many other prominent publications and speaks and conducts training for a broad range of professional organizations and for clientson the Advisory Boards of InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications. For additional information about Ms. Stamer, see CynthiaStamer.com  or contact Ms. Stamer via email here or via telephone to (469) 767-8872.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources at http://www.solutionslawpress.com such as:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or updating your profile here.

©2016 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™  All other rights reserved.  


New Rule Gives ONC More Power Over Electronic Health Record Providers

October 16, 2016

The Office of the National Coordinator for Health IT (ONC) will have more oversight over certifying electronic health records and other technologies that store, share and analyze health information for consumers and the authority to ask developers to pull noncompliant products from the market under a new Final Rule scheduled for official publication in the Federal Register on October 19, 2016. The Final Rule will give ONC power to decertify health IT products and issue a cease-and-desist notice to prevent the future sale or marketing of products that don’t comply with regulations or found to pose a risk to public health or safety. Developers of decertified products also would have to notify affected customers and providers who purchased the products. 

About The Author
Foundation and the Texas Bar Foundation, current American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, former scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting and JCEB Council Representative, former Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, the former Board President and Treasurer of the Richardson Development Center for Children Early Childhood Intervention Agency, and past Board Compliance Chair of the National Kidney Foundation of North Texas, and Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization, the author of this update, attorney Cynthia Marcotte Stamer, is AV-Preeminent (the highest) rated attorney repeatedly recognized for her nearly 30 years of experience and knowledge representing and advising healthcare, health plan and other health industry and others on these and other regulatory, workforce, risk management, technology, public policy and operations matters as a Martindale-Hubble as a “LEGAL LEADER™” and “Texas Top Rated Lawyer” in Health Care Law, Labor and Employment Law, and Business & Commercial Law and among the “Best Lawyers In Dallas” by D Magazine.

Ms. Stamer’s health industry experience includes advising hospitals, nursing home, home health, rehabilitation and other health care providers and health industry clients to establish and administer compliance and risk management policies; prevent, conduct and investigate, and respond to peer review and other quality concerns; and to respond to Board of Medicine, Department of Aging & Disability, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns.

Ms. Stamer also is known for her experience in HIPAA and other privacy and data security and breach concerns. The scribe for ABA JCEB annual agency meeting with OCR for many years, Ms. Stamer has worked extensively with health care providers, health plans, health care clearinghouses, their business associates, employers and other plan sponsors, banks and other financial institutions, and others on risk management and compliance with HIPAA, FACTA, trade secret and other information privacy and data security rules, including the establishment, documentation, implementation, audit and enforcement of policies, procedures, systems and safeguards, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and enforcement, and a host of other related concerns. Her clients include public and private health care providers, health insurers, health plans, technology and other vendors, and others. In addition to representing and advising these organizations, she also has conducted training on Privacy & The Pandemic for the Association of State & Territorial Health Plans, as well as HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for Los Angeles County Health Department, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.

A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her insights on these and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications.

You can get more information about her health industry experience here or contact Ms. Stamer via telephone at (469) 767-8872 or via e-mail here..
About Solutions Law Press Inc.™

Solutions Law Press, Inc.™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns.

If you found these updates of interest, you may be interested in other recent Solutions Law Press, Inc. updates available here.

For important information about this communication see here. THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS. ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.

©2016 Cynthia Marcotte Stamer, P.C. Non-exclusive license to republish granted to Solutions Law Press, Inc. All other rights reserved.
 


Providers, Health Plans Should Confirm Copy Charges Comply With New OCR HIPAA Guidance

May 26, 2016

Healthcare providers, health plans, healthcare clearinghouses (Covered Entities) and their business associates should verify that their copying charges and other policies and practices for responding to requests of individuals for copies and other access to protected health information (PHI) comply with the Privacy and Security Rules (Privacy Rule) of the Health Insurance Portability & Accountability Act of 1996 (HIPAA) as construed in a new Frequently Asked Question (FAQ published May 24, 2016 as follow up to two other sets of guidance about HIPAA assess rights published by the Department of Health & Human Services Office of Civil Rights (OCR) since January, 2016.

New OCR Guidance Sheds New Light On HIPAA Access Rule Requirements

The OCR FAQ titled New Clarification – Up to $6.50 Flat Rate Option published May 24, 2016 is the third in a series of guidance materials OCR discussing OCR’s interpretation of individuals’ core right under HIPAA to access and obtain a copy of their PHI from Covered Entities since January, 2016 (the “Access Rule”).   With  OCR Enforcement Data already showing Access Rule violations among the top 5 issues in cases investigated by OCR every year since HIPAA took effect in 2003, Covered Entities can expect OCR to include Access Rule violations among the Privacy Rule violations OCR likely will target as it continues to ramp up its HIPAA audit, investigation and enforcement efforts.

As part of its sweeping requirements concerning the use, access, protection and disclosure of PHI, the Access Rule provisions of the Privacy Rule generally require Covered Entities to provide individuals, upon request, with access to the protected health information (PHI) about them in one or more “designated record sets” maintained by or for the Covered Entity or its business associate.  This includes the right to inspect or obtain a copy, or both, of the PHI, as well as to direct the Covered Entity to transmit a copy to a designated person or entity of the individual’s choice as long as the Covered Entity or a business associate on its behalf maintains the PHI, regardless of the date the information was created; whether the information is maintained in paper or electronic systems onsite, remotely, or is archived; or where the PHI originated (e.g., whether the Covered Entity, another provider, the patient, etc.).

With its publication of the New Clarification FAQ on May 24, 2016, OCR now has published three pieces of guidance (the Access Guidance) about its interpretation of the Access Rule since January, 2016 that it hopes will promote greater understanding of and compliance with the Access Rule by Covered Entities:

  • In January, OCR published a comprehensive Fact Sheet (Fact Sheet) and the first in a series of topical frequently asked questions (FAQs) addressing patients’ right to access their medical records, which set forth requirements providers must follow in sharing medical records with patients, including that they must do so in a timely manner and in a format that works for the patient;
  • On March 1, OCR published a second set of FAQs accessible here addressing when Covered Entities may charge individuals to provide requested copies of their PHI, how Covered Entities must calculate these fees, when Covered Entities must send an individual’s PHI to a third party designated by the individual in its request for copies, and other issues relating to access rights guaranteed by the Privacy Rule; and
  • On May 24, 2016 OCR clarified this prior Access Guidance by publishing another FAQ titled New Clarification – Up to $6.50 Flat Rate Option .

Collectively, the Access Guidance addresses a broad range of questions and issues about the responsibilities of Covered Entities under the Access Rule including what PHI Covered Entities must provide as well as detailed guidance about when and how much Covered Entities can charge individuals for requested copies of their PHI or summaries of their PHI.  Since the OCR Access Guidance may restrict the charge that health care providers or other Covered Entities can charge for copies or other access more than applicable state law rules,  Covered Entities need to verify their practices comply with OCR’s Access Guidance in addition to any applicable state law rules.  The Access Guidance makes clear that OCR expects Covered Entities and their business associates to ensure that their charges for copying or providing other access to PHI guaranteed by the Privacy Rule complies with this Access Guidance even if that practice does not violate applicable state law.

Are You Charging Too Much? Charges For Copies of PHI Must Meet OCR Privacy Rule Guidance 

Concerning charges for copies of PHI requested by an individual, Privacy Rule § 164.524(c)(4) permits a Covered Entity to impose a reasonable, cost-based fee if the individual requests a copy of the PHI (or agrees to receive a summary or explanation of the information) provided that the Covered Entity properly and timely notifies the individual of the cost and properly determines the cost in accordance with OCR guidance.

Many physicians or other health care providers that use electronic health records (EHRs) certified to allow individuals to access their PHI in the system may be unaware that OCR views the availability of electronic access from the EHR affects the health care provider’s ability to charge for copies of requested PHI.  OCR’s position is that the Privacy Rule prohibits a Covered Entity from charging an individual for requested copies of PHI when the request is fulfilled by the individual accessing the requested PHI using the View, Download, and Transmit functionality of the provider’s certified electronic health record.

Assuming the request for access or copies is not fulfilled through download from an HER, the Access Guidance indicates q Covered Entity must use one of three potentially applicable OCR-approved methods to calculate the fee the Covered Entity charges an individual for copies of PHI or an agreed upon summary provided that the method used takes into account only labor costs for copying or producing an agreed upon summary as defined by OCR.:

  • The “Actual Cost” Method;
  • The “Average Cost” Method; or
  • For electronic copies of PHI maintained electronically, the “Flat Fee” Method.

Charging a flat fee not to exceed $6.50 is an option available to those entities that do not want to go through the process of calculating actual or average costs for requests for electronic copies of PHI under either the Actual Cost or Average Cost Methods.  However, by its terms, the “Flat Fee” Method is only an allowable for Covered Entities to use to avoid calculating actual or average allowable costs when a Covered Entity is providing electronic copies of PHI maintained electronically (and presumably when the access request is not fulfilled through download from an EHR).  When applicable, the Flat Fee Method allows a Covered Entity to charge a flat fee for all requests for electronic copies of PHI maintained electronically, provided the fee does not exceed $6.50, inclusive of all labor, supplies, and any applicable postage.  The New Clarification – Up to $6.50 Flat Rate Option clarifies that use of the Flat Rate Method is permitted not required when a Covered Entity  provides copies of PHI maintained electronically other through download directly from a certified EHR. Covered Entities that wish to charge more than the $6.50 flat rate allowed under the Flat Rate Option retain the right, if the facts and evidence warrant, to use either the Actual Cost Method or Average Cost Method to calculate the fee for providing electronic records electronically within the boundaries of what is permissible under the Privacy Rule.

Where the Flat Fee Method is inapplicable or the Covered Entity elects not to use it, the Covered Entity must use either the Actual Cost Method or the Average Cost Method to calculate the fee in accordance with OCR’s rules.

Under the “Actual Cost Method,” a Covered Entity may calculate actual labor costs to fulfill the request, as long as the labor included is only for copying (and/or creating a summary or explanation if the individual chooses to receive a summary or explanation) and the labor rates used are reasonable for such activity. The Covered Entity may add to the actual labor costs any applicable supply (e.g., paper, or CD or USB drive) or postage costs. Covered Entities that charge individuals actual costs based on each individual access request still must be prepared to inform individuals in advance of the approximate fee that may be charged for providing the individual with a copy of her PHI. An example of an actual labor cost calculation would be to time how long it takes for the workforce member of the Covered Entity (or business associate) to make and send the copy in the form and format and manner requested or agreed to by the individual and multiply the time by the reasonable hourly rate of the person copying and sending the PHI. What is reasonable for purposes of an hourly rate will vary depending on the level of skill needed to create and transmit the copy in the manner requested or agreed to by the individual (e.g., administrative level labor to make and mail a paper copy versus more technical skill needed to convert and transmit the PHI in a particular electronic format);

Under the “Average Cost” Method, in lieu of calculating labor costs individually for each request, a Covered Entity can develop a schedule of costs for labor based on average labor costs to fulfill standard types of access requests, as long as the types of labor costs included are the ones which the Privacy Rule permits to be included in a fee (e.g., labor costs for copying but not for search and retrieval) and are reasonable. Covered Entities may add to that amount any applicable supply (e.g., paper, or CD or USB drive) or postage costs.    This standard rate can be calculated and charged as a per page fee only in cases where the PHI requested is maintained in paper form and the individual requests a paper copy of the PHI or asks that the paper PHI be scanned into an electronic format. However OCR’s guidance states that OCR does not consider per page fees for copies of PHI maintained electronically to be reasonable for purposes of 45 CFR 164.524(c)(4);

Whether using the Actual Cost Method or the Average Cost Method, a Covered Entity must only take into account only “reasonable labor costs associated only with the: (1) labor for copying the PHI requested by the individual, whether in paper or electronic form; and (2) labor to prepare an explanation or summary of the PHI, if the individual in advance both chooses to receive an explanation or summary and agrees to the fee that may be charged.

OCR’s guidance makes clear that the reasonability of the charges for labor must reflect the technology available for providing this access.  In this respect, OCR’s guidance states that a Covered Entity cannot charge a fee under HIPAA for individuals to access the PHI from a health care provider’s EHR technology that has been certified as being capable of making the PHI accessible.   OCR’s position is that where a Covered Entity fulfills an individual’s HIPAA access request by allowing the individual to access the requested PHI using the View, Download, and Transmit functionality of the provider’s certified electronic health record (CEHRT), an individual requests or agrees to access her PHI available through the View, Download, and Transmit functionality of the CEHRT, there are no labor costs and no costs for supplies to enable such access.

To the extent that access is not provided through an CEHRT, the fee a Covered Entity charges an individual to provide copies of requested PHI or an agreed upon summary may include only the cost of:

  • Copying the PHI; and
  • Preparation of an explanation or summary of the PHI, if agreed to by the individual.

As interpreted by OCR, labor for copying includes only labor for creating and delivering the electronic or paper copy in the form and format requested or agreed upon by the individual, once the PHI that is responsive to the request has been identified, retrieved or collected, compiled and/or collated, and is ready to be copied.  For example, labor for copying may include labor associated with the following, as necessary to copy and deliver the PHI in the form and format and manner requested or agreed to by the individual:

  • Labor for copying the PHI requested by the individual, whether in paper or electronic form;
  • Supplies for creating the paper copy or electronic media (e.g., CD or USB drive) if the individual requests that the electronic copy be provided on portable media;
  • Postage, when the individual requests that the copy, or the summary or explanation, be mailed; and
  • Creating and executing a mailing or e-mail with the responsive PHI.

See 45 CFR 164.524(c)(4).

The Access Guidance states the fee may not include costs associated with verification; documentation; searching for and retrieving the PHI; maintaining systems; recouping capital for data access, storage, or infrastructure; outsourcing the function of responding to individual requests for PHI copies or other costs not listed above even if such costs are authorized by State law.  See 45 CFR 164.524(c)(4).

Of course, in any case, OCR’s guidance makes clear that regardless of how a entity chooses to calculate its fee to copy PHI, the Privacy Rule requires that the Covered Entity inform the requesting individual in advance of the approximate fee that may be charged for providing the copy requested and otherwise comply with the Privacy Rule as interpreted by OCR’s latest guidance concerning providing individuals access to PHI and other requirements.

Documented, Timely Action Needed To Mitigate OCR Audit, Investigation & Enforcement Risks

Beyond operationally complying with the Access Guidance, Covered Entities and their business associates generally will want to update their policies, practices and training to position themselves to defend their calculation of any charges made for copies provided in response to a request for access protected by the Privacy Rule and other compliance with the requirements of that rule and the otherwise applicable provisions of HIPAA as well as include monitoring and enforcement of these requirements as part of their ongoing HIPAA compliance efforts.

These and other HIPAA compliance efforts are particularly critical in light of the expanding audit, investigation and enforcement activities of OCR under the Privacy Rule.  OCR’s publication of the Access Guidance coincides with a surge in OCR’s HIPAA audit, investigation and enforcement activities.

OCR’s publication of the new Access Guidance comes as OCR is ramping up its interpretation, oversight and enforcement of HIPAA generally.  See, Brace For OCR HIPAA Audits & Enforcement; Update Privacy Practices For New OCR HIPAA Enforcement, Security & Records Access Guidance.  While continuing to offer guidance like the Access Guidance and other tools to encourage and help Covered Entities and their business to understand and comply with the Privacy Rule, OCR also increasingly now uses the expanded penalties and authority created by the HITECH Act to punish Covered Entities for violating Privacy Rule requirements.  HITECH Act amendments, among other things, broadened the duties of OCR to audit, investigate and sanction HIPAA violations as well as tightened various requirements of the Privacy Rules.

The risks to Covered Entities from violating the Privacy Rules are significant and growing.  Since the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) amended HIPAA, Covered Entities and their business associates face heightened risks that violations of HIPAA will trigger liability to pay a Civil Monetary Penalty (CMP) to OCR or other sanctions.  The two, multimillion dollar CMPs now imposed by OCR against two different Covered Entities caught violating the Privacy Rules only reflect a small part of OCR’s CMP enforcement.  Equally or perhaps more significant are the growing stream of high dollar settlement payments that an ever-growing list of Covered Entities to resolve OCR Privacy Rule violation charges that otherwise also might result in OCR’s assessment of a CMP against them.  See, e.g. $2 Million+ HIPAA Settlement, FAQ Warn Providers Protect PHI From Media, Other Recording Or Use; Provider Pays $750K To Settle HIPAA Business Associate Rule Breach Charges; North Memorial Hit With $3.9M HIPAA Fine For HIPAA Violations;  OCR’s 2nd-Ever HIPAA CMP Nails Lincare For $239,000; Lehey Pays $850K After Unencrypted Laptop Stolen.

These already substantial enforcement risks are likely to rise as OCR begins auditing the compliance of selected Covered Entities as part of its recently announced 2016 audit program.  As a result of audit requirements enacted as part of the HITECH Act, Covered Entities now need to be prepared to demonstrate the adequacy of their HIPAA compliance in case their organization becomes targeted for audit under OCR’s 2016 audit program.  Even if not selected for audit, however, Covered Entities and their business associates still face the risk that a complaint filed with OCR will trigger an OCR investigation of their practices for providing copies or other access or other compliance with the Privacy Rules.  In light of the growing aggressiveness of OCR’s enforcement, Covered Entities and their business associates need to be prepared to demonstrate their efforts to comply. Those that cannot show adequate compliance efforts should be prepared for potentially substantial CMP or Resolution Agreement payments and other sanctions.  Consequently, Covered Entities and their business associates should move quickly to review and update their practices, communications and training to comply with this new Access Guidance as well as other guidance, enforcement and other developments that might impact the adequacy of their existing practices under the Privacy Rule generally.  Because of the risk that any review or investigation of the adequacy of its practices or complaints under the Privacy Rule will involve sensitive information or analysis, Covered Entities and their business associates are cautioned to consider the advisability of arranging for this analysis and review to be conducted within the scope of attorney-client privilege under the guidance of legal counsel experienced with the Privacy Rules and other related legal concerns.

 About The Author

Cynthia Marcotte Stamer is a practicing attorney and management consultant, author, public policy advocate and lecturer widely recognized for her extensive work and pragmatic thought leadership, experience, publications and training on HIPAA and other privacy, medical records and data and other health care and health plan concerns.

Recognized as “LEGAL LEADER™ Texas Top Rated Lawyer” in both Health Care Law and Labor and Employment Law, a “Texas Top Lawyer,” an “AV-Preeminent” and “Top Rated Lawyer” by Martindale-Hubble and as among the “Best Lawyers In Dallas” in employee benefits 2015 by D Magazine; Ms. Stamer has more than 28 years of extensive proven, pragmatic knowledge and experience representing and advising health industry clients and others on operational, regulatory and other compliance, risk management, product and process development, public policy and other key concerns.

As a core component of her work as the Managing Shareholder of Cynthia Marcotte Stamer, PC, Ms. Stamer has worked extensively throughout her nearly 30 year career with health care providers, health plans, health care clearinghouses, their business associates, employers, banks and other financial institutions, their technology and other vendors and service providers, and others on legal and operational risk management and compliance with HIPAA, FACTA, PCI, trade secret, physician and other medical confidentiality and privacy, federal and state data security and data breach and other information privacy and data security rules and concerns; prevention, investigation, response, mitigation and resolution of known or suspected data or privacy breaches or other incidents; defending investigations or other actions by plaintiffs, OCR, FTC, state attorneys’ general and other federal or state agencies; reporting and redressing known or suspected breaches or other violations; business associate and other contracting; insurance or other liability management and allocation; process and product development, contracting, deployment and defense; evaluation, commenting or seeking modification of regulatory guidance, and other regulatory and public policy advocacy; training and discipline; enforcement, and a host of other related concerns for public and private health care providers, health insurers, health plans, technology and other vendors, employers, and others.

Beyond her extensive involvement advising and defending clients on these matters, Ms. Stamer also has served for several years as the scrivener for the ABA JCEB’s meeting with OCR for many years. She returns as Chair of the Southern California ISSA Health Care Privacy & Security Summit for the third year in 2016, as well as speaks and serves on the steering committee of a multitude of other programs.

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares shared her thought leadership, experience and advocacy on HIPAA and other concerns by her service in the leadership of a broad range of other professional and civic organization including her involvement as the Vice Chair of the North Texas Healthcare Compliance Association, Executive Director of the Coalition on Responsible Health Policy and its PROJECT COPE; Coalition on Patient Empowerment, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children; former Board Compliance Chair and Board member of the National Kidney Foundation of North Texas, current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, immediate past RPTE Representative to ABA Joint Committee on Employee Benefits Council Representative and current RPTE Representative to the ABA Health Law Coordinating Counsel, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, a former member of the Board of Directors of the Southwest Benefits Association and others.

Ms. Stamer also is a highly popular lecturer, symposia chair and author, who publishes and speaks extensively on health and managed care industry, human resources, employment and other privacy, data security and other technology, regulatory and operational risk management. Examples of her many highly regarded publications on these matters include “Protecting & Using Patient Data In Disease Management: Opportunities, Liabilities And Prescriptions,” “Privacy Invasions of Medical Care-An Emerging Perspective,” “Cybercrime and Identity Theft: Health Information Security: Beyond HIPAA,” as well as thousands of other publications, programs and workshops these and other concerns for the American Bar Association, ALI-ABA, American Health Lawyers, Society of Human Resources Professionals, the Southwest Benefits Association, the Society of Employee Benefits Administrators, the American Law Institute, Lexis-Nexis, Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, the HCCA, ISSA, HIMSS, Modern Healthcare, Managed Healthcare, Institute of Internal Auditors, Society of CPAs, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other symposia and publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, InsuranceThoughtLeadership.com and many other prominent publications and speaks and conducts training for a broad range of professional organizations and for clients, on the Advisory Boards of InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications. For additional information about Ms. Stamer, see www.CynthiaStamer.com, email Ms. Stamer cstamer@solutionslawyer.net or telephone her at (469) 767-8872.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources at www.SolutionsLawPress.com such as:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or updating your profile here.  ©2016 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ All other rights reserved.

 

 

 


North Memorial Hit With $3.9M HIPAA Fine For HIPAA Violations

March 25, 2016

Just one day after the announcement of a $1,555,000 settlement with North Memorial Health Care of Minnesota under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules, the Department of Health & Human Services (HHS) Office of Civil Rights (OCR) announced March 17, 2016 that Feinstein Institute for Medical Research has agreed to pay  $3.9 million and will undertake a substantial corrective action plan to settle charges of HIPAA violations and  bring its operations into compliance.  The two settlements drive home again the substantial liability that health care providers, health plans, health care clearinghouses and their business associates risk for violating HIPAA. Register for March 30, 2016 Solutions Law Press, Inc. briefing to learn the latest about this and other new regulatory and enforcement guidance impacting the HIPAA compliance obligations and risks of health care providers, health plans, health care clearinghouses and their business associates.  3/30 Webex Shares Latest On Security, Patient Access & Other HIPAA Developments.

Feinstein Settlement

Feinstein is a biomedical research institute that is organized as a New York not-for-profit corporation and is sponsored by Northwell Health, Inc., formerly known as North Shore Long Island Jewish Health System, a large health system headquartered in Manhasset, New York that is comprised of twenty one hospitals and over 450 patient facilities and physician practices.

OCR’s investigation began after Feinstein filed a breach report indicating that on September 2, 2012, a laptop computer containing the electronic protected health information (ePHI) of approximately 13,000 patients and research participants was stolen from an employee’s car.  The ePHI stored in the laptop included the names of research participants, dates of birth, addresses, social security numbers, diagnoses, laboratory results, medications, and medical information relating to potential participation in a research study.

OCR’s investigation discovered that Feinstein’s security management process was limited in scope, incomplete, and insufficient to address potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the entity.  Further, Feinstein lacked policies and procedures for authorizing access to ePHI by its workforce members, failed to implement safeguards to restrict access to unauthorized users, and lacked policies and procedures to govern the receipt and removal of laptops that contained ePHI into and out of its facilities.  For electronic equipment procured outside of Feinstein’s standard acquisition process, Feinstein failed to implement proper mechanisms for safeguarding ePHI as required by the Security Rule.

“Research institutions subject to HIPAA must be held to the same compliance standards as all other HIPAA-covered entities,” said OCR Director Jocelyn Samuels.  “For individuals to trust in the research process and for patients to trust in those institutions, they must have some assurance that their information is kept private and secure.”

The resolution agreement and corrective action plan may be found here.

The Feinstein settlement announcement follows yesterday’s announcement of a $1.5 million plus settlement with North Memorial to resolve HIPAA charges that it failed to implement a business associate agreement with a major contractor and failed to institute an organization-wide risk analysis to address the risks and vulnerabilities to its patient information. North Memorial is a comprehensive, not-for-profit health care system in Minnesota that serves the Twin Cities and surrounding communities.  The settlement highlights the importance for healthcare providers, health plans, healthcare clearinghouses and their business associates to comply with HIPAA’s business associate agreement and other HIPAA organizational, risk assessment, privacy and security, and other requirements.

OCR’s announcement emphasizes the importance of meeting these requirements.  “Two major cornerstones of the HIPAA Rules were overlooked by this entity,” said Jocelyn Samuels, Director of the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). “Organizations must have in place compliant business associate agreements as well as an accurate and thorough risk analysis that addresses their enterprise-wide IT infrastructure.”

The settlement comes from charges filed after OCR initiated its investigation of North Memorial following receipt of a breach report on September 27, 2011, which indicated that an unencrypted, password-protected laptop was stolen from a business associate’s workforce member’s locked vehicle, impacting the electronic protected health information (ePHI) of 9,497 individuals.

OCR’s investigation indicated that North Memorial failed to have in place a business associate agreement, as required under the HIPAA Privacy and Security Rules, so that its business associate could perform certain payment and health care operations activities on its behalf. North Memorial gave its business associate, Accretive, access to North Memorial’s hospital database, which stored the ePHI of 289,904 patients. Accretive also received access to non-electronic protected health information as it performed services on-site at North Memorial.

The investigation further determined that North Memorial failed to complete a risk analysis to address all of the potential risks and vulnerabilities to the ePHI that it maintained, accessed, or transmitted across its entire IT infrastructure — including but not limited to all applications, software, databases, servers, workstations, mobile devices and electronic media, network administration and security devices, and associated business processes.

In addition to the $1,550,000 payment, North Memorial is required to develop an organization-wide risk analysis and risk management plan, as required under the Security Rule. North Memorial will also train appropriate workforce members on all policies and procedures newly developed or revised pursuant to this corrective action plan.

The Resolution Agreement and Corrective Action Plan can be found here.

Settlement Latest Reminder To Manage HIPAA Risks

Following up on OCR’s imposition of its second-ever HIPAA Civil Monetary Penalty (CMP) and the latest in an ever-growing list of settlements by Covered Entities under HIPAA, the North Memorial settlement is another example of the substantial liability that Covered Entities face for violating HIPAA.  To avoid these liabilities, Covered Entities must constantly be diligent to comply with the latest guidance of OCR concerning their obligations under HIPAA.  As OCR continues to issue additional guidance as well as supplement this guidance through information shared in settlement agreements like the North Memorial settlement, even if Covered Entities reviewed their practices in the last 12-months, most will want to update this review in response to new OCR guidance and enforcement actions, including new guidance on obligations to provide plan members or other subjects of protected health information with access to or copies of their records and other guidance, as well as the ever expanding list of enforcement actions by OCR.

Since the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) amended HIPAA, Covered Entities face growing responsibilities and liability for maintaining the security of ePHI. In response to HITECH, OCR continues to use a carrot and stick approach to encouraging and enforcing compliance. As demonstrated by OCR’s imposition of the second-ever HIPAA Civil Monetary Penalty (CMP) of $239,000 against Lincare and the ever-growing list of Resolution Agreements OCR announces with other Covered Entities, OCR continues to step up enforcement against Covered Entities that breach the Privacy and Security Rules. See OCR’s 2nd-Ever HIPAA CMP Nails Lincare For $239,000.

On the other hand, OCR also continues to encourage voluntary compliance by Covered Entities by sharing guidance and tools to aid Covered Entities to understand fulfill their HIPAA responsibilities such as the HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework (Crosswalk) unveiled by OCR on February 24, 2016.The crosswalk that maps the HIPAA Security Rule to the standards of the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (the Cybersecurity Framework) as well as mappings to certain other commonly used security frameworks.

While stating that the HIPAA Security Rule does not require use of the NIST Cybersecurity Framework, OCR says it hopes the Crosswalk will provide “a helpful roadmap” for HIPAA Covered Entities and their business associates to understand the overlap between the NIST Cybersecurity Framework, the HIPAA Security Rule, and other security frameworks that can help Covered Entities safeguard health data in a time of increasing risks and help them to identify potential gaps in their programs. At the same time, OCR’s announcement of its release of the Crosswalk also cautions users that “use of the Framework does not guarantee HIPAA compliance.” Rather, OCR says “the crosswalk provides an informative tool for entities to use to help them more comprehensively manage security risks in their environments.

With a USA Today report attributing more than 40 percent of data breaches to the healthcare industry over the last three years 91 percent of all health organizations having reporting breaches over the last two years, OCR has made clear that it intends to zealously investigate and enforce the Security Rules against Covered Entities that violate the Security Rules against Covered Entities that fail to take suitable steps to safeguard the security of PHI as required by the HIPAA Security Rule. To meet these requirements, the HIPAA Security Rule requires that Covered Entities conduct and be prepared to product documentation of their audit and other efforts to comply with the Security Rule Most Covered Entities will want to consider including an assessment of the adequacy of their existing practices under the Crosswalk and other requirements disclosed by OCR in these assessments to help position the Covered Entity to defend or mitigate HIPAA CMP and other liabilities in the event of a HIPAA breach or audit.

Latest Guidance Clarifies Patient Rights To Access PHI & Allowable Charges

In addition to maintaining adequate security, HIPAA also requires Covered Entities to provide individuals with the right to access and receive a copy of their health information from their providers, hospitals, and health insurance plans in accordance with the HIPAA Privacy Rule. In response to recurrent difficulties experienced by individuals in exercising these rights, OCR recently published supplemental guidance to clarify and promote better understanding and compliance with these rules by Covered Entities.

OCR started this process in January, 2015 by releasing a comprehensive fact sheet (Access fact sheet) and the first in a series of topical frequently asked questions (FAQs) addressing patients’ right to access their medical records, which set forth requirements providers must follow in sharing medical records with patients, including that they must do so in a timely manner and in a format that works for the patient.

Earlier this month, OCR followed up by publishing on March 1, 2016 a second set of FAQs addresses additional issues, including the fees individuals may be charged for copies of their health information and the right of individuals to have their health information sent directly to a third party if they so choose.

Covered entities and their business associates should move quickly to review and update their business associate agreements and other  practices to comply with this new guidance as well as watch for further guidance and enforcement about these practices from OCR.

Other Key HIPAA Regulatory & Enforcement Changes Raise Responsibilities & Risks

OCR’s new guidance on access to PHI follows a host of other regulatory and enforcement activities. While the particulars of each of these new actions and guidance vary, all send a very clear message: OCR expects Covered Entities and their business associates to comply with HIPAA and is offering tools and other guidance to aid them in that process.. In the event of a breach or audit, Covered Entities and their business associates need to be prepared to demonstrate their efforts to comply. Those that cannot show adequate compliance efforts should be prepared for potentially substantial CMP or Resolution Agreement payments and other sanctions.

Register For 3/30 Webex Briefing

Solutions Law Press, Inc.™ invites to catch up on the latest guidance on the Covered Entities’ responsibility under HIPAA to provide access to patients to PHI by registering here to participate in the “HIPAA Update: The Latest On Security, Patient Access & Other HIPAA Developments” Webex briefing by attorney Cynthia Marcotte Stamer that Solutions Law Press, Inc.™ will host beginning at Noon Central Time on Wednesday, March 30, 2016. Get additional information or register here.

About The Author

Cynthia Marcotte Stamer is a practicing attorney and management consultant, author, public policy advocate and lecturer widely recognized for her extensive work and pragmatic thought leadership, experience, publications and training on HIPAA and other privacy, medical records and data and other health care and health plan concerns.

Recognized as “LEGAL LEADER™ Texas Top Rated Lawyer” in both Health Care Law and Labor and Employment Law, a “Texas Top Lawyer,” an “AV-Preeminent” and “Top Rated Lawyer” by Martindale-Hubble and as among the “Best Lawyers In Dallas” in employee benefits 2015 by D Magazine; Ms. Stamer has more than 28 years of extensive proven, pragmatic knowledge and experience representing and advising health industry clients and others on operational, regulatory and other compliance, risk management, product and process development, public policy and other key concerns.

As a core component of her work as the Managing Shareholder of Cynthia Marcotte Stamer, PC, the Co-Managing Member of Stamer Chadwick Soefje PLLC, Ms. Stamer has worked extensively throughout her nearly 30 year career with health care providers, health plans, health care clearinghouses, their business associates, employers, banks and other financial institutions, their technology and other vendors and service providers, and others on legal and operational risk management and compliance with HIPAA, FACTA, PCI, trade secret, physician and other medical confidentiality and privacy, federal and state data security and data breach and other information privacy and data security rules and concerns; prevention, investigation, response, mitigation and resolution of known or suspected data or privacy breaches or other incidents; defending investigations or other actions by plaintiffs, OCR, FTC, state attorneys’ general and other federal or state agencies; reporting and redressing known or suspected breaches or other violations; business associate and other contracting; insurance or other liability management and allocation; process and product development, contracting, deployment and defense; evaluation, commenting or seeking modification of regulatory guidance, and other regulatory and public policy advocacy; training and discipline; enforcement, and a host of other related concerns for public and private health care providers, health insurers, health plans, technology and other vendors, employers, and others.

Beyond her extensive involvement advising and defending clients on these matters, Ms. Stamer also has served for several years as the scrivener for the ABA JCEB’s meeting with OCR for many years. She returns as Chair of the Southern California ISSA Health Care Privacy & Security Summit for the third year in 2016, as well as speaks and serves on the steering committee of a multitude of other programs.

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares shared her thought leadership, experience and advocacy on HIPAA and other concerns by her service in the leadership of a broad range of other professional and civic organization including her involvement as the Vice Chair of the North Texas Healthcare Compliance Association, Executive Director of the Coalition on Responsible Health Policy and its PROJECT COPE; Coalition on Patient Empowerment, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children; former Board Compliance Chair and Board member of the National Kidney Foundation of North Texas, current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, immediate past RPTE Representative to ABA Joint Committee on Employee Benefits Council Representative and current RPTE Representative to the ABA Health Law Coordinating Counsel, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, a former member of the Board of Directors of the Southwest Benefits Association and others.

Ms. Stamer also is a highly popular lecturer, symposia chair and author, who publishes and speaks extensively on health and managed care industry, human resources, employment and other privacy, data security and other technology, regulatory and operational risk management. Examples of her many highly regarded publications on these matters include “Protecting & Using Patient Data In Disease Management: Opportunities, Liabilities And Prescriptions,” “Privacy Invasions of Medical Care-An Emerging Perspective,” “Cybercrime and Identity Theft: Health Information Security: Beyond HIPAA,” as well as thousands of other publications, programs and workshops these and other concerns for the American Bar Association, ALI-ABA, American Health Lawyers, Society of Human Resources Professionals, the Southwest Benefits Association, the Society of Employee Benefits Administrators, the American Law Institute, Lexis-Nexis, Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, the HCCA, ISSA, HIMSS, Modern Healthcare, Managed Healthcare, Institute of Internal Auditors, Society of CPAs, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other symposia and publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, InsuranceThoughtLeadership.com and many other prominent publications and speaks and conducts training for a broad range of professional organizations and for clientson the Advisory Boards of InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications. For additional information about Ms. Stamer, see CynthiaStamer.com or the Stamer│Chadwick │Soefje PLLC or contact Ms. Stamer via email to here or via telephone to (469) 767-8872.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources at http://www.solutionslawpress.com such as:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or updating your profile here.  ©2016 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ All other rights reserved.


3/30 Webex Shares Latest On Security, Patient Access & Other HIPAA Developments

March 9, 2016

Solutions Law Press, Inc. ™ Invites You To A Special WebEx Briefing  

HIPAA Update: The Latest On Security, Patient Access & Other HIPAA Developments

Wednesday, March 30, 2016

1:00 P.M.-2:00 P.M. Eastern | 12:00 P.M.-1:00 P.M. Central 11:00 A.M-12:00 P.M. Mountain | 10:00 A.M-11:00 A.M. Pacific

Health care providers, health plans, health care clearinghouses and their business associates (Covered Entities) face new imperatives to review and tighten their practices to ensure their practices comply with recently released guidance from the U.S. Department of Health & Human Services Office of Civil Rights (OCR)) emphasizing and clarifying the responsibilities of health care providers, health plans and the healthcare clearinghouses under the Health Insurance Portability & Accountability Act of 1996 (HIPAA) to provide access to individuals that are the subject of protected health information or “PHI” to access or copies of their PHI in accordance with HIPAA’s rules and other recent HIPAA guidance and enforcement. With OCR’s recent release of added guidance and OCR enforcement statistics continuing to show HIPAA access rule violations among the most common HIPAA violations and OCR stepping up HIPAA enforcement, health care providers, health plans, healthcare clearinghouses can expect heightened scrutiny and enforcement of these requirements. Additionally, Covered Entities also should evaluate the adequacy of their other practices in light of other recent OCR guidance and enforcement actions.

Solutions Law Press, Inc.™ invites to catch up on the latest guidance on HIPAA’s requirements to provide access to patients to PHI by registering here to participate in the Solutions Law Press, Inc.™ “HIPAA Update: The Latest On Security, Patient Access & Other HIPAA Developments” WebEx briefing from Cynthia Marcotte Stamer on Friday, March 18, 2016.   During the Briefing, Ms. Stamer will provide participants with:

√ An update on OCR enforcement actiions and guidance over past 12 months

√ A detailed discussion of OCR’s new guidance about when Covered Entities must provide PHI access or copies to patients

√ Discuss rules and best practices for verifying the identity and credentials of an individual requesting PHI as a patient or personal representative of a patient

√ Share tips for contracting and dealing with business associates to facilitate administration of patient PHI access and security compliance activities

√ Share other practical considerations & best practices for compliance and risk management

√ Respond to participant questions on a time permitting basis

√ More

ABOUT THE SPEAKER

Recognized as “Legal Leader™ Texas Top Rated Lawyer” in both Health Care Law and Labor and Employment Law, a “Texas Top Lawyer,” and an “AV-Preeminent” and “Top Rated Lawyer” by Martindale-Hubble, singled out as among the “Best Lawyers In Dallas” in employee benefits 2015 by D Magazine;, Cynthia Marcotte Stamer is a practicing attorney and management consultant, author, public policy advocate and lecturer widely recognized for her more than 28 years extensive work and pragmatic thought leadership, experience, publications and training on HIPAA and other privacy, medical records and data and other health care, health plan and employee benefits, workforce and related regulatory and other compliance, performance management, risk management, product and process development, public policy and other key operational concerns.

As a core component of her work as the Managing Shareholder of Cynthia Marcotte Stamer, PC, the Co-Managing Member of Stamer Chadwick Soefje PLLC, Ms. Stamer has worked extensively throughout her nearly 30 year career with health care providers, health plans, health care clearinghouses, their business associates, employers, banks and other financial institutions, their technology and other vendors and service providers, and others on legal and operational risk management and compliance including extensive involvement with HIPAA, FACTA, PCI, trade secret, physician and other medical confidentiality and privacy, federal and state data security and data breach and other information privacy and data security rules and concerns; prevention, investigation, response, mitigation and resolution of known or suspected data or privacy breaches or other incidents; defending investigations or other actions by plaintiffs, OCR, FTC, state attorneys’ general and other federal or state agencies; reporting and redressing known or suspected breaches or other violations; business associate and other contracting; insurance or other liability management and allocation; process and product development, contracting, deployment and defense; evaluation, commenting or seeking modification of regulatory guidance, and other regulatory and public policy advocacy; training and discipline; enforcement, and a host of other related concerns for public and private health care providers, health insurers, health plans, technology and other vendors, employers, and others. Ms. Stamer also has worked extensively domestically and internationally on public policy and regulatory advocacy on HIPAA and other privacy and data security risks and requirements as well as a broad range of other health, employee benefits, human resources, insurance, tax, compliance and other matters and representing clients in dealings with the US Congress, Departments of Labor, Treasury, Health & Human Services, Federal Trade Commission, HUD and Justice, as well as a state legislatures attorneys general, insurance, labor, worker’s compensation, and other agencies and regulators as well supports clients in defending litigation as lead strategy counsel, special counsel and as an expert witness.

Beyond her extensive involvement advising and defending clients on these matters, Ms. Stamer also has served as the scrivener for the ABA JCEB’s meeting with OCR on HIPAA for many years. She returns as Chair of the Southern California ISSA Health Care Privacy & Security Summit for the third year in 2016, as well as speaks and serves on the steering committee of a multitude of other programs.

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares shared her thought leadership, experience and advocacy on HIPAA and other concerns by her service in the leadership of a broad range of other professional and civic organization including her involvement as the Vice Chair of the North Texas Healthcare Compliance Association, Executive Director of the Coalition on Responsible Health Policy and its PROJECT COPE; Coalition on Patient Empowerment, a founding Board Member and past President of the Alliance for Healthcare Excellence, past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children; former Board Compliance Chair and Board member of the National Kidney Foundation of North Texas, current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee, current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a current Defined Contribution Plan Committee Co-Chair, former Group Chair and Co-Chair of the ABA RPTE Section Employee Benefits Group, immediate past RPTE Representative to ABA Joint Committee on Employee Benefits Council Representative and current RPTE Representative to the ABA Health Law Coordinating Counsel, former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division, past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee, a former member of the Board of Directors of the Southwest Benefits Association and others.

Ms. Stamer also is a highly popular lecturer, symposia chair and author, who publishes and speaks extensively on health and managed care industry, human resources, employment and other privacy, data security and other technology, regulatory and operational risk management. Examples of her many highly regarded publications on these matters include “Protecting & Using Patient Data In Disease Management: Opportunities, Liabilities And Prescriptions,” “Privacy Invasions of Medical Care-An Emerging Perspective,” “Cybercrime and Identity Theft: Health Information Security: Beyond HIPAA,” as well as thousands of other publications, programs and workshops these and other concerns for the American Bar Association, ALI-ABA, American Health Lawyers, Society of Human Resources Professionals, the Southwest Benefits Association, the Society of Employee Benefits Administrators, the American Law Institute, Lexis-Nexis, Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, the HCCA, ISSA, HIMSS, Modern Healthcare, Managed Healthcare, Institute of Internal Auditors, Society of CPAs, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other symposia and publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, InsuranceThoughtLeadership.com and many other prominent publications and speaks and conducts training for a broad range of professional organizations and for clients, serves on the faculty and planning committee of many workshops, seminars, and symposia, and on the Advisory Boards of InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications. For additional information about Ms. Stamer, see CynthiaStamer.com or the Stamer│Chadwick │Soefje PLLC or contact Ms. Stamer via email to here or via telephone to (469) 767-8872.

 REGISTRATION & PROGRAM DETAILS

Registration Fee per course is $75.00 per person. Registration Fee Discounts available for groups of three or more participants from the same organization. Limited opportunities for participation. Registration accommodated on a first come basis. Completed registration and payment required via website registration 48 hours in advance of the program. No checks or cash accepted. Persons not registered with completed payment at least 48 hours in advance will only participate subject to availability and completed registration and payment. Payment only accepted via website PayPal. Register Here!

The Webex will be conducted over the internet. Participants will receive access code and instructions for sign on to participate in the Webex and/or dial in to participate in the program via telephone after processing of completed registration. Participants must have access to a computer with internet access and to telephone access to dial in via telephone to participate in the program. Solutions Law Press, Inc. is not responsible for any interruption or interference in participation resulting from limitations in the internet connectivity, computer, telephone or other equipment used by the participant to access and participate in the program.

ABOUT SOLUTIONS LAW PRESS, INC.™

Solutions Law Press, Inc.™ provides business and management information, tools and solutions, training and education, services and support to help organizations and their leaders better anticipate legal and operational issues impacting their organization’s performance, regulatory compliance and risk management, data and information protection and risk management and other key management objectives. Solutions Law Press, Inc.™ also conducts and assist businesses and associations to design, present and conduct customized programs and training targeted to their specific audiences and needs. For additional information about upcoming programs, to inquire about becoming a presenting sponsor for an upcoming event, e-mail your request to info@Solutionslawpress.com.   These programs, publications and other resources are provided only for general informational and educational purposes, the applicability of which to any particular circumstances may be impacted by legal changes, the specific facts and circumstances or other factors. Consequently, neither the distribution or presentation of these programs and materials to any party nor any statement or information provided in or in connection with this communication, the program or associated materials are not intended to or shall not be construed as establishing an attorney-client relationship, to constitute legal advice or a substitute for legal advice, or otherwise provide any assurance or expectation from Solutions Law Press, Inc., the presenter or any related parties that any participant or any other party can rely upon the information or any statements presented herein. If you or someone else you know would like to receive future Alerts or other information about developments, publications or programs or other updates, send your request to info@solutionslawpress.com. If you would prefer not to receive communications from Solutions Law Press, Inc. send an e-mail with “Solutions Law Press Unsubscribe” in the Subject to support@solutionslawyer.net. CIRCULAR 230 NOTICE: The following disclaimer is included to comply with and in response to U.S. Treasury Department Circular 230 Regulations. ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN. If you are an individual with a disability who requires accommodation to participate, please let us know at the time of your registration so that we may consider your request.   ©2016 Solutions Law Press, Inc.

 

 

 


Health Care Providers, Provide ACO, Reimbursement Reform Input To HHS

March 2, 2015

Physicians, nurses, hospitals and other health care providers, patients and others concerned about health care reimbursement and other health care reforms in the United States should sign up and participate in the new Health Care Payment Learning and Action Network (“Network”) the Department of Health and Human Services (HHS) is creating to help shape ongoing reform  of the US health care delivery system to promote better care, smarter spending, and healthier people through the expansion of new health care payment models and other reforms.  HHS is inviting private payers, employers, providers, patients, states, consumer groups, consumers, and other partners within the health care community to register here to participate in the Network activities including  kickoff event scheduled for Wednesday, March 25, 2015.

HHS hopes cooperation through the Network will help the entire U.S. health care system match and exceed the following HHS goals for Medicare:

  • Tying 30 percent of payments to quality or value through alternative payment models, such as Accountable Care Organizations (ACOs) or bundled payment arrangements by the end of 2016, and
  • Tying 50 percent of payments to alternative payment models by the end of 2018. The Network will also support the broader goal of tying the vast majority of payments in the health care system to quality or value.

As HHS moves forward to promote ACOs and other reforms, it is particularly important that providers and patients provide feedback and input about the goals and ideas HHS is promoting as solutions for “improving” health care.  While HHS often touts consolidation of care into ACOs and other reimbursement strategies using government generated standards of quality as the best means of improving quality and cost-effectiveness, many patients, providers and others worry that HHS ACO and other reimbursement reforms as presently implemented or contemplated by HHS cut costs at the expense of patients by denying reimbursement or other access for effective care options based on cost or ignore other patient needs in the name of cost savings.  Active, consistent participation in these and other opportunities for input is critical for those concerned about these and other issues to question and shape the goals, assumptions and actions HHS, Congress and others take to change the U.S. health care system.

HHS says most Network meetings will occur virtually by teleconference or webinar. In-person meetings will occur in the Washington D.C. area. HHS plans to hold the first live streaming of the kickoff event on Wednesday, March 25, 2015. HHS will share details through e-mails to those registered online to participate in the network.  Individuals and organizations concerned about ACO and other HHS-lead health care reforms are urged to register and participate in the Network as one of the ways to help monitor and shape health care reform as lead by HHS.

About Project COPE: The Coalition On Patient Empowerment &  Coalition on Responsible Health Policy

Do you have feedback or other experiences to share about medical debit, ACA or other health care challenges?  Have ideas for helping improve our system, helping Americans cope with these and other health care challenges or other health care matters? Know other helpful resources or experiences that you are willing to share?  Are you concerned about health care coverage or other health care and disability issues or policy concerns?  Join the discussion and share your input by joining Project COPE: Coalition for Patient Empowerment here.

Sharing and promoting the use of practical practices, tools, information and ideas that patients and their families, health care providers, employers, health plans, communities and policymakers can share and offer to help patients, their families and others in their care communities to understand and work together to better help the patients, their family and their professional and private care community plan for and manage these  needs is the purpose of

The Coalition and its Project COPE are founded and operate based on the belief that health care reform and policy must be patient focused, patient centric and patient empowering.  The best opportunity to improve access to quality, affordable health care for all Americans is for every American, and every employer, insurer, and community organization to seize the opportunity to be good Samaritans.  The government, health care providers, insurers and community organizations can help by providing education and resources to make understanding and dealing with the realities of illness, disability or aging easier for a patient and their family, the affected employers and others. At the end of the day, however, caring for people requires the human touch.  Americans can best improve health care by not waiting for someone else to step up:  Step up and help bridge the gap when you or your organization can. Speak up to help communicate and facilitate when you can.  Building health care neighborhoods filled with good neighbors throughout the community is the key.

The outcome of this latest health care reform push is only a small part of a continuing process.  Whether or not the Affordable Care Act makes financing care better or worse, the same challenges exist.  The real meaning of the enacted reforms will be determined largely by the shaping and implementation of regulations and enforcement actions which generally are conducted outside the public eye.  Americans individually and collectively clearly should monitor and continue to provide input through this critical time to help shape constructive rather than obstructive policy. Regardless of how the policy ultimately evolves, however, Americans, American businesses, and American communities still will need to roll up their sleeves and work to deal with the realities of dealing with ill, aging and disabled people and their families.  While the reimbursement and coverage map will change and new government mandates will confine providers, payers and patients, the practical needs and challenges of patients and families will be the same and confusion about the new configuration will create new challenges as patients, providers and payers work through the changes.

We also encourage you and others to help develop real meaningful improvements by joining Project COPE: Coalition for Patient Empowerment here by sharing ideas, tools and other solutions and other resources. The Coalition For Responsible Health Care Policy provides a resource that concerned Americans can use to share, monitor and discuss the Health Care Reform law and other health care, insurance and related laws, regulations, policies and practices and options for promoting access to quality, affordable healthcare through the design, administration and enforcement of these regulations.

Other Helpful Resources & Other Information

We hope that this information is useful to you.   If you found these updates of interest, you also be interested in one or more of the following other recent articles published on the Coalition for Responsible Health Care Reform electronic publication available here, our electronic Solutions Law Press Health Care Update publication available here, or our HR & Benefits Update electronic publication available hereYou also can get access to information about how you can arrange for training on “Building Your Family’s Health Care Toolkit,”  using the “PlayForLife” resources to organize low-cost wellness programs in your workplace, school, church or other communities, and other process improvement, compliance and other training and other resources for health care providers, employers, health plans, community leaders and others here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail by creating or updating your profile here. You can reach other recent updates and other informative publications and resources.

Examples of some of these recent health care related publications include:

For More Information Or Assistance

If you need assistance reviewing or responding to these or other health care related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, may be able to help. Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 26 years experience advising health industry clients about these and other matters. Her experience includes advising hospitals, nursing home, home health, rehabilitation and other health care providers and health industry clients to establish and administer compliance and risk management policies; prevent, conduct and investigate, and respond to peer review and other quality concerns; and to respond to Board of Medicine, Department of Aging & Disability, Drug Enforcement Agency, OCR Privacy and Civil Rights, HHS, DOD and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns.  The scribe for the American Bar Association (ABA) Joint Committee on Employee Benefits annual agency meeting with the Department of Health & Human Services Office of Civil Rights,  Ms. Stamer has worked extensively with health care providers, health plans, health care clearinghouses, their business associates, employers, banks and other financial institutions, and others on risk management and compliance with HIPAA and other information privacy and data security rules, investigating and responding to known or suspected breaches, defending investigations or other actions by plaintiffs, OCR and other federal or state agencies, reporting known or suspected violations, business associate and other contracting, commenting or obtaining other clarification of guidance, training and enforcement, and a host of other related concerns.  Her clients include public and private health care providers, health insurers, health plans, technology and other vendors, and others.  In addition to representing and advising these organizations, she also has conducted training on Privacy & The Pandemic for the Association of State & Territorial Health Plans,  as well as  HIPAA, FACTA, PCI, medical confidentiality, insurance confidentiality and other privacy and data security compliance and risk management for  Los Angeles County Health Department, ISSA, HIMMS, the ABA, SHRM, schools, medical societies, government and private health care and health plan organizations, their business associates, trade associations and others.

A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her insights on these and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications.  You can get more information about her health industry experience here. If you need assistance responding to concerns about the matters discussed in this publication or other health care concerns, wish to obtain information about arranging for training or presentations by Ms. Stamer, wish to suggest a topic for a future program or update, or wish to request other information or materials, please contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

If you or someone else you know would like to receive future updates about developments on these and other concerns from Ms. Stamer, see here.

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. For important information concerning this communication click here.THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS.  ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.

©2015 Cynthia Marcotte Stamer, P.C. Non-exclusive license to republish granted to Solutions Law Press.  All other rights reserved.

 

CMS To Host Provider Webinar To Celebrate National Health IT Week

September 13, 2013

In celebration of the third annual National Health IT Week is September 16-20, the Centers for Medicare & Medicaid Services (CMS) will host several webinars and launching new eHealth tools and resources that it intends to help providers participate in eHealth programs.  These programs may be of interest to providers as well as payers who are interested in what providers are doing to use eHealth tools.

Details of Webinar

The eHealth Provider Webinar will be held on Thursday, September 19th from 12:00 p.m. to 1:30 p.m. ET.  CMS plans to present an overview of the eHealth programs and its eHealth initiative—an initiative that aligns health IT and electronic standards programs on:

  • Administrative Simplification
  • eRx Incentive Program
  • ICD-10
  • Quality Measurement

A portion of the webinar will also be dedicated to Q&A.

Registration Information

Space is limited.  Register now to secure your spot for the eHealth Provider WebinarOnce registration is complete, you will receive a follow-up email with step-by-step instructions on how to log-in to the webinar.  Listserv messages are sent prior to each webinar session with registration information.

If you’d like to view past webinars, the PowerPoint presentations and recordings can now be accessed on the Resources page of the eHealth website.  For more information about CMS’ eHealth Initiatives, visit the CMS eHealth website for the latest news and updates on CMS’ eHealth initiatives.

For More Information Or Assistance

If you need assistance responding to this invitation or with other health industry regulatory, enforcement or other developments, reviewing or tightening your policies and procedures, conducting training or audits, responding to or defending an investigation or other enforcement action or with other health care related risk management, compliance, training, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, may be able to help. Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 25 years experience advising health industry clients about these and other matters. Her experience includes extensive work advising, representing and training health industry and other clients on HIPAA and other privacy, data protection and breach and other related matters.  She also advises hospitals, nursing home, home health, rehabilitation and other health care providers and health industry clients to establish and administer compliance and risk management policies; prevent, conduct and investigate, and respond to peer review and other quality concerns; and to respond to Board of Medicine, Department of Aging & Disability, Drug Enforcement Agency, OCR Privacy and Civil Rights, HHS, DOD and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Scribe for the ABA JCEB annual Technical Sessions meeting with OCR for the past three years, Ms. Stamer also is recognized for her extensive publications and programs including numerous highly regarding publications and programs on HIPAA and other privacy and data security concerns as well as a wide range of other workshops, programs and publications on other compliance, operational and risk management, and other health industry matters. Ms. Stamer also has extensive other public policy and regulatory experience with HHS and other U.S. federal and state agencies as well as internationally. Her insights on these and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications.  You can get more information about her health industry experience here. If you need assistance responding to concerns about the matters discussed in this publication or other health care concerns, wish to obtain information about arranging for training or presentations by Ms. Stamer, wish to suggest a topic for a future program or update, or wish to request other information or materials, please contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here. If you or someone else you know would like to receive future updates about developments on these and other concerns from Ms. Stamer, see  here.

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, compensation, data security and privacy, health care, insurance, and other key compliance, risk management, internal controls and other key operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press resources including:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here. For important information about this communication click here.  THE FOLLOWING DISCLAIMER IS INCLUDED TO COMPLY WITH AND IN RESPONSE TO U.S. TREASURY DEPARTMENT CIRCULAR 230 REGULATIONS.  ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN.  

©2013 Cynthia Marcotte Stamer, P.C.  Non-exclusive license to republish granted to Solutions Law Press.  All other rights reserved.


%d bloggers like this: